Published: 2006/06/09  Last Updated: 2008/05/21

JVN#39570254
CGI RESCUE WebFORM allows unauthorized email transmission

Overview

WebFORM from CGI RESCUE is software that delivers HTML form input via email. WebFORM fails to check the mail headers properly, allowing a remote attacker to send email to arbitrary addresses.
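
An added example (not from this advisory and not CGI RESCUE's code) of the header check a form-to-mail script needs: the recipient is fixed on the server, and a form value bound for a header is refused if it contains control or line-break characters or is not a single plain address. The advisory does not detail the flaw, so the way form fields reach the headers, the addresses, and every name below are assumptions; Python is used for illustration.

```python
import re
from email.message import EmailMessage

# Constructed placeholders: the recipient is set by the site owner, never by the form.
FIXED_RECIPIENT = "owner@example.com"
SENDER = "webform@example.com"

# C0/C1 controls plus Unicode line/paragraph separators: anything that could end a header line.
_LINE_BREAKING = re.compile(r"[\x00-\x1f\x7f-\x9f\u2028\u2029]")
# Deliberately strict: one bare addr-spec, no display name, no comma-separated list.
_SINGLE_ADDR = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


class RejectedInput(ValueError):
    """Form value refused before it reaches a mail header."""


def clean_header_value(field, value, max_len=200):
    """Return value unchanged if it is safe to place in a single header line."""
    if not isinstance(value, str) or not value or len(value) > max_len:
        raise RejectedInput(f"{field}: missing, wrong type or too long")
    if _LINE_BREAKING.search(value):
        raise RejectedInput(f"{field}: control or line-break character")
    return value


def clean_address(field, value):
    """Accept exactly one plain address; reject lists and anything with extra syntax."""
    value = clean_header_value(field, value)
    if not _SINGLE_ADDR.fullmatch(value):
        raise RejectedInput(f"{field}: not a single plain address")
    return value


def build_form_mail(form):
    """Build the notification mail from a dict of submitted form fields (hypothetical names)."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = FIXED_RECIPIENT                      # not influenced by the request
    msg["Reply-To"] = clean_address("email", form.get("email"))
    msg["Subject"] = clean_header_value("subject", form.get("subject"))
    msg.set_content(str(form.get("message", "")))    # free text goes in the body only
    return msg
```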

Products Affected

  • WebFORM 4.1 and earlier
According to the vendor's information, FORM2MAIL also contains a similar vulnerability, and a fixed version of FORM2MAIL is available.

Description

Impact

A remote attacker may send emails to arbitrary addresses.

Solution

Vendor Status

References

JPCERT/CC Addendum

Credit

Tomohito Yoshino of Business Architects Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendors under the Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE
JVN iPedia JVNDB-2006-000624

Update History