lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030715025440.GX10770@netsys.com>
From: len at netsys.com (Len Rose)
Subject: [anonymous: RE: Insecurity of Web-based Feedback Forms]

----- Forwarded message from "Anonymous"  -----

Subject: RE: Insecurity of Web-based Feedback Forms
To: <len@...sys.com>


Hi Len

Could you forward this anonymously to the FD list please? It's a very
very widespread problem and I don't want
my 'friends' to know who let the cat out of the bag ;)

(please! No names, addresses, initials, or tell-tale headers! Thanks!)

Cheers

[snip]

-----Original Message-----
From: Anonymous
Sent: Tuesday, July 15, 2003 10:01 AM
To: 'auscert@...cert.org.au'
Subject: RE: (AUSCERT AA-2003.02) AUSCERT Advisory - Insecurity of Web-based Feedback Forms


Hi

There are numerous 'Tellafriend' scripts available, and almost all of
them allow the user to specify both a sender and recipient email
address. Most of them even allow the user to specify the body of the
message. They can be used to send unsolicted bulk email with forged FROM
addresses. 

Almost every major site has some kind of 'tell a friend about this site'
facility. And almost every one of these facilities is vulnerable to spam
relay (either directly or via header injection with newline characters,
ala formmail.)

Examples:

http://www.ecomp.com.au/tellafriend.asp
http://www.sunshinetoyota.com.au/camry/tellafriend.asp
http://www.thecomputeroutlet.com.au/TellaFriend.asp
http://www.ski.com.au/arlberg/tellafriend.html
http://www.adrenalin.com.au/tellafriend.html
http://breezefm.com.au/tellafriend.html
http://www.givenow.org/tellafriend.asp
http://rollingstones.com/tellafriend.php
http://www.bingosites.net/main/tellafriend.asp
http://www.heartinfo.org/search/tellafriend.asp
http://www.tax.net/tellfriend.php
http://www.preventspam.net/tellafriend.htm   <- hahahah :)
http://security.ittoolbox.com/recommend/tellafriend.asp
http://www.atsic.gov.au/events/previous_events/Sports_Awards/sports2001/
send.asp?subtTellFriend=Tellafriend


All of these vulnerable sites were found in 5 minutes using Google
search for "allinurl: tellafriend".

Tellafriend.asp gets 35,800 hits on google. Tellfriend.asp gets 15,200.
Tellafriend.html gets 8,270.

As you can see this is a very widespread problem - its not just formmail
that is vulnerable to spam relay!

Regards,
anon.


-----Original Message-----
From: auscert@...cert.org.au [mailto:auscert@...cert.org.au] 
Sent: Monday, July 14, 2003 5:20 PM
To: auscert-subscriber@...cert.org.au
Subject: (AUSCERT AA-2003.02) AUSCERT Advisory - Insecurity of Web-based
Feedback Forms


-----BEGIN PGP SIGNED MESSAGE-----

========================================================================
===
AA-2003.02                     AUSCERT Advisory

                  Insecurity of Web-based Feedback Forms
                               14 July 2003
Last Revised: --

-
------------------------------------------------------------------------
---

AusCERT has received information regarding potential vulnerabilities in
the implementation of some Web-based feedback forms.

This vulnerability may allow remote users to misuse these forms to send
Unsolicited Bulk Email (UBE).

This advisory will be updated as more information becomes available.

-
------------------------------------------------------------------------
---

1.  Description

    In order to obtain written feedback from their clients, many
    organisations implement web-based feedback forms. A common method
for
    doing this is to use the FORM HTML element and the POST method
option. 
    These forms often use email to send the results, with the
destination
    email address configured using a hidden INPUT field. The CGI code
which
    performs this function may be written "in house" or adapted from
    external sources (FormMail is a popular example).

    The following code snippet shows an example of the HTML tag used 
    (within the FORM tag) which may leave a web server open to abuse:

<FORM action="result-script" method="post">
...
<INPUT type=hidden name="recipient" value="feedback@...il.address.com">
...
</FORM>


2.  Impact

    Without adequate server-side validation, it is possible for remote
    clients to make a form submission with an arbitrary destination
email
    address. By allowing this, organisations inadvertently allow their
    servers to be used for sending UBE, via feedback forms. AusCERT has
    observed the exploitation of this weakness across the Internet.


3.  Workarounds/Mitigation

    Organisations who use feedback forms on their web sites should
review
    their code and test the form submission to ensure proper server-side
    validation. Server-side CGI scripts should validate the domain of
    this email address or alternatively, hard-code the email address.

    If the feedback form is developed externally, then the vendor web
site
    should be consulted for any updates or security information.

    Users of the popular FormMail CGI should upgrade to Version 1.91 or
    higher and make use of the "@recipients" array which allow
    specification of acceptable recipient email addresses or domains.

    There exists a related vulnerability in Allaire Forums which allows
    malicious users to impersonate other users using unverified hidden
    fields. See REFERENCES for more information.


REFERENCES: 

    http://www.stickysauce.com/tutorials/misc/spamproof.htm
    http://www.kb.cert.org/vuls/id/575619
    http://www.scriptarchive.com/formmail.html
    http://willmaster.com/master/feedback/

-
------------------------------------------------------------------------
---
AusCERT would like to acknowledge the assistance of Michael O'Brien,
Senior Security Consultant of LogicaCMG in producing this Advisory.
-
------------------------------------------------------------------------
---

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the
information described is the responsibility of each user or
organisation. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user
or organisation, and should be considered in accordance with your
organisation\'s site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or
attacked in 
any way, we encourage you to let us know by completing the secure
National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

AusCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au.

Internet Email: auscert@...cert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
                hours which are GMT+10:00 (AEST).  On call after hours
                for member emergencies only.

Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld  4072
AUSTRALIA


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBPxJY9yh9+71yA2DNAQE69AP/SNnhsgn00Y0fRw1fsnCJgeaVvrAHrvgw
Fho7HVqnVkti6QwZ8Lnd7K5fjkinrfgBNhRqIbJ175TTD8iYGV40eSBGFENFbojT
+TvqGOXu2FTrdSidrd3XCxx21UmAjKb+W5j1c+FyfThysAskrInkfdFG95YxCuk2
dB/k56jwO2s=
=s7Ud
-----END PGP SIGNATURE-----

Notice:
The information contained in this e-mail message and any attached files may
be confidential information, and may also be the subject of legal
professional privilege.  If you are not the intended recipient any use,
disclosure or copying of this e-mail is unauthorised.  If you have received
this e-mail in error, please notify the sender immediately by reply e-mail
and delete all copies of this transmission together with any attachments.


----- End forwarded message -----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ