[thelist] Email header injection
Kasimir K
evolt at kasimir-k.fi
Fri Nov 11 08:26:09 CST 2005
Nick Wilsdon wrote on 2005-11-11 13:10:
> If they can turn the form
> into HTML they have an opportunity to use HEX characters, which you aren't
> stripping out there.
But aren't both \n and %0A just different ways of presenting 00001010?
And injections seem to have been successful only a couple of times (probes
only, fortunately). Another curious thing is that, as this exploit script
seems to be using as form input the domain name in question, I've put a
test to catch those, and send myself a message with request headers and
body. But a couple of times this seems to have failed too.
Here's a sample of request bodies:
[message] => over3449 at kasimir-k.fi
[email] => at
Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: ow, suppose illigan s father whin he
bcc: onemoreaddress at hotpop.com
9048a0399b07ab486baafd4a0334ef1f
.
[send] => over3449 at kasimir-k.fi
[name] => over3449 at kasimir-k.fi
The script is normally executed as many times as there are fields in the
form. It tries the header input for each field in turn, and the rest it
populates with the fake address.
So now I added a check for the 'send' field - it is the submit button, so
its value should never be anything else than what it is set to. So if
the value of 'send' is not 'send', then it is an exploit attempt. Let's
see if this is enough.
.k
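The two checks discussed in this thread (a line break in a field that ends up in a mail header, and a submit field whose value is not the fixed value the form sets) can be expressed as a small validation routine. The following is an added example, not the poster's form script; it assumes the field names from the quoted request body (name, email, message, send) and uses a constructed request body with example.invalid addresses in place of the real ones. It also shows why \n and %0A are the same thing to the check: form decoding turns %0A into a newline before the value reaches the mail headers, so testing the decoded value catches both spellings.

```python
from urllib.parse import parse_qs

# Constructed sample body, modelled on the probe quoted in the post:
# the 'email' field carries injected header lines, and every other field
# is filled with the same fake address (including the submit button).
SAMPLE_BODY = (
    "name=over3449%40example.invalid"
    "&email=at%0AContent-Type%3A+text%2Fplain%0Abcc%3A+other%40example.invalid%0A"
    "&message=hello"
    "&send=over3449%40example.invalid"
)
# Constructed legitimate submission for comparison.
CLEAN_BODY = "name=Kasimir&email=k%40example.invalid&message=hello&send=send"

# Fields the form-to-mail script copies into mail headers (assumption:
# 'message' only goes into the body, where line breaks are legitimate).
HEADER_FIELDS = ("name", "email")
# The submit button: its value is fixed in the HTML, so anything else is forged.
SUBMIT_FIELD, SUBMIT_VALUE = "send", "send"


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into a dict.

    parse_qs decodes %0A to "\n" and %0D to "\r", just as PHP does when it
    fills $_POST, so the checks below see the same bytes the mailer would.
    """
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def injection_reasons(fields: dict) -> list:
    """Return the reasons a submission looks like a header-injection probe.

    An empty list means the submission passed both checks.
    """
    reasons = []
    for name in HEADER_FIELDS:
        value = fields.get(name, "")
        # A CR or LF in a header field would start a new header line in the
        # outgoing mail; no legitimate name or address contains one.
        if "\r" in value or "\n" in value:
            reasons.append(f"{name}: line break in header field")
    # The submit button's value cannot change in a real browser submission.
    if fields.get(SUBMIT_FIELD) != SUBMIT_VALUE:
        reasons.append(
            f"{SUBMIT_FIELD}: unexpected value {fields.get(SUBMIT_FIELD)!r}"
        )
    return reasons


def is_exploit_attempt(body: str) -> bool:
    """True if the raw request body should be rejected rather than mailed."""
    return bool(injection_reasons(parse_form(body)))


if __name__ == "__main__":
    for label, body in (("probe", SAMPLE_BODY), ("clean", CLEAN_BODY)):
        print(label, injection_reasons(parse_form(body)))
```

Run against the constructed probe the routine reports both the line break in the email field and the forged submit value; the clean submission produces no reasons. Rejecting on either condition is enough to stop the script from getting its extra headers into the mail, and logging the reasons gives the kind of record the poster is already mailing to himself.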