GEN:SID | 1:1610 |
Message | WEB-CGI formmail arbitrary command execution attempt |
Summary | An attempt to access a script (formmail) in the cgi-bin which has known vulnerabilities. #generic here, can be re-used for future issues
Formmail is a freely available perl script that is used to send data collected via a form to specified addresses.
|
Impact | Attempt to gain information about the web-server environment variables. Could also be an attempt to execute commands on the web-server that will execute with the privilege of the user owning the daemon running the server. The script may also be used to relay SPAM or to disclose the contents of files on the host.
|
Detailed Information | This could be an attempt to gain intelligence about the web-server that might be used to further exploit the machine. The environment variables of the web-server might be retrieved and sent via email to an address of the attackers choosing. More importantly this could be an attempt to execute commands on the web-server. Should this be successful, the commands would execute with the privileges of the user owning the httpd daemon.
|
Affected Systems | |
Attack Scenarios | Formmail receives information from a form via an HTTP POST. This includes the email addresses to which the form data is sent. A URI in the form of a POST to the formmail script could be crafted to send environment variables to a specified email address.
#I could include an example of the post, but I don't think that's wise.
|
Ease of Attack | Simple HTTP POST.
#I am not sure if this section is warranted, since how hard an attack might be is inconsequential if you are the target
|
Corrective Action | Web-servers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. The web-server httpd daemon should be run as a non-privileged user without login access to the host. The formmail script should be updated to a non-vulnerable version as soon as possible.
|
Additional References | http://www.whitehats.com/info/IDS/226 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0172 http://www.securityfocus.com/bid/1187 http://cgi.nessus.org/plugins/dump.php3?id=10076 http://cgi.nessus.org/plugins/dump.php3?id=10782
|
Rule References | arachnids: 226
bugtraq: 1187
bugtraq: 2079
cve: 1999-0172
cve: 2000-0411
nessus: 10076
nessus: 10782
|