Re: <victim>server formmail.pl exploit in the wild

[Andrew Daviel <andrew () andrew triumf ca>]

On Sun, 14 Apr 2002, Kee Hinckley wrote:

> > Or, more simply, your users could be told to set a particular hidden
> > form value and the script set to require it. Clearly an abuser would be
> > able to read the HTML and set the value, but it would block the vast
>
> I fail to see how either of these would do anymore than give you a 
> false sense of security.  You use these techniques.  A bunch of 
> people install them, and then a month later spammers are using a 
> formmail exploit that takes them into account by fetching the webbug, 
> getting the cookie, and submitting the form.  (Or reading the script 
> for the hidden value, and then using it.)  Sure, it takes a few more 
> seconds for the exploit to run, but that hardly matters.

True, security through obscurity is not real security. But we're not
trying to block a determined person from sending one piece of mail, we're 
trying to make it not worthwhile for automated abuse. Currently, many 
formmail scripts are found by scanning for them, just by requesting 
/cgi-bin/formmail.pl. As another correspondent pointed out, renaming 
the thing to cgi-bin/formmailtoo.pl would thwart this.
While the script is known, and in a known place, the form is not, and
can have arbitrary structure, and be in an arbitrary place. To find these
in an automated fashion would require a search engine able to search
on HTML elements (rather than visible text). Then the hidden field
would have to be found (different for each site). This is somewhat
more complex than just trolling  for cgi-bin and would I think
deter most spammers.

If the script is equipped with a throttle, then excessive mail from one
remote address (OK, problems with AOL proxy maybe) or to one recipient may 
be blocked. But what I have seen appears to be an attempt to use multiple
clients to send the same message, which may sidestep a throttle somewhat.

I presume that real users of this script (as opposed to those who 
can easily hardwire the recipient address because it only goes to one
person) are running a system where users are trusted to write
their own HTML, but not to write arbitrary CGI. So the administrators of 
the web pages, who know what recipients are valid, are not able to
change the script.
The only other solution I can think of at the moment, would be to
give the HTML authors a private directory that they can write to - either 
outside the Web directory, or password-protected.
The form script could then read the recipient list from a file 
(directly, or over the net with a suitable client). 
It would have to figure out the 
filename from the referer, or from a hidden field.

Of course, some web browsers are able to send a form via mail directly,
but others won't or just pop a normal mail client. At least, that was true
a few years ago.

-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security () triumf ca


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com