Security Incidents mailing list archives
Re: <victim>server formmail.pl exploit in the wild
From: Andrew Daviel <andrew () andrew triumf ca>
Date: Fri, 12 Apr 2002 16:02:31 -0700 (PDT)
On Fri, 12 Apr 2002, Chris Murley wrote:
> So, we wrote a wrapper that checks to see how many emails the CGI is trying to send to; if it's more than 4, we stop the email from going out.
The attempts I saw in the last week were coming from all over; many unresolved (probably Far East) addresses. One guy on Earthlink was very persistent. I saw some attempts trying to send to 30 recipients, but most were going to one or sometimes two. The AOL fraud attempts were sending the same message from a variety of different addresses.

While an enumerated list of recipients can be used, that adds a maintenance problem in adding new users. One idea that occurred to me was to set a cookie in a CGI-generated no-cache web bug (or small icon) that the user would include with their form. The mail script would check for the correct cookie. It could be a one-time unique cookie, or a random string, perhaps hashed from the server address. Anything could be defeated on a one-time basis, but it would take a bit of effort.

Or, more simply, your users could be told to set a particular hidden form value and the script set to require it. Clearly an abuser would be able to read the HTML and set the value, but it would block the vast majority of automated abuse (send to http://some.org/cgi-bin/formmail.pl with recipient=dropbox and subject=http://some.org/cgi-bin/formmail.pl, then just build a list from the incoming mail).

--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security () triumf ca

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
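The checks discussed in this message, as an added example that is not code from the post, from FormMail, or from any of the list participants: a gatekeeper in front of a formmail.pl-style relay that applies the recipient cap Chris Murley's wrapper used (more than 4 addresses is refused), the required hidden form value Andrew Daviel suggests, and, optionally, the enumerated recipient list he notes is more robust but costs maintenance. The field names (`recipient`, `subject`, `site_token`), the token value, the domain and all four sample submissions are assumptions constructed for the example; the "probe" submission mimics the enumeration pattern described in the post (one dropbox recipient, the script's own URL as subject).

```python
"""Added example, not code from the original post or from FormMail itself.

Models the defences discussed in the thread for a formmail.pl-style
mail-relay CGI:
  1. the wrapper's recipient cap (refuse a submission naming more than 4
     addresses),
  2. a required hidden form value that the site's own forms carry and that
     a scanner posting straight at the CGI omits, and
  3. the stronger but higher-maintenance option of an enumerated recipient
     list.
Field names, the token value, the domain and every sample submission below
are assumptions constructed for this example.
"""
import hmac
from urllib.parse import parse_qs, urlencode

MAX_RECIPIENTS = 4                       # cap used by the wrapper in the thread
REQUIRED_TOKEN = "x7q2v9-assumed-token"  # hidden field value (assumption)
TOKEN_FIELD = "site_token"               # hidden field name (assumption)


def split_recipients(raw_values):
    """FormMail takes recipients from repeated 'recipient' fields or a
    comma-separated list; flatten both forms, lower-case, drop blanks."""
    out = []
    for raw in raw_values:
        out.extend(part.strip().lower() for part in raw.split(",") if part.strip())
    return out


def check_submission(body, max_recipients=MAX_RECIPIENTS,
                     required_token=REQUIRED_TOKEN, allowed_recipients=None):
    """Return (allowed, reason) for a URL-encoded POST body.

    allowed_recipients=None applies only the cap and the hidden token;
    passing a set of addresses additionally enforces the enumerated list.
    """
    fields = parse_qs(body, keep_blank_values=True)
    recipients = split_recipients(fields.get("recipient", []))
    if not recipients:
        return False, "no recipient given"
    if len(recipients) > max_recipients:
        return False, f"{len(recipients)} recipients exceeds cap of {max_recipients}"
    token = fields.get(TOKEN_FIELD, [""])[0]
    # Constant-time compare; the token is a shared secret between the site's
    # forms and the script, not a per-user credential.
    if not hmac.compare_digest(token.encode(), required_token.encode()):
        return False, "hidden site token missing or wrong"
    if allowed_recipients is not None:
        unknown = sorted(set(recipients) - {a.lower() for a in allowed_recipients})
        if unknown:
            return False, "recipient not in allowed list: " + ", ".join(unknown)
    return True, "ok"


# Constructed sample submissions (assumptions, not traffic from the thread).
LEGIT = urlencode({"recipient": "webmaster@some.org", "subject": "Contact",
                   TOKEN_FIELD: REQUIRED_TOKEN})
# The enumeration probe described in the post: one recipient (the abuser's
# dropbox) and the script's own URL as subject, with no hidden token.
PROBE = urlencode({"recipient": "dropbox@example.net",
                   "subject": "http://some.org/cgi-bin/formmail.pl"})
# A bulk relay attempt: 30 comma-separated recipients.
BULK = urlencode({"recipient": ",".join(f"user{i}@example.net" for i in range(30)),
                  "subject": "hello", TOKEN_FIELD: REQUIRED_TOKEN})
# An abuser who read the HTML, copied the hidden value and posts to one outsider.
COPIED_TOKEN = urlencode({"recipient": "dropbox@example.net", "subject": "x",
                          TOKEN_FIELD: REQUIRED_TOKEN})


def demo():
    """Run the samples through both policies; returns {name: (allowed, reason)}."""
    site_list = {"webmaster@some.org", "sales@some.org"}
    return {
        "legit": check_submission(LEGIT),
        "probe": check_submission(PROBE),
        "bulk": check_submission(BULK),
        "copied_token_cap_only": check_submission(COPIED_TOKEN),
        "copied_token_enumerated": check_submission(COPIED_TOKEN,
                                                    allowed_recipients=site_list),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:25s} {'ALLOW' if ok else 'DENY':5s} {why}")
```

The last two samples make the caveat from the message concrete: the cap and the hidden value stop the scanner and the bulk relay, but an abuser who has read the page and copied the hidden value gets through unless the script also enforces an enumerated list of recipients (the `allowed_recipients` path, which is what Matt Wright's FormMail `@recipients` setting does). The recipient count is computed after splitting comma lists, since a single `recipient` field can carry many addresses.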
Current thread:
- <victim>server formmail.pl exploit in the wild Andrew Daviel (Apr 12)
- Re: <victim>server formmail.pl exploit in the wild Noel Rosenberg (Apr 12)
- Re: <victim>server formmail.pl exploit in the wild Christopher X. Candreva (Apr 12)
- <Possible follow-ups>
- Re: <victim>server formmail.pl exploit in the wild Justin Shore (Apr 12)
- Re: <victim>server formmail.pl exploit in the wild mike maxwell (Apr 12)
- RE: <victim>server formmail.pl exploit in the wild Robert Zilbauer (Apr 12)
- RE: <victim>server formmail.pl exploit in the wild Benjamin Tomhave (Apr 14)
- Re: <victim>server formmail.pl exploit in the wild Andrew Daviel (Apr 14)
- Re: <victim>server formmail.pl exploit in the wild Kee Hinckley (Apr 15)
- Re: <victim>server formmail.pl exploit in the wild Andrew Daviel (Apr 15)
- Re: <victim>server formmail.pl exploit in the wild Kee Hinckley (Apr 15)
- Re: <victim>server formmail.pl exploit in the wild Kee Hinckley (Apr 15)
- Re: <victim>server formmail.pl exploit in the wild Noel Rosenberg (Apr 12)