Security Incidents mailing list archives
Re: <victim>server formmail.pl exploit in the wild
From: Andrew Daviel <andrew () andrew triumf ca>
Date: Mon, 15 Apr 2002 13:02:47 -0700 (PDT)
On Sun, 14 Apr 2002, Kee Hinckley wrote:
> > Or, more simply, your users could be told to set a particular hidden
> > form value and the script set to require it. Clearly an abuser would
> > be able to read the HTML and set the value, but it would block the vast
>
> I fail to see how either of these would do any more than give you a
> false sense of security. You use these techniques. A bunch of people
> install them, and then a month later spammers are using a formmail
> exploit that takes them into account by fetching the webbug, getting the
> cookie, and submitting the form. (Or reading the script for the hidden
> value, and then using it.) Sure, it takes a few more seconds for the
> exploit to run, but that hardly matters.
True, security through obscurity is not real security. But we're not trying to block a determined person from sending one piece of mail, we're trying to make it not worthwhile for automated abuse.

Currently, many formmail scripts are found by scanning for them, just by requesting /cgi-bin/formmail.pl. As another correspondent pointed out, renaming the thing to cgi-bin/formmailtoo.pl would thwart this. While the script is known, and in a known place, the form is not, and can have arbitrary structure, and be in an arbitrary place. To find these in an automated fashion would require a search engine able to search on HTML elements (rather than visible text). Then the hidden field would have to be found (different for each site). This is somewhat more complex than just trolling for cgi-bin and would, I think, deter most spammers.

If the script is equipped with a throttle, then excessive mail from one remote address (OK, problems with AOL proxy maybe) or to one recipient may be blocked. But what I have seen appears to be an attempt to use multiple clients to send the same message, which may sidestep a throttle somewhat.

I presume that real users of this script (as opposed to those who can easily hardwire the recipient address because it only goes to one person) are running a system where users are trusted to write their own HTML, but not to write arbitrary CGI. So the administrators of the web pages, who know what recipients are valid, are not able to change the script.

The only other solution I can think of at the moment would be to give the HTML authors a private directory that they can write to - either outside the Web directory, or password-protected. The form script could then read the recipient list from a file (directly, or over the net with a suitable client). It would have to figure out the filename from the referer, or from a hidden field.

Of course, some web browsers are able to send a form via mail directly, but others won't or just pop a normal mail client. At least, that was true a few years ago.

--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security () triumf ca

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
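Added example, not part of the archived message and not the formmail.pl script itself: a minimal form-to-mail handler, written in Python for illustration, that applies the three mitigations the message discusses together. A hidden field is required, the recipient is looked up by form id from a file the HTML author controls (so a client-supplied recipient is ignored), and accepted submissions are throttled per remote address and per recipient. The file format, the token value, the addresses and the throttle limits are all assumptions made for the example; the input file is constructed inline so the code runs offline.

```python
# Added example (not from the original post or from formmail.pl): a form-to-mail
# handler applying the mitigations discussed in the thread. All identifiers,
# addresses and limits below are assumptions chosen for illustration.
import hmac
from collections import defaultdict, deque

# Constructed allow-list file contents: one "form-id recipient" pair per line.
# In the thread's scheme this file lives in a private directory that the HTML
# author can write to but that the web server does not serve.
RECIPIENT_FILE_TEXT = """\
# form-id   recipient
contact     webmaster@example.org
sales       sales@example.org
"""

# Hypothetical site-specific value placed in a hidden <input> of every real form.
REQUIRED_TOKEN = "site-specific-token"

# Assumed throttle parameters: accepted submissions per key per window.
MAX_PER_SENDER = 5
MAX_PER_RECIPIENT = 20
WINDOW_SECONDS = 3600


def parse_recipient_file(text):
    """Return {form_id: recipient}. Blank lines and '#' comments are skipped.
    The recipient comes only from this file, never from the submitted form."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        form_id, recipient = line.split(None, 1)
        table[form_id] = recipient.strip()
    return table


class Throttle:
    """Sliding-window counter: at most `limit` accepted events per key
    within the last `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.events = defaultdict(deque)

    def allow(self, key, now):
        q = self.events[key]
        while q and q[0] <= now - self.window:
            q.popleft()          # drop events outside the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class FormMailer:
    def __init__(self, recipients, token):
        self.recipients = recipients
        self.token = token
        self.by_sender = Throttle(MAX_PER_SENDER, WINDOW_SECONDS)
        self.by_recipient = Throttle(MAX_PER_RECIPIENT, WINDOW_SECONDS)
        self.outbox = []  # (recipient, message) pairs that would be mailed

    def handle(self, fields, remote_addr, now):
        """Decide one submission. `fields` is the decoded form data,
        `remote_addr` the client address, `now` a timestamp in seconds."""
        # Hidden-field check: raises the bar for scanners that only know the
        # script's URL and not the structure of the site's forms.
        supplied = fields.get("token", "")
        if not hmac.compare_digest(supplied.encode(), self.token.encode()):
            return "reject: missing or wrong hidden field"
        # Recipient is chosen by form id from the server-side table; any
        # 'recipient' field the client sends is ignored entirely.
        form_id = fields.get("form", "")
        if form_id not in self.recipients:
            return "reject: unknown form id"
        to_addr = self.recipients[form_id]
        # Throttle by remote address, then by recipient.
        if not self.by_sender.allow(remote_addr, now):
            return "reject: too many submissions from " + remote_addr
        if not self.by_recipient.allow(to_addr, now):
            return "reject: too many submissions to " + to_addr
        self.outbox.append((to_addr, fields.get("message", "")))
        return "accept: " + to_addr


if __name__ == "__main__":
    mailer = FormMailer(parse_recipient_file(RECIPIENT_FILE_TEXT), REQUIRED_TOKEN)
    # The client-supplied recipient is ignored; mail goes to the table's address.
    print(mailer.handle({"form": "contact", "token": REQUIRED_TOKEN,
                         "recipient": "victim@example.net"}, "192.0.2.10", 0))
    print(mailer.handle({"form": "contact"}, "192.0.2.10", 1))
```

The recipient lookup is the part that actually removes the relay: whatever address a spammer puts in the form, mail can only go to entries in the author-controlled file. The hidden field and throttle only raise the cost of automated abuse, as the message above says; the throttle keyed on remote address is the one a distributed submission campaign sidesteps, which is why the recipient-keyed throttle is kept as well.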
Current thread:
- <victim>server formmail.pl exploit in the wild Andrew Daviel (Apr 12)
- Re: <victim>server formmail.pl exploit in the wild Noel Rosenberg (Apr 12)
- Re: <victim>server formmail.pl exploit in the wild Christopher X. Candreva (Apr 12)
- <Possible follow-ups>
- Re: <victim>server formmail.pl exploit in the wild Justin Shore (Apr 12)
- Re: <victim>server formmail.pl exploit in the wild mike maxwell (Apr 12)
- RE: <victim>server formmail.pl exploit in the wild Robert Zilbauer (Apr 12)
- RE: <victim>server formmail.pl exploit in the wild Benjamin Tomhave (Apr 14)
- Re: <victim>server formmail.pl exploit in the wild Andrew Daviel (Apr 14)
- Re: <victim>server formmail.pl exploit in the wild Kee Hinckley (Apr 15)
- Re: <victim>server formmail.pl exploit in the wild Andrew Daviel (Apr 15)
- Re: <victim>server formmail.pl exploit in the wild Kee Hinckley (Apr 15)
- Re: <victim>server formmail.pl exploit in the wild Kee Hinckley (Apr 15)
- Re: <victim>server formmail.pl exploit in the wild Noel Rosenberg (Apr 12)