[thelist] Re: blasterattacko at aol.com?

John.Brooking at sappi.com John.Brooking at sappi.com
Tue Mar 23 12:12:52 CST 2004


Quoth Kevin Martin
>Quoth John.Brooking
>> I just received an email sent from my contact form at [1] which consisted
>> of the following:
>>    >From: blasterattacko at aol.comTo:blasterattacko"@aol.com,
>>    > "From:blasterattacko"@aol.com
>
>etc.
>
>> [...] Not that I'm too worried about this specific
>> attack, but I'm just wondering if it's an indication of some kind of
>> security hole in my contact form script. Or, more optimistically, an
>> indication that there was some attack which didn't work?
>
>The latter, most likely.  The guy is looking for a cgiemail binary
>specifically (or possibly a formmail.cgi) that doesn't completely
>strip ALL header fields.  This was published as a vulnerability of
>cgiemail, but when cgiemail is configured right the exploit fails.
>
>Details at http://handsonhowto.com/cgi103.html

Thanks for that URL, Kevin! I read it and realized that my script also
passed along unfiltered header fields, as I had not heard of that particular
exploit. Although it looks like this attempt didn't work (and I have not
seen any more attempts), I still have gone back and modified my script to
filter those fields, allowing only alphanumerics, a space, and most but not
all punctuation. Notably, no CR/LF's or other control characters, no pipes,
and no redirections (< and >).

Just to confirm: It doesn't matter what characters are in the *body*? (I
send the message as mime type "text/plain"; I realize HTML would introduce
more potential problems.) Also, I'm using the Perl module MIME::Lite [1] to
send the mail, rather than just calling sendmail directly, but I'm assuming
the same caveats still apply.

If you're wondering why I don't just use cgiemail, my script has additional
functionality that I like. It is specifically written as a mailto: tag
replacement. It accepts a "to" field which is not an email address, but
actually a key to an address book on the server (defined either in-line or
in an external text file), so the target email addresses never appear on the
client. You can set up your form to allow users to choose from a group of
people to send the message to, without revealing their addresses. It can
also function like formmail or cgiemail, passing along the values of any
other form fields it finds (in the message body).

If anyone is using my script [2], which I first posted earlier this month,
please download and install the new version immediately! (Recommended method
for this is to make a copy of your "customization" section, then overwrite
the complete script and paste your customization section back into the new
version.)

Thanks again, Kevin!

- John

[1] MIME::Lite Perl module: http://www.zeegee.com/code/perl/MIME-Lite/
[2] My script: http://www.pobox.com/~JohnBrook/codelib/
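The filtering John describes above (header fields restricted to alphanumerics, a space and most punctuation, with no CR/LF, control characters, pipes or redirections) and the address-book lookup for the "to" field, as an added example that is not John's script and not code from the thread. It assumes MIME::Lite is installed and uses placeholder addresses and constructed form submissions; the message is rendered with as_string rather than sent.

```perl
#!/usr/bin/perl
# Added example, not John's script: whitelist-check every value that ends up in
# a mail header, resolve the form's "to" key through a server-side address
# book, and only then hand the pieces to MIME::Lite. MIME::Lite is assumed to
# be installed; the message is rendered with as_string, never sent.
use strict;
use warnings;
use MIME::Lite;

# Constructed address book (placeholder addresses): the form submits a key,
# never a real address, so recipients stay off the client.
my %ADDRESS_BOOK = (
    webmaster => 'webmaster@example.org',
    sales     => 'sales@example.org',
);

# Header-field whitelist: letters, digits, space and common punctuation.
# Deliberately absent: CR, LF and all other control characters, '|', '<', '>'.
# \A and \z are used instead of ^ and $ because $ also matches just before a
# trailing newline, which would let a value ending in "\n" through.
my $HEADER_OK  = qr/\A[A-Za-z0-9 .,!?'"\@_\-\/:;()&+=%]*\z/;
# Stricter shape for the visitor's address: a single token, no whitespace.
my $ADDRESS_OK = qr/\A[A-Za-z0-9._%+\-]+\@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}\z/;

# Return the value if it matches the header whitelist, otherwise undef.
sub clean_header_field {
    my ($value) = @_;
    return defined $value && $value =~ $HEADER_OK ? $value : undef;
}

# Return the value if it looks like one plain address, otherwise undef.
sub clean_address {
    my ($value) = @_;
    return defined $value && $value =~ $ADDRESS_OK ? $value : undef;
}

# Map the submitted key to an address; unknown keys are refused.
sub resolve_recipient {
    my ($key) = @_;
    return defined $key && exists $ADDRESS_BOOK{$key} ? $ADDRESS_BOOK{$key} : undef;
}

# Build the message from the form hash. Returns ($msg, undef) on success or
# (undef, $reason) when any header-bound field fails its check.
sub build_message {
    my (%form) = @_;
    my $to      = resolve_recipient($form{to}) or return (undef, 'unknown recipient key');
    my $from    = clean_address($form{from})   or return (undef, 'malformed from address');
    my $subject = clean_header_field($form{subject});
    defined $subject                           or return (undef, 'bad characters in subject');

    my $msg = MIME::Lite->new(
        From    => $from,
        To      => $to,
        Subject => $subject,
        Type    => 'text/plain',
        Data    => $form{body},   # body text only; line breaks here stay in the body
    );
    return ($msg, undef);
}

# Constructed inputs: a normal submission, one whose "from" value carries a
# CRLF and a second To: line (the pattern discussed in the thread), and one
# with an unknown recipient key.
my @samples = (
    { to => 'webmaster', from => 'visitor@example.net',
      subject => 'Question about your site', body => "Hello,\nsecond line.\n" },
    { to => 'webmaster', from => "visitor\@example.net\r\nTo: other\@example.net",
      subject => 'hello', body => 'unwanted' },
    { to => 'nosuchkey', from => 'visitor@example.net',
      subject => 'hello', body => 'hello' },
);

for my $s (@samples) {
    my ($msg, $err) = build_message(%$s);
    print $msg ? "ACCEPTED:\n" . $msg->as_string . "\n" : "REJECTED: $err\n";
}
```

Only the first sample is accepted; the second is refused because the CR/LF in the address fails the whitelist before anything reaches MIME::Lite, and the third because its key is not in the address book. Using \A and \z rather than ^ and $ in the anchors matters here: Perl's $ also matches before a final newline, so a value ending in "\n" would otherwise slip past the check.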
