On Sun, 14 Apr 2002, Kee Hinckley wrote: > >Or, more simply, your users could be told to set a particular hidden > >form value and the script set to require it. Clearly an abuser would be > >able to read the HTML and set the value, but it would block the vast > > I fail to see how either of these would do anymore than give you a > false sense of security. You use these techniques. A bunch of > people install them, and then a month later spammers are using a > formmail exploit that takes them into account by fetching the webbug, > getting the cookie, and submitting the form. (Or reading the script > for the hidden value, and then using it.) Sure, it takes a few more > seconds for the exploit to run, but that hardly matters. True, security through obscurity is not real security. But we're not trying to block a determined person from sending one piece of mail, we're trying to make it not worthwhile for automated abuse. Currently, many formmail scripts are found by scanning for them, just by requesting /cgi-bin/formmail.pl. As another correspondent pointed out, renaming the thing to cgi-bin/formmailtoo.pl would thwart this. While the script is known, and in a known place, the form is not, and can have arbitrary structure, and be in an arbitrary place. To find these in an automated fashion would require a search engine able to search on HTML elements (rather than visible text). Then the hidden field would have to be found (different for each site). This is somewhat more complex than just trolling for cgi-bin and would I think deter most spammers. If the script is equipped with a throttle, then excessive mail from one remote address (OK, problems with AOL proxy maybe) or to one recipient may be blocked. But what I have seen appears to be an attempt to use multiple clients to send the same message, which may sidestep a throttle somewhat. I presume that real users of this script (as opposed to those who can easily hardwire the recipient address because it only goes to one person) are running a system where users are trusted to write their own HTML, but not to write arbitrary CGI. So the administrators of the web pages, who know what recipients are valid, are not able to change the script. The only other solution I can think of at the moment, would be to give the HTML authors a private directory that they can write to - either outside the Web directory, or password-protected. The form script could then read the recipient list from a file (directly, or over the net with a suitable client). It would have to figure out the filename from the referer, or from a hidden field. Of course, some web browsers are able to send a form via mail directly, but others won't or just pop a normal mail client. At least, that was true a few years ago. -- Andrew Daviel, TRIUMF, Canada Tel. +1 (604) 222-7376 securityat_private ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Apr 15 2002 - 13:19:35 PDT