[thelist] Re: blasterattacko at aol.com?
Kevin Martin
evolt at brasscannon.net
Mon Mar 22 08:26:47 CST 2004
Quoth John.Brooking at sappi.com,
> I just received an email sent from my contact form at [1] which consisted of
> the following:
> >From: blasterattacko at aol.com, "To:blasterattacko"@aol.com,
> > "From:blasterattacko"@aol.com
etc.
> [...] Not that I'm too worried about this specific
> attack, but I'm just wondering if it's an indication of some kind of
> security hole in my contact form script. Or, more optimistically, an
> indication that there was some attack which didn't work?
The latter, most likely. The guy is looking for a cgiemail binary
specifically (or possibly a formmail.cgi) that doesn't completely
strip ALL header fields. This was published as a vulnerability of
cgiemail, but when cgiemail is configured right the exploit fails.
Details at http://handsonhowto.com/cgi103.html
(I let ONE of these through a few months back, then closed it up,
and the little idiot kept hammering it for weeks afterward. He
was targeting AOL exclusively, and my contact at AOL Security
indicated they'd squash him like a bug. I haven't seen any signs
of that...yet.)
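A defensive check for the class of problem discussed above (a form mailer that does not strip header fields from user input), as an added example that is neither code from this thread nor from cgiemail or formmail.cgi. It assumes a hypothetical form whose email, name and subject fields are copied into the outgoing mail's headers and whose message field becomes the body.

```python
import re

# Assumption: these form fields are copied into the outgoing mail's headers,
# so a CR/LF inside them would let the sender append headers of their own.
HEADER_FIELDS = {"email", "name", "subject"}

CRLF_RE = re.compile(r"[\r\n]")
# A line that starts like a mail header, e.g. "To: someone@example.com".
HEADER_LINE_RE = re.compile(
    r"^[ \t]*(to|cc|bcc|from|subject|content-type)[ \t]*:", re.I | re.M
)


def injected_headers(value: str) -> list:
    """Header names that appear at line starts inside a single field value."""
    return [m.group(1).lower() for m in HEADER_LINE_RE.finditer(value)]


def check_form(fields: dict) -> list:
    """Return a list of problems; an empty list means the form is safe to mail.

    Header-bound fields are rejected outright if they contain CR or LF.
    Multi-line body fields are allowed, but header-looking lines in them are
    reported so the attempt can be logged instead of silently mailed on
    (a body line such as "From: my point of view" is a false positive).
    """
    problems = []
    for name, raw in fields.items():
        if name in HEADER_FIELDS and CRLF_RE.search(raw):
            problems.append(f"CR/LF in header-bound field {name!r}")
        for hdr in injected_headers(raw):
            problems.append(f"injected {hdr!r} header in field {name!r}")
    return problems


# Constructed probe modelled on the thread's report: extra From/To header
# lines pushed through the free-text field, which a correctly configured
# mailer leaves in the body rather than promoting to real headers.
PROBE = {
    "email": "blasterattacko@aol.com",
    "message": "From: blasterattacko@aol.com\nTo: blasterattacko@aol.com\n",
}
# Constructed attempt against a header-bound field: CR/LF inside the address.
CRLF_PROBE = {"email": "someone@example.com\r\nBcc: x@example.com", "message": "hi"}

if __name__ == "__main__":
    for form in (PROBE, CRLF_PROBE):
        print(check_form(form) or "clean")
```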