Bugtraq mailing list archives
Re: CORRECTION to CODE: FormMail.pl can be used to send anonymous email
From: Joel Sing <jsing () ORIGIN NET AU>
Date: Mon, 12 Mar 2001 15:05:59 +1100
Hi,
I did a little playing with FormMail.pl after a run in with a spammer abusing our webserver. Apparently ALL FormMail.pl cgi-bin scripts can be used to spam anonymously. I found another server with FormMail.pl and tried the same exploit to send myself an email and it worked.
This appears to be correct. The current version has a configurable list of referers that is supposed to prevent the script from being utilized from unauthorized hosts. However there is an interesting assumption made in the code: if ($ENV{'HTTP_REFERER'}) { foreach $referer (@referers) { if ($ENV{'HTTP_REFERER'} =~ m|https?://([^/]*)$referer|i) { $check_referer = 1; last; } } } else { $check_referer = 1; } If the referer doesn't exist the script assumes everything is okay, presumably to allow older browsers or those that have referer turned off, to access the script. This also means that a browser pointed directly to the script can make use of it as there is no referer in this case. Bit of a problem to fix... Since most browsers return the referer string it would probably be safer to remove this assumption from the code and simply inform the user of the problem if no referer is provided. In any case it wouldn't be difficult to send a fake referer as it's only a HTTP request header and the server is only believing what the client is telling it. Write a simple Perl script that sends a manipulated GET request with a fake referer header and you have yourself a nice spam mailer... :( Cheers, Joel ------------------------------------------------------------------------- => Joel Sing | jsing () origin net au | 0419 577 603 <= ------------------------------------------------------------------------- DOS and Windows, a turtle and it's shell
Current thread:
- CORRECTION to CODE: FormMail.pl can be used to send anonymous email Michael Rawls (Mar 11)
- Re: CORRECTION to CODE: FormMail.pl can be used to send anonymous email Palmans Pepijn (Mar 12)
- Re: CORRECTION to CODE: FormMail.pl can be used to send anonymous email Joel Sing (Mar 12)
- Re: CORRECTION to CODE: FormMail.pl can be used to send anonymous email Steffen Dettmer (Mar 12)
- Re: CORRECTION to CODE: FormMail.pl can be used to send anonymous email Steve Reid (Mar 13)
- Re: CORRECTION to CODE: FormMail.pl can be used to send anonymousemail Scott Buchanan (Mar 12)
- Message not available
- Re: CORRECTION to CODE: FormMail.pl can be used to send anonymousemail Scott Buchanan (Mar 13)
- Message not available
- Re: CORRECTION to CODE: FormMail.pl can be used to send anonymous email Steve Reid (Mar 12)