Message-ID: <20030715025440.GX10770@netsys.com>
From: len at netsys.com (Len Rose)
Subject: [anonymous: RE: Insecurity of Web-based Feedback Forms]
----- Forwarded message from "Anonymous" -----
Subject: RE: Insecurity of Web-based Feedback Forms
To: <len@...sys.com>
Hi Len
Could you forward this anonymously to the FD list please? It's a very
very widespread problem and I don't want
my 'friends' to know who let the cat out of the bag ;)
(please! No names, addresses, initials, or tell-tale headers! Thanks!)
Cheers
[snip]
-----Original Message-----
From: Anonymous
Sent: Tuesday, July 15, 2003 10:01 AM
To: 'auscert@...cert.org.au'
Subject: RE: (AUSCERT AA-2003.02) AUSCERT Advisory - Insecurity of Web-based Feedback Forms
Hi
There are numerous 'Tellafriend' scripts available, and almost all of
them allow the user to specify both a sender and recipient email
address. Most of them even allow the user to specify the body of the
message. They can be used to send unsolicited bulk email with forged FROM
addresses.
Almost every major site has some kind of 'tell a friend about this site'
facility. And almost every one of these facilities is vulnerable to spam
relay (either directly or via header injection with newline characters,
ala formmail.)
Examples:
http://www.ecomp.com.au/tellafriend.asp
http://www.sunshinetoyota.com.au/camry/tellafriend.asp
http://www.thecomputeroutlet.com.au/TellaFriend.asp
http://www.ski.com.au/arlberg/tellafriend.html
http://www.adrenalin.com.au/tellafriend.html
http://breezefm.com.au/tellafriend.html
http://www.givenow.org/tellafriend.asp
http://rollingstones.com/tellafriend.php
http://www.bingosites.net/main/tellafriend.asp
http://www.heartinfo.org/search/tellafriend.asp
http://www.tax.net/tellfriend.php
http://www.preventspam.net/tellafriend.htm <- hahahah :)
http://security.ittoolbox.com/recommend/tellafriend.asp
http://www.atsic.gov.au/events/previous_events/Sports_Awards/sports2001/send.asp?subtTellFriend=Tellafriend
All of these vulnerable sites were found in 5 minutes using Google
search for "allinurl: tellafriend".
Tellafriend.asp gets 35,800 hits on Google. Tellfriend.asp gets 15,200.
Tellafriend.html gets 8,270.
As you can see this is a very widespread problem - it's not just formmail
that is vulnerable to spam relay!
Regards,
anon.
-----Original Message-----
From: auscert@...cert.org.au [mailto:auscert@...cert.org.au]
Sent: Monday, July 14, 2003 5:20 PM
To: auscert-subscriber@...cert.org.au
Subject: (AUSCERT AA-2003.02) AUSCERT Advisory - Insecurity of Web-based Feedback Forms
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AA-2003.02 AUSCERT Advisory
Insecurity of Web-based Feedback Forms
14 July 2003
Last Revised: --
---------------------------------------------------------------------------
AusCERT has received information regarding potential vulnerabilities in
the implementation of some Web-based feedback forms.
This vulnerability may allow remote users to misuse these forms to send
Unsolicited Bulk Email (UBE).
This advisory will be updated as more information becomes available.
---------------------------------------------------------------------------
1. Description
In order to obtain written feedback from their clients, many
organisations implement web-based feedback forms. A common method for
doing this is to use the FORM HTML element and the POST method option.
These forms often use email to send the results, with the destination
email address configured using a hidden INPUT field. The CGI code which
performs this function may be written "in house" or adapted from
external sources (FormMail is a popular example).
The following code snippet shows an example of the HTML tag used
(within the FORM tag) which may leave a web server open to abuse:
<FORM action="result-script" method="post">
...
<INPUT type=hidden name="recipient" value="feedback@...il.address.com">
...
</FORM>
2. Impact
Without adequate server-side validation, it is possible for remote
clients to make a form submission with an arbitrary destination email
address. By allowing this, organisations inadvertently allow their
servers to be used for sending UBE, via feedback forms. AusCERT has
observed the exploitation of this weakness across the Internet.
3. Workarounds/Mitigation
Organisations who use feedback forms on their web sites should review
their code and test the form submission to ensure proper server-side
validation. Server-side CGI scripts should validate the domain of
this email address or alternatively, hard-code the email address.
If the feedback form is developed externally, then the vendor web site
should be consulted for any updates or security information.
Users of the popular FormMail CGI should upgrade to Version 1.91 or
higher and make use of the "@recipients" array which allows
specification of acceptable recipient email addresses or domains.
There exists a related vulnerability in Allaire Forums which allows
malicious users to impersonate other users using unverified hidden
fields. See REFERENCES for more information.
REFERENCES:
http://www.stickysauce.com/tutorials/misc/spamproof.htm
http://www.kb.cert.org/vuls/id/575619
http://www.scriptarchive.com/formmail.html
http://willmaster.com/master/feedback/
---------------------------------------------------------------------------
AusCERT would like to acknowledge the assistance of Michael O'Brien,
Senior Security Consultant of LogicaCMG in producing this Advisory.
---------------------------------------------------------------------------
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the
information described is the responsibility of each user or
organisation. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user
or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or
attacked in any way, we encourage you to let us know by completing the
secure National IT Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
AusCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au.
Internet Email: auscert@...cert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBPxJY9yh9+71yA2DNAQE69AP/SNnhsgn00Y0fRw1fsnCJgeaVvrAHrvgw
Fho7HVqnVkti6QwZ8Lnd7K5fjkinrfgBNhRqIbJ175TTD8iYGV40eSBGFENFbojT
+TvqGOXu2FTrdSidrd3XCxx21UmAjKb+W5j1c+FyfThysAskrInkfdFG95YxCuk2
dB/k56jwO2s=
=s7Ud
-----END PGP SIGNATURE-----
Notice:
The information contained in this e-mail message and any attached files may
be confidential information, and may also be the subject of legal
professional privilege. If you are not the intended recipient any use,
disclosure or copying of this e-mail is unauthorised. If you have received
this e-mail in error, please notify the sender immediately by reply e-mail
and delete all copies of this transmission together with any attachments.
----- End forwarded message -----
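The two weaknesses discussed in this thread (a client-supplied recipient that the server mails to unchecked, and CR/LF header injection in sender/subject fields, "ala formmail") are both closed by the same server-side checks the advisory recommends: match the recipient against an allowlist of addresses or domains, and refuse header fields that contain newline characters. The following Python handler is an added example written for this archive page; it is not AusCERT's, FormMail's or any listed site's code, and the `ALLOWED_RECIPIENTS`, `ALLOWED_DOMAINS` and `webform@example.com` values are constructed placeholders for a site's own policy.

```python
"""Added example (not from the advisory or FormMail): server-side validation
for a mail-sending feedback / tell-a-friend form handler.

Checks performed before any mail is built:
  1. The client-supplied recipient is matched against an allowlist of
     addresses and domains (the advisory's "validate the domain ... or
     hard-code the email address").
  2. Fields that end up in mail headers (recipient, sender, subject) must
     not contain CR, LF or NUL, so extra headers cannot be injected.
The outgoing From header is fixed to the site's own address so the form
never emits a forged FROM; the visitor's address goes into Reply-To.
"""
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed site policy for this example: the only destinations a form
# submission may deliver to.
ALLOWED_RECIPIENTS = {"feedback@example.com"}
ALLOWED_DOMAINS = {"example.com"}
SITE_SENDER = "webform@example.com"  # assumed fixed From address

# A bare "local@domain.tld" address with no display name or angle brackets.
_BARE_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


def has_header_injection(value: str) -> bool:
    """True if a field destined for a mail header carries CR, LF or NUL."""
    return any(ch in value for ch in ("\r", "\n", "\x00"))


def recipient_allowed(addr: str) -> bool:
    """Accept only a plain address whose mailbox or domain is allowlisted."""
    name, parsed = parseaddr(addr)
    # parseaddr() is lenient; require the whole field to be the bare address
    # so "x@evil.example <feedback@example.com>" and address lists are refused.
    if name or parsed != addr.strip():
        return False
    if not _BARE_ADDR_RE.match(parsed):
        return False
    domain = parsed.rsplit("@", 1)[1].lower()
    return parsed.lower() in ALLOWED_RECIPIENTS or domain in ALLOWED_DOMAINS


def validate_submission(form: dict) -> tuple:
    """Return (ok, reason) for a decoded POST body given as a dict."""
    for field in ("recipient", "sender", "subject"):
        if has_header_injection(form.get(field, "")):
            return False, f"header injection in '{field}'"
    if not recipient_allowed(form.get("recipient", "")):
        return False, "recipient not in allowlist"
    return True, "ok"


def build_message(form: dict) -> EmailMessage:
    """Build the outgoing mail; raises ValueError if validation fails."""
    ok, reason = validate_submission(form)
    if not ok:
        raise ValueError(reason)
    msg = EmailMessage()
    msg["From"] = SITE_SENDER
    msg["To"] = form["recipient"].strip()
    msg["Reply-To"] = form.get("sender", "").strip()
    msg["Subject"] = form.get("subject", "Feedback")[:200]
    msg.set_content(form.get("body", ""))
    return msg


if __name__ == "__main__":
    # Constructed submissions: one legitimate, one relay attempt, one
    # header-injection attempt.
    samples = [
        {"recipient": "feedback@example.com", "sender": "visitor@b.org",
         "subject": "Site feedback", "body": "Nice site."},
        {"recipient": "victim@other.example", "sender": "visitor@b.org",
         "subject": "Buy now", "body": "..."},
        {"recipient": "feedback@example.com",
         "sender": "visitor@b.org\r\nBcc: victim@other.example",
         "subject": "x", "body": "..."},
    ]
    for s in samples:
        print(validate_submission(s))
```

Hard-coding the recipient entirely (dropping the hidden `recipient` field) is the simpler option when a form only ever needs one destination; the allowlist form above corresponds to FormMail's `@recipients` approach for sites with several.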