Security Incidents mailing list archives
Re: <victim>server formmail.pl exploit in the wild
From: Kee Hinckley <nazgul () somewhere com>
Date: Sun, 14 Apr 2002 18:20:36 -0400
At 4:02 PM -0700 4/12/02, Andrew Daviel wrote:
One idea that occurred to me was to set a cookie in a CGI-generated no-cache web bug (or small icon) that the user would include with their form. The mailscript would check for the correct cookie. It could be a one-time unique
...
Or, more simply, your users could be told to set a particular hidden form value and the script set to require it. Clearly an abuser would be able to read the HTML and set the value, but it would block the vast
I fail to see how either of these would do any more than give you a false sense of security. You use these techniques. A bunch of people install them, and then a month later spammers are using a formmail exploit that takes them into account by fetching the webbug, getting the cookie, and submitting the form. (Or reading the script for the hidden value, and then using it.) Sure, it takes a few more seconds for the exploit to run, but that hardly matters.
While an enumerated list of recipients can be used, that adds a maintenance problem in adding new users.
In any good web solution, writing the administration tools always takes longer than writing the end-user code. Spammers make administration harder. It's a fact of life, and it isn't going to go away.
--
Kee Hinckley - Somewhere.Com, LLC
http://consulting.somewhere.com/
nazgul () somewhere com

I'm not sure which upsets me more: that people are so unwilling to accept responsibility for their own actions, or that they are so eager to regulate everyone else's.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
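The two controls the thread contrasts, a client-supplied hidden value versus an enumerated list of recipients, can be seen side by side in the added example below. It is not code from the thread or from formmail.pl; the recipient addresses, domain and hidden token are constructed placeholders, and the per-domain allowlist is an extension (an assumption, not something the thread proposes) meant to ease the maintenance burden Kee mentions while still keeping the script from relaying to arbitrary addresses.

```python
import re

# Constructed allowlist: the only mailboxes this form is permitted to deliver to.
ALLOWED_RECIPIENTS = {
    "webmaster@example.com",
    "sales@example.com",
}

# Assumed extension: any mailbox in these domains is also acceptable, so new
# local users do not each need an allowlist entry (the maintenance cost raised
# in the thread). Mail still cannot leave the site's own domains.
ALLOWED_DOMAINS = {"example.com"}

# Constructed hidden form value of the kind the quoted proposal suggests.
EXPECTED_HIDDEN_VALUE = "form-secret-123"

# Deliberately simple address shape check; not a full RFC 5322 parser.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def hidden_value_ok(fields):
    """The weak control: compare a hidden form field against a fixed value.

    Anyone who can read the published HTML learns the value, so this only
    costs an abuser one extra request; it does not constrain where mail goes.
    """
    return fields.get("secret") == EXPECTED_HIDDEN_VALUE


def normalize(addr):
    """Lowercase and trim an address; reject CR/LF (would inject mail headers)."""
    if not isinstance(addr, str) or "\r" in addr or "\n" in addr:
        return None
    addr = addr.strip().lower()
    return addr if _ADDR_RE.match(addr) else None


def recipient_allowed(raw):
    """The strong control: accept only enumerated recipients or allowed domains."""
    addr = normalize(raw)
    if addr is None:
        return False
    if addr in ALLOWED_RECIPIENTS:
        return True
    domain = addr.rsplit("@", 1)[1]
    return domain in ALLOWED_DOMAINS


def filter_recipients(raw_list):
    """Split a submitted 'recipient' list into (accepted, rejected) addresses."""
    accepted, rejected = [], []
    for raw in raw_list:
        (accepted if recipient_allowed(raw) else rejected).append(raw)
    return accepted, rejected


def deliverable(fields):
    """Decide whether a form submission may be mailed at all.

    The hidden value is checked only to show it adds nothing once the
    recipient allowlist is enforced: a submission with a correct token but an
    off-site recipient is still refused.
    """
    if not hidden_value_ok(fields):
        return False, []
    accepted, _rejected = filter_recipients(fields.get("recipient", []))
    return bool(accepted), accepted


if __name__ == "__main__":
    # Constructed submission: token is correct, but one recipient is off-site.
    sample = {
        "secret": EXPECTED_HIDDEN_VALUE,
        "recipient": ["Sales@Example.com", "someone@elsewhere.example"],
    }
    ok, to = deliverable(sample)
    print("deliver:", ok, "to:", to)
```

Only the allowlist changes what an abuser can do with the script: the hidden value is public by construction, while the recipient check bounds the damage to mailboxes the site already operates.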
Current thread:
- <victim>server formmail.pl exploit in the wild Andrew Daviel (Apr 12)
- Re: <victim>server formmail.pl exploit in the wild Noel Rosenberg (Apr 12)
- Re: <victim>server formmail.pl exploit in the wild Christopher X. Candreva (Apr 12)
- <Possible follow-ups>
- Re: <victim>server formmail.pl exploit in the wild Justin Shore (Apr 12)
- Re: <victim>server formmail.pl exploit in the wild mike maxwell (Apr 12)
- RE: <victim>server formmail.pl exploit in the wild Robert Zilbauer (Apr 12)
- RE: <victim>server formmail.pl exploit in the wild Benjamin Tomhave (Apr 14)
- Re: <victim>server formmail.pl exploit in the wild Andrew Daviel (Apr 14)
- Re: <victim>server formmail.pl exploit in the wild Kee Hinckley (Apr 15)
- Re: <victim>server formmail.pl exploit in the wild Andrew Daviel (Apr 15)
- Re: <victim>server formmail.pl exploit in the wild Kee Hinckley (Apr 15)
- Re: <victim>server formmail.pl exploit in the wild Kee Hinckley (Apr 15)
- Re: <victim>server formmail.pl exploit in the wild Noel Rosenberg (Apr 12)