[thelist] Re: blasterattacko at aol.com?

Kevin Martin evolt at brasscannon.net
Mon Mar 22 08:26:47 CST 2004


Quoth John.Brooking at sappi.com,
> I just received an email sent from my contact form at [1] which consisted of
> the following:
>    >From: blasterattacko at aol.com, "To:blasterattacko"@aol.com, 
>    > "From:blasterattacko"@aol.com 

etc.

> [...] Not that too I'm worried about this specific
> attack, but I'm just wondering if it's an indication of some kind of
> security hole in my contact form script. Or, more optimistically, an
> indication that there was some attack which didn't work?

The latter, most likely.  The guy is looking for a cgiemail binary 
specifically (or possibly a formmail.cgi) that doesn't completely 
strip ALL header fields.  This was published as a vulnerability of
cgiemail, but when cgiemail is configured right the exploit fails.

Details at http://handsonhowto.com/cgi103.html

(I let ONE of these through a few months back, then closed it up,
and the little idiot kept hammering it for weeks afterward.  He
was targetting AOL exclusively, and my contact at AOL Security
indicated they'd squash him like a bug. I haven't seen any signs
of that...yet.)


More information about the thelist mailing list