[Snort-sigs] Documentation rule 884

Kevin Binsfield kbinsfield at ...1551...
Tue Dec 2 13:59:01 EST 2003

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

Rule: 884

Sid: WEB-CGI formmail access 

Summary: A popular perl script (FormMail) by Matt Wright which emails
output of web forms.

Impact: Several vulnerabilities include server access, information
disclosure, spam relaying and mail anonymizing.

Detailed Information: Early versions (1.6 and prior) had several
vulnerabilities (Spam engine, ability to run commands under server id
and set environment variables) and should be upgraded immediately. Newer
versions can still be used by spammers for anonymizing email and
defeating email relay controls.

Affected Systems: All webservers with a working installation of this
perl script.

Attack Scenarios: Information can be appended to the URL to use your
mail gateway avoiding SMTP relay controls. HTTP header information can
be manipulated to avoid access control methods in script. Allows SMTP
exploits that are normally available only to trusted (local) users such
as Sendmail % hack.

Ease of Attack: Attacks range from trivial to complex scripts.

False Positives: Legitimate use of the script can cause alerts. Verify
packet payload and watch web/mailserver logfiles.

False Negatives: Signature only looks for the script with its original

Corrective Action: Upgrade and use discretion with script variables.

Contributors: Kevin Binsfield (IDS at ...2047...)

Additional References:

arachnids: 226
cve: CVE-1999-0172
bugtraq: 1187
nessus: 10076
nessus: 10782
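
A sketch of the log check the False Positives note calls for, added here as an example and not part of the original submission or of Snort: it sorts FormMail requests in a web access log into expected, suspicious, and needs-payload-review. The Common Log Format layout, the LOCAL_DOMAINS value, the match on "formmail" in the path and the sample lines are assumptions constructed for illustration; `recipient` is FormMail's form field for the destination address.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the only domain this site legitimately mails form output to.
LOCAL_DOMAINS = {"example.com"}

# Common Log Format: client, ident, user, [time], "METHOD URI PROTO", ...
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Dec/2003:13:01:07 -0500] "GET /cgi-bin/formmail.pl?recipient=webmaster@example.com&subject=hi HTTP/1.0" 200 512',
    '198.51.100.7 - - [02/Dec/2003:13:02:11 -0500] "GET /cgi-bin/FormMail.pl?recipient=someone@mail.invalid&subject=x HTTP/1.0" 200 498',
    '198.51.100.7 - - [02/Dec/2003:13:02:12 -0500] "GET /cgi-bin/formmail.pl?recipient=someone%25mail.invalid@example.com HTTP/1.0" 200 498',
    '203.0.113.5 - - [02/Dec/2003:13:05:40 -0500] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 301',
    '192.0.2.10 - - [02/Dec/2003:13:06:02 -0500] "GET /index.html HTTP/1.0" 200 1024',
]

def is_local(addr):
    """True only if the address is plainly inside one of LOCAL_DOMAINS."""
    local, _, domain = addr.rpartition("@")
    # A '%' in the local part is the source-routed form ("Sendmail % hack"),
    # so a local-looking domain alone does not make the recipient local.
    return domain.lower() in LOCAL_DOMAINS and "%" not in local

def triage(line):
    """Return (client, verdict, detail) for a FormMail request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, method, uri = m.groups()
    parts = urlsplit(uri)
    if "formmail" not in parts.path.lower():
        return None
    # parse_qs percent-decodes values; FormMail accepts comma-separated recipients.
    values = parse_qs(parts.query).get("recipient", [])
    recipients = [r.strip() for v in values for r in v.split(",")]
    if method == "POST" or not recipients:
        # Fields travel in the request body, which the access log does not hold.
        return (client, "review", "no recipient in URL; check packet payload")
    outside = [r for r in recipients if not is_local(r)]
    if outside:
        return (client, "suspicious", "non-local recipient: " + ", ".join(outside))
    return (client, "expected", "recipient is local")

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        result = triage(entry)
        if result:
            print(*result, sep="\t")
```

Requests marked "review" are the ones where the alert has to be confirmed from the captured packet payload or the mail server log rather than from the web log.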
