Vulnerabilities > CVE-2017-5615 - Open Redirect vulnerability in Cpanel Cgiecho and Cgiemail
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
NONE Summary
cgiemail and cgiecho allow remote attackers to inject HTTP headers via a newline character in the redirect location.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 2 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Fake the Source of Data An adversary provides data under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or it might be an attempt by the adversary to assume the rights granted to another identity. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.
Nessus
| NASL family | Debian Local Security Checks |
| NASL id | DEBIAN_DLA-869.NASL |
| description | The cPanel Security Team discovered several security vulnerabilities in cgiemail, a CGI program used to create HTML forms for sending mails : CVE-2017-5613 A format string injection vulnerability allowed to supply arbitrary format strings to cgiemail and cgiecho. A local attacker with permissions to provide a cgiemail template could use this vulnerability to execute code as webserver user. Format strings in cgiemail tempaltes are now restricted to simple %s, %U and %H sequences. CVE-2017-5614 An open redirect vulnerability in cgiemail and cgiecho binaries could be exploited by a local attacker to force redirect to an arbitrary URL. These redirects are now limited to the domain that handled the request. CVE-2017-5615 A vulnerability in cgiemail and cgiecho binaries allowed injection of additional HTTP headers. Newline characters are now stripped from the redirect location to protect against this. CVE-2017-5616 Missing escaping of the addendum parameter lead to a reflected cross-site (XSS) vulnerability in cgiemail and cgiecho binaries. The output is now html escaped. For Debian 7 |
| last seen | 2020-03-17 |
| modified | 2017-03-27 |
| plugin id | 97964 |
| published | 2017-03-27 |
| reporter | This script is Copyright (C) 2017-2020 Tenable Network Security, Inc. |
| source | https://www.tenable.com/plugins/nessus/97964 |
| title | Debian DLA-869-1 : cgiemail security update |
Seebug
| bulletinFamily | exploit |
| description | > [] SEC-212 Format string injection > > The ability to supply arbitrary format strings to cgiemail and > cgiecho allowed code execution whenever a user was able to provide a > cgiemail template file. Use CVE-2017-5613. > [] SEC-214 Open redirect > > The cgiemail and cgiecho binaries served as an open redirect due to > their handling of the success and failure parameters. Use CVE-2017-5614. > [] SEC-215 HTTP header injection > > The handling of redirects in cgiemail and cgiecho did not protect > against the injection of additional HTTP headers. Use CVE-2017-5615. > [] Reflected XSS vulnerability > > The "addendum" parameter was reflected without any escaping in > success and error messages produced by cgiemail and cgiecho. Use CVE-2017-5616. |
| id | SSV:92980 |
| last seen | 2017-11-19 |
| modified | 2017-04-21 |
| published | 2017-04-21 |
| reporter | Root |
| title | cgiemail and cgiecho Multiple Security Vulnerabilities (CVE-2017-5613) |