[thelist] Re: blasterattacko at aol.com?

Kevin Martin evolt at brasscannon.net
Tue Mar 23 13:17:40 CST 2004


Quoth John.Brooking at sappi.com
> >Details at http://handsonhowto.com/cgi103.html
> 
> Thanks for that URL, Kevin! I read it and realized that my script also
> passed along unfiltered header fields, as I had not heard of that particular
> exploit. Although it looks like this attempt didn't work (and I have not
> seen any more attempts), I still have gone back and modified my script to
> filter those fields, allowing only alphanumerics, a space, and most but not
> all punctuation. Notably, no CR/LF's or other control characters, no pipes,
> and no redirections (< and >).

You also have to look for Unicode CR/LF equivalents, or anything
that "unescapes" to become a CR/LF.  (That's the "arms race" to
which I alluded.)

Basically, Internet email consists of a header, one blank line,
and a body.  (I'm waving my hands frantically at this point.)
If the bad guys can insert a CR/LF into a header line, they can
follow it with CC: and BCC: lines until their fingers get tired,
and you get the blame for what ensues.  They can try all sorts
of ways to do that, and you have to block ALL of them.  If the
header is completely static, that problem goes away. I'm both
lazy and paranoid, so that's the solution I use.

> Just to confirm: It doesn't matter what characters are in the *body*?

The bad guys can try to end the message prematurely in the hopes 
that your mailer will accept what follows as a new message... but
most web-to-mail software doesn't queue up multiple messages, so
I don't know of a sequence that would achieve that.  I'm sure our
friend blasterattacko WOULD do that if he could figure out how.

If you telnet to your SMTP port and negotiate the dialog to send
a message, it tells you to end your message by typing a period
on a line by itself, followed by a CR/LF.

If inserting this sequence into a message and following it up
with faked headers does NOT result in a second message being sent,
you're in pretty good shape.  Hmm, I'd better give that a shot
with cgiemail to make sure it does the right thing!

> If you're wondering why I don't just use cgiemail, my script has additional
> functionality that I like. It is specifically written as a mailto: tag
> replacement.  [...] It can
> also function like formmail or cgiemail, passing along the values of any
> other form fields it finds (in the message body).

Interesting.  I spend hours fighting spam and spammers every day,
and really hated having to replace my mailto: links because of them.
Sounds like you have an interesting alternative.  Thanks for sharing
it!

> If anyone is using my script [2], which I first posted earlier this month,
> please download and install the new version immediately! (Recommended method
> for this is to make a copy of your "customization" section, then overwrite
> the complete script and paste your customization section back into the new
> version.)
> 
> Thanks again, Kevin!

You're welcome!
>[2] My script: http://www.pobox.com/~JohnBrook/codelib/
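The two checks discussed above (rejecting any header value that contains, or unescapes to, a CR/LF or one of its Unicode equivalents, and dot-stuffing the body so a lone "." line cannot end the SMTP DATA early) as an added Python example; this is not code from the thread, from cgiemail or from John's script, and the allow-list, the RECIPIENT placeholder and the function names are assumptions.

```python
# Added example (not code from the thread, cgiemail or John's script):
# header filtering and SMTP dot-stuffing for a web-to-mail script.
import re
from typing import Optional
from urllib.parse import unquote

# Characters that can act as a line break in a header, including the
# Unicode equivalents (NEL, LINE SEPARATOR, PARAGRAPH SEPARATOR) and VT/FF.
LINE_BREAKS = "\r\n\x0b\x0c\x85\u2028\u2029"
# Assumed allow-list: alphanumerics, space and most punctuation, but no
# control characters, pipes or redirections (< and >), as in the thread.
ALLOWED = re.compile(r"[A-Za-z0-9 .,!?'\"()@:;/%_-]*")
RECIPIENT = "webmaster@example.invalid"  # placeholder, not a real address

def safe_header_value(value: str, max_len: int = 200) -> Optional[str]:
    """Return value if it may sit on one header line, else None.
    The value is also percent-decoded so that %0D%0A cannot 'unescape'
    into a CR/LF further down the pipeline."""
    for candidate in (value, unquote(value)):
        for ch in candidate:
            if ch in LINE_BREAKS or ord(ch) < 0x20 or ord(ch) == 0x7F:
                return None
    if len(value) > max_len or not ALLOWED.fullmatch(value):
        return None
    return value

def dot_stuff_body(body: str) -> str:
    """SMTP transparency (RFC 5321 section 4.5.2): a body line starting with
    '.' gets a second '.' in front, so a user-supplied lone '.' line cannot
    end DATA early and smuggle a second message behind it."""
    lines = body.replace("\r\n", "\n").split("\n")
    return "\r\n".join(("." + ln) if ln.startswith(".") else ln for ln in lines)

def build_message(sender: str, subject: str, body: str) -> str:
    """Assemble the message with a fixed recipient, so the To: line is
    static and the only form-supplied header fields are checked ones."""
    frm = safe_header_value(sender)
    subj = safe_header_value(subject)
    if frm is None or subj is None:
        raise ValueError("header field rejected")
    headers = [f"To: {RECIPIENT}", f"From: {frm}", f"Subject: {subj}"]
    return "\r\n".join(headers) + "\r\n\r\n" + dot_stuff_body(body)

if __name__ == "__main__":
    # Constructed inputs: a smuggled Bcc: via CR/LF and a premature '.' line.
    print(safe_header_value("Hello\r\nBcc: victim@example.invalid"))  # None
    print(safe_header_value("Hello%0ABcc: x@example.invalid"))        # None
    print(dot_stuff_body("Thanks\r\n.\r\nFrom: fake\r\n"))
```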