Full Disclosure mailing list archives
[anonymous: RE: Insecurity of Web-based Feedback Forms]
From: Len Rose <len () netsys com>
Date: Mon, 14 Jul 2003 22:54:40 -0400
----- Forwarded message from "Anonymous" -----

Subject: RE: Insecurity of Web-based Feedback Forms
To: <len () netsys com>

Hi Len

Could you forward this anonymously to the FD list please? It's a very very
widespread problem and I don't want my 'friends' to know who let the cat out
of the bag ;)

(please! No names, addresses, initials, or tell-tale headers! Thanks!)

Cheers

[snip]

-----Original Message-----
From: Anonymous
Sent: Tuesday, July 15, 2003 10:01 AM
To: 'auscert () auscert org au'
Subject: RE: (AUSCERT AA-2003.02) AUSCERT Advisory - Insecurity of Web-based Feedback Forms

Hi

There are numerous 'Tellafriend' scripts available, and almost all of them
allow the user to specify both a sender and recipient email address. Most of
them even allow the user to specify the body of the message. They can be used
to send unsolicited bulk email with forged FROM addresses.

Almost every major site has some kind of 'tell a friend about this site'
facility. And almost every one of these facilities is vulnerable to spam relay
(either directly or via header injection with newline characters, a la
formmail.)

Examples:

http://www.ecomp.com.au/tellafriend.asp
http://www.sunshinetoyota.com.au/camry/tellafriend.asp
http://www.thecomputeroutlet.com.au/TellaFriend.asp
http://www.ski.com.au/arlberg/tellafriend.html
http://www.adrenalin.com.au/tellafriend.html
http://breezefm.com.au/tellafriend.html
http://www.givenow.org/tellafriend.asp
http://rollingstones.com/tellafriend.php
http://www.bingosites.net/main/tellafriend.asp
http://www.heartinfo.org/search/tellafriend.asp
http://www.tax.net/tellfriend.php
http://www.preventspam.net/tellafriend.htm   <- hahahah :)
http://security.ittoolbox.com/recommend/tellafriend.asp
http://www.atsic.gov.au/events/previous_events/Sports_Awards/sports2001/send.asp?subtTellFriend=Tellafriend

All of these vulnerable sites were found in 5 minutes using Google search for
"allinurl: tellafriend". Tellafriend.asp gets 35,800 hits on google.
Tellfriend.asp gets 15,200. Tellafriend.html gets 8,270.

As you can see this is a very widespread problem - it's not just formmail that
is vulnerable to spam relay!

Regards,
anon.

-----Original Message-----
From: auscert () auscert org au [mailto:auscert () auscert org au]
Sent: Monday, July 14, 2003 5:20 PM
To: auscert-subscriber () auscert org au
Subject: (AUSCERT AA-2003.02) AUSCERT Advisory - Insecurity of Web-based Feedback Forms

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
                              AA-2003.02
                           AUSCERT Advisory
               Insecurity of Web-based Feedback Forms
                             14 July 2003

Last Revised: --
- ---------------------------------------------------------------------------

AusCERT has received information regarding potential vulnerabilities in the
implementation of some Web-based feedback forms. This vulnerability may allow
remote users to misuse these forms to send Unsolicited Bulk Email (UBE).

This advisory will be updated as more information becomes available.

- ---------------------------------------------------------------------------

1. Description

In order to obtain written feedback from their clients, many organisations
implement web-based feedback forms. A common method for doing this is to use
the FORM HTML element and the POST method option. These forms often use email
to send the results, with the destination email address configured using a
hidden INPUT field. The CGI code which performs this function may be written
"in house" or adapted from external sources (FormMail is a popular example).

The following code snippet shows an example of the HTML tag used (within the
FORM tag) which may leave a web server open to abuse:

    <FORM action="result-script" method="post">
    ...
    <INPUT type=hidden name="recipient" value="feedback () email address com">
    ...
    </FORM>

2. Impact

Without adequate server-side validation, it is possible for remote clients to
make a form submission with an arbitrary destination email address. By
allowing this, organisations inadvertently allow their servers to be used for
sending UBE, via feedback forms.

AusCERT has observed the exploitation of this weakness across the Internet.

3. Workarounds/Mitigation

Organisations who use feedback forms on their web sites should review their
code and test the form submission to ensure proper server-side validation.
Server-side CGI scripts should validate the domain of this email address or
alternatively, hard-code the email address. If the feedback form is developed
externally, then the vendor web site should be consulted for any updates or
security information.

Users of the popular FormMail CGI should upgrade to Version 1.91 or higher and
make use of the "@recipients" array which allows specification of acceptable
recipient email addresses or domains.

There exists a related vulnerability in Allaire Forums which allows malicious
users to impersonate other users using unverified hidden fields. See
REFERENCES for more information.

REFERENCES:

http://www.stickysauce.com/tutorials/misc/spamproof.htm
http://www.kb.cert.org/vuls/id/575619
http://www.scriptarchive.com/formmail.html
http://willmaster.com/master/feedback/

- ---------------------------------------------------------------------------

AusCERT would like to acknowledge the assistance of Michael O'Brien, Senior
Security Consultant of LogicaCMG in producing this Advisory.

- ---------------------------------------------------------------------------

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures.

AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

http://www.auscert.org.au/render.html?it=3192

AusCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au.

Internet Email: auscert () auscert org au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

Postal:         Australian Computer Emergency Response Team
                The University of Queensland
                Brisbane
                Qld 4072
                AUSTRALIA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBPxJY9yh9+71yA2DNAQE69AP/SNnhsgn00Y0fRw1fsnCJgeaVvrAHrvgw
Fho7HVqnVkti6QwZ8Lnd7K5fjkinrfgBNhRqIbJ175TTD8iYGV40eSBGFENFbojT
+TvqGOXu2FTrdSidrd3XCxx21UmAjKb+W5j1c+FyfThysAskrInkfdFG95YxCuk2
dB/k56jwO2s=
=s7Ud
-----END PGP SIGNATURE-----

Notice: The information contained in this e-mail message and any attached
files may be confidential information, and may also be the subject of legal
professional privilege. If you are not the intended recipient any use,
disclosure or copying of this e-mail is unauthorised. If you have received
this e-mail in error, please notify the sender immediately by reply e-mail
and delete all copies of this transmission together with any attachments.

----- End forwarded message -----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
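The server-side validation the advisory's Workarounds section asks for, written out as an added example; this is not code from the advisory, the anonymous poster, or FormMail. It models FormMail's "@recipients" idea as a Python allowlist of recipient domains, shows the alternative of a hard-coded destination, and refuses any header-bound field carrying a newline, which closes the header-injection variant the post mentions. All addresses, domains and field names (example.com, example.net, "recipient", "email", "realname", "subject", "comments") are constructed for the example.

```python
import re
from email.message import EmailMessage

# Constructed configuration for this example, covering the advisory's two
# fixes: an allowlist of acceptable recipient domains (in the spirit of
# FormMail's @recipients array) and a hard-coded destination address.
ALLOWED_RECIPIENT_DOMAINS = {"example.com"}     # hypothetical domain
FIXED_RECIPIENT = "feedback@example.com"         # hypothetical address
SITE_SENDER = "webform@example.com"              # hypothetical address

# Form fields that many feedback/tell-a-friend scripts copy straight into
# SMTP headers; every one of them must be free of CR, LF and NUL.
HEADER_FIELDS = ("recipient", "email", "realname", "subject")

# Conservative shape check for exactly one bare address: no whitespace, no
# angle brackets and no comma, so a value cannot smuggle in extra recipients.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


class FormRejected(ValueError):
    """Raised when a submission fails server-side validation."""


def reject_header_injection(fields):
    """Refuse any header-bound field containing a control character.

    A CR/LF inside e.g. the subject would let a client terminate the header
    and append header lines of its own; rejecting the request outright is
    simpler and safer than trying to strip the characters.
    """
    for name in HEADER_FIELDS:
        value = fields.get(name, "")
        if any(ch in value for ch in "\r\n\x00"):
            raise FormRejected(f"control character in field {name!r}")


def validate_recipient(recipient, allowed_domains):
    """Return recipient if it is one well-formed address at an allowed domain."""
    if not _ADDR_RE.match(recipient):
        raise FormRejected("recipient is not a single well-formed address")
    domain = recipient.rsplit("@", 1)[1].lower()
    if domain not in allowed_domains:
        raise FormRejected(f"recipient domain {domain!r} is not allowed")
    return recipient


def build_feedback_message(fields, allowed_domains=ALLOWED_RECIPIENT_DOMAINS,
                           fixed_recipient=None):
    """Turn a decoded POST body (dict of str) into an EmailMessage.

    With fixed_recipient set, the submitted 'recipient' field is ignored
    entirely (the advisory's "hard-code the email address" option); otherwise
    it must pass validate_recipient().
    """
    reject_header_injection(fields)
    if fixed_recipient is not None:
        to_addr = fixed_recipient
    else:
        to_addr = validate_recipient(fields.get("recipient", ""), allowed_domains)

    msg = EmailMessage()
    # From: is always the site's own address, so the form cannot forge a
    # sender; a well-formed visitor address is offered only as Reply-To.
    msg["From"] = SITE_SENDER
    msg["To"] = to_addr
    visitor = fields.get("email", "")
    if visitor:
        if not _ADDR_RE.match(visitor):
            raise FormRejected("visitor email is not a well-formed address")
        msg["Reply-To"] = visitor
    # The Subject: header is fixed; whatever the visitor typed stays in the
    # body, where it cannot influence delivery.
    msg["Subject"] = "Website feedback form"
    msg.set_content(
        f"Name: {fields.get('realname', '')}\n"
        f"Visitor subject: {fields.get('subject', '')}\n\n"
        f"{fields.get('comments', '')}\n"
    )
    return msg


def submission_is_rejected(fields, **kwargs):
    """True if build_feedback_message() refuses the submission."""
    try:
        build_feedback_message(fields, **kwargs)
    except FormRejected:
        return True
    return False


if __name__ == "__main__":
    # Constructed submissions: one honest, one with a newline in the subject,
    # one pointing the recipient at a domain outside the allowlist.
    samples = {
        "honest":        {"recipient": "feedback@example.com", "email": "visitor@example.net",
                          "subject": "Great site", "comments": "Thanks!"},
        "crlf subject":  {"recipient": "feedback@example.com", "subject": "x\r\nBcc: a@example.net"},
        "other domain":  {"recipient": "someone@example.net", "comments": "hello"},
    }
    for label, fields in samples.items():
        print(f"{label:14} -> {'rejected' if submission_is_rejected(fields) else 'accepted'}")
```

Rejecting rather than cleaning is deliberate: a feedback form has no legitimate reason to carry a newline in a header field, so any such request is at best malformed and the safest response is a 4xx and a log line. The same check should be applied to the visitor's address, not only the recipient, because a sender or Reply-To field is just as capable of carrying an injected header.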