| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon Sep 12 10:33:13 2005
From: kju-fd at fqdn.org (Michael Holzt)
Subject: Automated mass abuse of form mailers
Automated mass abuse of form mailers
2005/09/12, Michael Holzt, kju -at- fqdn.org
1. Summary
Lately webpage mail forms has become a target of spammers. The attacks
seems to be automated and try to exploit the use of untrusted input data
in a lot of these form mailers. The attacks inserts newlines into data
fields which are used unchecked in header lines of the mail generated.
These newlines allow the attacker to add own header lines and message
content.
2. Attack vector
Example of a vulnerable script (shortened) in PHP:
| $header = "From: " . $_POST["email"];
| mail("normal.target@...main", "subject",
| "This is the original content", $header);
This script can be exploited by using e.g. the following value in the
'email' field of the http post request (line break inserted only for
display purposes):
| fake.address@...main\nCc:victim@...main\n
| Subject: Buy Viagra now!\n\nText
As this content is inserted unchecked into the header, this will result
in a mail generated which looks like this:
| From: fake.address@...main
| Cc: victim@...main
| Subject: Buy Viagra now!
|
| Text
| Subject: subject
|
| This is the original content
The victim has managed to add his own Cc line (which will be the spam
target), a own subject and a own body. The original subject (and other
header lines) as well as the original content have been moved into
the body of the mail. Examples of real abuse witnessed have shown that
the attackers even try to create multipart messages to hide the original
content generated by the form mailer.
Also these attacks seems to be automated. For a test i renamed the name
of the form mailer skript. However the attacks continued without major
delay. In the log files of the web server i could see the abusers to
first fetch the html page containing the mail form. This page seems to
be parsed automatically, and the names of the form fields and the script
extracted. Between the fetch of the html page and the first abuse attempt
on the renamed script only 4 seconds elapsed.
The abusers also try to track sucessfull attempts. In a number of cases
a bcc to an aol email address (jrubin3546@....com) was inserted into
the message as well. Other internet users reported such abuse as well.
Google shows nearly 72.000 hits when searching for this mail address.
3. Recommendations
Never use untrusted input data without proper filtering. If special
characters like newlines are filtered from the input data, this type
of attack would no longer work.
The automated exploitation attempts will however likely not be affected
by this. If your form mailer does not have any type of sanity check on
the input data (might even not be possible depending on type of usage),
this will lead to lots of email generated to the "normal" recipient of
the form mails.
It is therefore advised to check the relevant data fields for newlines
inserted and deny sending the mail if any are found. For example the
vulnerable script shown above could be added by a check like this:
| if ( eregi("\n",$_POST["email"]) || eregi("\r",$_POST["email"]) )
| {
| header("HTTP/1.0 403 Forbidden");
| die("Spam attempt denied");
| }
Powered by blists - more mailing lists