Problem about detecting "SMTP command injection", i.e. cr lf chars in web forms

["Maxime Ducharme" <mducharme () cybergeneration com>]

Hello guys,
        I am looking for a solution to detect attacks
to web forms which allows to send an email.

Example :
contactus.asp which contains these fields :

- From Name
- From email
- Subject
- text

We noticed that some programs used to send email does
not properly filter the 3 first fields for carriage-return and
line-feed chars, which allows someone to add SMTP commands
in these fileds and constuct a valid SMTP session which
this person can control.

We are currently working at filtering these fileds in the applications
code, but we host many sites we do not manage.

I am looking for a way to detect these attacks with snort, is
someone aware of a rule for this kind of attack, or may help me wrtiing one
?

Any other idea/suggestion is also welcome

Thanks in advance

Have a nice day
 
Maxime Ducharme



-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire was recently named the worldwide market leader in Web 
application security assessment tools by both Gartner and IDC. 
Download a free trial of AppScan today and see why more customers choose 
AppScan then any other solution. Try it today!
  
https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008VnB
--------------------------------------------------------------------------