CVE-2002-0710
CVSS 6.4
Published: 2002-08-12 00:00:00
Revised: 2016-10-17 22:21:40

[Original] Directory traversal vulnerability in sendform.cgi 1.44 and earlier allows remote attackers to read arbitrary files by specifying the desired files in the BlurbFilePath parameter.


[CNNVD] Rod Clark sendform.cgi Remote Arbitrary File Retrieval Vulnerability (CNNVD-200208-048)

        
sendform.cgi is a CGI script used to notify users that their form has been submitted; it can read a notice ("blurb") file from the server and send it to the user by email.
The implementation of sendform.cgi contains an input validation vulnerability that a remote attacker can exploit to obtain arbitrary files on the host.
The BlurbFilePath parameter of sendform.cgi specifies the path of the blurb file, and the script neither checks nor filters this user-controllable value, so a remote attacker can supply the absolute path of a file on the server (for example /etc/passwd) and have the server send that file to their own mailbox.
        

- CVSS (Base Score)

CVSS score: 6.4 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected Platforms and Products)

cpe:/a:rod_clark:sendform.cgi:1.4
cpe:/a:rod_clark:sendform.cgi:1.4.1
cpe:/a:rod_clark:sendform.cgi:1.4.2
cpe:/a:rod_clark:sendform.cgi:1.4.3
cpe:/a:rod_clark:sendform.cgi:1.4.4

- OVAL (Technical Details for Detection)

No related OVAL definition found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0710
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0710
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200208-048
(Official data source) CNNVD

- Other Links and Resources

http://marc.info/?l=bugtraq&m=102809084218422&w=2
(UNKNOWN)  BUGTRAQ  20020730 Directory traversal vulnerability in sendform.cgi
http://www.iss.net/security_center/static/9725.php
(UNKNOWN)  XF  sendform-blurbfile-directory-traversal(9725)
http://www.scn.org/~bb615/scripts/sendform.html
(VENDOR_ADVISORY)  CONFIRM  http://www.scn.org/~bb615/scripts/sendform.html
http://www.securityfocus.com/bid/5286
(UNKNOWN)  BID  5286

- Vulnerability Information

Rod Clark sendform.cgi Remote Arbitrary File Retrieval Vulnerability
Severity: Medium | Type: Input validation
2002-08-12 00:00:00 2005-05-02 00:00:00
Remote
        
        

- Advisories and Patches

Vendor patch:
Rod Clark
---------
The vendor has fixed this security issue in a new version of the software; download it from the vendor's homepage:

http://www.scn.org/~bb615/scripts/sendform.html

- Vulnerability Information (F26493)

sendform.cgi.txt (PacketStormID:F26493)
2002-07-31 00:00:00
Brian Caswell, Steven M. Christey
remote,web,cgi
CVE-2002-0710

Sendform.cgi v1.4.4 and below has a directory traversal vulnerability which allows remote attackers to read any file with the privileges of the web server. Fix available here. Bugtraq ID 5286.

___ Summary __________________________________________________________

       Title: Directory traversal vulnerability in sendform.cgi
        Date: July 30, 2002
      Author: Steve Christey (coley@mitre.org)
     Credits: Brian Caswell (bmc@mitre.org)
              Erik Tayler (erik@DIGITALDEFENSE.NET)
      Vendor: Rod Clark
     Product: sendform.cgi
 Product URL: http://www.scn.org/~bb615/scripts/sendform.html
 OS/Platform: Unix
    Versions: All versions 1.4.4 and earlier, primarily before 1.4
      Impact: Remote unauthenticated attackers can read arbitrary files
              with the privileges of the web server.
        Risk: High
    Solution: Upgrade to v1.45.  A workaround is available, but it
              reduces functionality.
 Identifiers: CVE (CAN-2002-0710), Bugtraq ID (5286)


___ Introduction _____________________________________________________

  Rod Clark's sendform.cgi is a CGI program that reads form data and
  sends it to a program-specified administrator.  An optional
  capability can send additional "blurb files" to the e-mail address
  that is provided in the form.

  Unfortunately, any remote attacker can use sendform.cgi to read
  arbitrary files with the privileges of the web server by modifying
  the BlurbFilePath parameter to reference the desired files.


___ Details __________________________________________________________

  When sendform.cgi is used to notify a user that their form has been
  submitted, it can read "blurb files" from the web server and send
  them in an email to the user.  A remote attacker can manipulate the
  BlurbFilePath parameter to identify any target file (or set of
  files) on the web server, such as /etc/passwd.  The "email"
  parameter can then be modified to point to the attacker's own email
  address, and the SendCopyToUser parameter set to "yes."  When the
  attacker submits the full request to sendform.cgi, a copy of the
  target file will be sent to the attacker.  There may be alternate
  attack vectors that do not require the SendCopyToUser parameter.

  If the attacker can write files to the web server running
  sendform.cgi, then the attacker can fully control the content of the
  e-mail message and send it to arbitrary e-mail addresses.  Since
  other form fields such as the subject line are under attacker
  control, sendform.cgi could then be used as a "spam proxy," in a
  fashion similar to the well-known vulnerability in formmail.pl [1].

  The filename that is provided to BlurbFilePath does not have to
  contain .. characters to escape the web root.  An absolute pathname
  will also work.  Since sendform.cgi only allows a small range of
  characters, plus the .. and /, the attacker cannot execute commands
  via shell metacharacters, or redirect output to other files.
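  The defect described in this section (and in the CNNVD description
  earlier on the page) is a missing confinement check: the value of
  BlurbFilePath is used as a file path without being tied to the
  directory the blurb files live in. The following is an added
  illustration, not code from sendform.cgi, from the vendor's fix or
  from this advisory. It is written in Python rather than the CGI's own
  language; the BLURB_DIR location, the function names and the sample
  request values are constructed for the example. It places the flawed
  behaviour (parameter used as a path unchanged) beside a hardened
  resolver that accepts only a bare file name and then verifies that the
  canonical path still lies inside the blurb directory.

```python
import os
import re
from typing import Dict, Iterable, Optional

# Assumed location of the directory the CGI may read blurb files from.
# Constructed for this example; the advisory names no such path.
BLURB_DIR = "/srv/sendform/blurbs"

# A blurb request must be a bare file name: letters, digits, '_', '-', '.'.
# Unlike the filter the advisory describes, '/' is not allowed, so neither
# absolute paths nor "../" sequences can pass this check.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]+")


def vulnerable_blurb_path(blurb_file_path: str) -> str:
    """Models the flawed behaviour: the BlurbFilePath value is used as the
    file path unchanged, so "/etc/passwd" would be opened as-is."""
    return blurb_file_path


def safe_blurb_path(blurb_file_path: str, base_dir: str = BLURB_DIR) -> Optional[str]:
    """Return the resolved path of a blurb file confined to base_dir,
    or None when the request must be rejected."""
    # Step 1: syntactic allowlist. Rejects '/', whitespace, shell
    # metacharacters and the empty string. "." and ".." are excluded
    # explicitly because the character class alone would admit them.
    if not _SAFE_NAME.fullmatch(blurb_file_path) or blurb_file_path in (".", ".."):
        return None
    # Step 2: canonicalise and confirm the result is still under base_dir.
    # realpath() follows symlinks, so a link inside the blurb directory
    # that points elsewhere is caught as well.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, blurb_file_path))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def classify_requests(requests: Iterable[str]) -> Dict[str, Dict[str, Optional[str]]]:
    """Run a batch of BlurbFilePath values through both versions and report
    what each would open, to show the difference side by side."""
    report: Dict[str, Dict[str, Optional[str]]] = {}
    for value in requests:
        report[value] = {
            "vulnerable": vulnerable_blurb_path(value),
            "hardened": safe_blurb_path(value),
        }
    return report


# Constructed sample requests: one legitimate blurb name plus the shapes
# the advisory says the original script accepted.
SAMPLE_REQUESTS = [
    "thanks.txt",
    "/etc/passwd",
    "../../../../etc/passwd",
    "..",
    "blurb;id",
]

if __name__ == "__main__":
    for value, result in classify_requests(SAMPLE_REQUESTS).items():
        print(f"{value!r:28} vulnerable={result['vulnerable']!r} hardened={result['hardened']!r}")
```

  Running the module prints, for each sample value, what the flawed and
  the hardened resolver would open; only the bare file name survives the
  hardened path. The two-step structure matters: the allowlist alone
  would still accept a symlink planted in the blurb directory, and the
  realpath check alone would still have to reason about every encoding
  of "..", so each step covers a case the other does not.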

  It should be noted that there appear to be multiple programs named
  "sendform.cgi," including custom CGI scripts, which are unrelated to
  the product being discussed in this advisory.


___ Solution _________________________________________________________

  Upgrade to the current version, found at:

  http://www.scn.org/~bb615/scripts/sendform.html

  The only feasible workaround is to disable the Blurb File feature by
  commenting out calls to the functions MailFirstBlurbFile() and
  MailOtherBlurbFiles().

  Thanks to Rod Clark for diligently addressing this vulnerability.


___ Vulnerability Identifiers ________________________________________

  The Common Vulnerabilities and Exposures (CVE) project has assigned
  the name CAN-2002-0710 [2] to this issue. This is a candidate for
  inclusion in the CVE list (http://cve.mitre.org), which standardizes
  names for security problems.

  The SecurityFocus VulnHelp team (vulnhelp@securityfocus.com) has
  assigned Bugtraq ID 5286 [3] to this issue.


___ Disclosure Policy ________________________________________________

  Disclosure of this vulnerability has been conducted in accordance
  with the "Responsible Vulnerability Disclosure Process" draft,
  currently published at:

  http://www.ietf.org/internet-drafts/draft-christey-wysopal-vuln-disclosure-00.txt


___ Disclosure History _______________________________________________

  2002/05/10: initial discovery of suspicious code
  2002/05/16: vulnerability verified
  2002/05/16: initial notification to vendor
  2002/05/16: vendor acknowledges receipt
  2002/06/14: vendor updated web site with patched version for review
  2002/06/17: tested patched version, made some recommendations
  2002/06/24: beginning of vacation, sweet vacation
  2002/07/15: vendor provides most recent version
  2002/07/18: final suggestions to vendor (tiny hole still left)
  2002/07/18: CVE candidate obtained
  2002/07/20: vendor releases final version
  2002/07/23: Bugtraq ID obtained
  2002/07/23: final version verified
  2002/07/30: advisory released

  This vulnerability was originally discovered while researching a
  Snort IDS signature with Brian Caswell (bmc@mitre.org).  The
  signature apparently originated from a post to the Vuln-Dev mailing
  list on January 24, 2001, by Erik Tayler [4], who inquired about
  directory traversal attacks on sendform.

  Approximately 5 hours were spent researching the vulnerability.  An
  additional 10-15 hours were spent consulting with the vendor and
  evaluating patches.


___ References _______________________________________________________

  [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0357

  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0710

  [3] http://www.securityfocus.com/bid/5286
  
  [4] http://marc.theaimsgroup.com/?l=vuln-dev&m=98039690620489&w=2


___ EOF ______________________________________________________________

    

- Vulnerability Information

3568
sendform.cgi BlurbFilePath Arbitrary File Access

- Vulnerability Description

sendform.cgi contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an attacker sends a specially crafted URL to a vulnerable server, which will display the contents of arbitrary files with the privileges of the web server resulting in a loss of confidentiality.

- Timeline

2002-07-22 2002-07-22
Unknown Unknown

- Solution

Upgrade to version 1.45 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related References

- Vulnerability Author

Unknown or Incomplete
 

 
