Vulnerabilities > CVE-2017-5615 - Open Redirect vulnerability in Cpanel Cgiecho and Cgiemail

047910
CVSS 5.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
NONE
network
cpanel
CWE-601
nessus

Summary

cgiemail and cgiecho allow remote attackers to inject HTTP headers via a newline character in the redirect location.

Vulnerable Configurations

Part         Description   Count
Application  Cpanel        2

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Fake the Source of Data
    An adversary provides data under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or it might be an attempt by the adversary to assume the rights granted to another identity. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.

Nessus

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DLA-869.NASL
description: The cPanel Security Team discovered several security vulnerabilities in cgiemail, a CGI program used to create HTML forms for sending mails:

CVE-2017-5613: A format string injection vulnerability allowed supplying arbitrary format strings to cgiemail and cgiecho. A local attacker with permissions to provide a cgiemail template could use this vulnerability to execute code as the webserver user. Format strings in cgiemail templates are now restricted to simple %s, %U and %H sequences.

CVE-2017-5614: An open redirect vulnerability in the cgiemail and cgiecho binaries could be exploited by a local attacker to force a redirect to an arbitrary URL. These redirects are now limited to the domain that handled the request.

CVE-2017-5615: A vulnerability in the cgiemail and cgiecho binaries allowed injection of additional HTTP headers. Newline characters are now stripped from the redirect location to protect against this.

CVE-2017-5616: Missing escaping of the addendum parameter led to a reflected cross-site scripting (XSS) vulnerability in the cgiemail and cgiecho binaries. The output is now HTML escaped. For Debian 7
last seen: 2020-03-17
modified: 2017-03-27
plugin id: 97964
published: 2017-03-27
reporter: This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/97964
title: Debian DLA-869-1 : cgiemail security update
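The two redirect fixes the advisory describes, as an added C example that is not cgiemail's own code: CR and LF are stripped from the redirect target so it cannot terminate the Location header (CVE-2017-5615), and the target is confined to the host that handled the request (CVE-2017-5614). The same-host check, the `request_host` parameter and the header builder are assumptions about how such a check can be implemented, not the project's code.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* Remove every CR and LF from a redirect target in place so the value can
 * never end the Location: header and start another one (the hardening the
 * advisory describes for CVE-2017-5615). Returns how many bytes were removed. */
size_t strip_crlf(char *s)
{
    char *w = s;
    size_t removed = 0;
    for (char *r = s; *r; r++) {
        if (*r == '\r' || *r == '\n') { removed++; continue; }
        *w++ = *r;
    }
    *w = '\0';
    return removed;
}

/* Accept the target only if it stays on the host that handled the request
 * (CVE-2017-5614): a local path (one leading '/', not "//host" or "\\host")
 * or an http(s) URL whose host equals request_host. Assumed check, not
 * cgiemail's own code. Returns 1 if allowed, 0 otherwise. */
int redirect_allowed(const char *location, const char *request_host)
{
    if (location[0] == '/')
        return location[1] != '/' && location[1] != '\\';
    const char *p = location;
    if (strncasecmp(p, "https://", 8) == 0) p += 8;
    else if (strncasecmp(p, "http://", 7) == 0) p += 7;
    else return 0;                       /* no javascript:, data:, ftp: ... */
    size_t n = strcspn(p, "/\\?#");      /* authority ends at path/query/fragment */
    if (memchr(p, '@', n)) return 0;     /* "host@evil.example" userinfo trick */
    const char *colon = memchr(p, ':', n);
    if (colon) n = (size_t)(colon - p);  /* ignore an explicit port */
    return n == strlen(request_host) && strncasecmp(p, request_host, n) == 0;
}

/* Build "Location: <target>\r\n" into out after both checks; 1 on success, 0 on reject/overflow. */
int build_location_header(const char *target, const char *request_host,
                          char *out, size_t outlen)
{
    char loc[1024];
    if (strlen(target) >= sizeof loc) return 0;
    strcpy(loc, target);
    strip_crlf(loc);
    if (!redirect_allowed(loc, request_host)) return 0;
    int n = snprintf(out, outlen, "Location: %s\r\n", loc);
    return n > 0 && (size_t)n < outlen;
}
```

The sample hosts and targets in the test below are constructed; the order of the userinfo check before the port cut matters, since "host:pw@evil" would otherwise pass.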

Seebug

bulletinFamily: exploit
description:
  • SEC-212 Format string injection
    The ability to supply arbitrary format strings to cgiemail and cgiecho allowed code execution whenever a user was able to provide a cgiemail template file. Use CVE-2017-5613.
  • SEC-214 Open redirect
    The cgiemail and cgiecho binaries served as an open redirect due to their handling of the success and failure parameters. Use CVE-2017-5614.
  • SEC-215 HTTP header injection
    The handling of redirects in cgiemail and cgiecho did not protect against the injection of additional HTTP headers. Use CVE-2017-5615.
  • Reflected XSS vulnerability
    The "addendum" parameter was reflected without any escaping in success and error messages produced by cgiemail and cgiecho. Use CVE-2017-5616.
id: SSV:92980
last seen: 2017-11-19
modified: 2017-04-21
published: 2017-04-21
reporter: Root
title: cgiemail and cgiecho Multiple Security Vulnerabilities (CVE-2017-5613)