Security Incidents mailing list archives

Re: <victim>server formmail.pl exploit in the wild


From: Kee Hinckley <nazgul () somewhere com>
Date: Sun, 14 Apr 2002 18:20:36 -0400

At 4:02 PM -0700 4/12/02, Andrew Daviel wrote:
> One idea that occurred to me was to set a cookie in a CGI-generated
> no-cache web bug (or small icon) that the user would include with their form. The mail
> script would check for the correct cookie. It could be a one-time unique

...

> Or, more simply, your users could be told to set a particular hidden
> form value and the script set to require it. Clearly an abuser would be
> able to read the HTML and set the value, but it would block the vast

I fail to see how either of these would do any more than give you a false sense of security. You use these techniques. A bunch of people install them, and then a month later spammers are using a formmail exploit that takes them into account by fetching the web bug, getting the cookie, and submitting the form. (Or reading the script for the hidden value, and then using it.) Sure, it takes a few more seconds for the exploit to run, but that hardly matters.

> While an enumerated list of recipients can be used, that adds a
> maintenance problem in adding new users.

In any good web solution, writing the administration tools always takes longer than writing the end-user code. Spammers make administration harder. It's a fact of life, and it isn't going to go away.
--

Kee Hinckley - Somewhere.Com, LLC
http://consulting.somewhere.com/
nazgul () somewhere com

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
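
The contrast drawn in this message, between a hidden form value and an enumerated recipient list, is shown below as an added example. It is not part of the original post and is not formmail.pl code; it is written in Python rather than Perl, and the token, aliases and addresses are constructed for illustration.

```python
import re

# Constructed values for illustration; none come from formmail.pl itself.
HIDDEN_TOKEN = "s3cret-form-value"      # visible to anyone who reads the form HTML
RECIPIENTS = {                          # enumerated list, kept on the server
    "sales": "sales@example.org",
    "webmaster": "webmaster@example.org",
}
ALIAS_RE = re.compile(r"[a-z0-9_-]{1,32}")


def accept_with_hidden_value(form):
    """Hidden-value check: returns the recipient address, or None if refused.

    Any client that copied the value from the page passes, and the
    address is still whatever the client supplied.
    """
    if form.get("token") != HIDDEN_TOKEN:
        return None
    return form.get("recipient")


def accept_with_enumerated_recipients(form):
    """Enumerated-list check: returns the recipient address, or None if refused.

    The client names an alias; the server alone decides the address.
    """
    alias = form.get("recipient", "")
    if not isinstance(alias, str) or not ALIAS_RE.fullmatch(alias):
        return None                     # refuses addresses, CR/LF, comma lists
    return RECIPIENTS.get(alias)        # None unless the alias is configured


# Constructed submissions: one carries the right hidden value but names a
# recipient outside the site; the other is an ordinary alias-based request.
relay_attempt = {"token": HIDDEN_TOKEN, "recipient": "someone@elsewhere.example"}
ordinary = {"recipient": "sales"}

if __name__ == "__main__":
    print("hidden value :", accept_with_hidden_value(relay_attempt))
    print("enumerated   :", accept_with_enumerated_recipients(relay_attempt))
    print("ordinary     :", accept_with_enumerated_recipients(ordinary))
```

The maintenance cost raised in the quoted text is the `RECIPIENTS` table: every new recipient is a server-side change.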

