Re: <victim>server formmail.pl exploit in the wild

From: Andrew Daviel (andrewat_private)
Date: Mon Apr 15 2002 - 13:02:47 PDT

  • Next message: Kee Hinckley: "Re: <victim>server formmail.pl exploit in the wild"

    On Sun, 14 Apr 2002, Kee Hinckley wrote:
    
    > >Or, more simply, your users could be told to set a particular hidden
    > >form value and the script set to require it. Clearly an abuser would be
    > >able to read the HTML and set the value, but it would block the vast
    > 
    > I fail to see how either of these would do anymore than give you a 
    > false sense of security.  You use these techniques.  A bunch of 
    > people install them, and then a month later spammers are using a 
    > formmail exploit that takes them into account by fetching the webbug, 
    > getting the cookie, and submitting the form.  (Or reading the script 
    > for the hidden value, and then using it.)  Sure, it takes a few more 
    > seconds for the exploit to run, but that hardly matters.
    
    True, security through obscurity is not real security. But we're not
    trying to block a determined person from sending one piece of mail, we're 
    trying to make it not worthwhile for automated abuse. Currently, many 
    formmail scripts are found by scanning for them, just by requesting 
    /cgi-bin/formmail.pl. As another correspondent pointed out, renaming 
    the thing to cgi-bin/formmailtoo.pl would thwart this.
    While the script is known, and in a known place, the form is not, and
    can have arbitrary structure, and be in an arbitrary place. To find these
    in an automated fashion would require a search engine able to search
    on HTML elements (rather than visible text). Then the hidden field
    would have to be found (different for each site). This is somewhat
    more complex than just trolling  for cgi-bin and would I think
    deter most spammers.
    
    If the script is equipped with a throttle, then excessive mail from one
    remote address (OK, problems with AOL proxy maybe) or to one recipient may 
    be blocked. But what I have seen appears to be an attempt to use multiple
    clients to send the same message, which may sidestep a throttle somewhat.
    
    I presume that real users of this script (as opposed to those who 
    can easily hardwire the recipient address because it only goes to one
    person) are running a system where users are trusted to write
    their own HTML, but not to write arbitrary CGI. So the administrators of 
    the web pages, who know what recipients are valid, are not able to
    change the script.
    The only other solution I can think of at the moment, would be to
    give the HTML authors a private directory that they can write to - either 
    outside the Web directory, or password-protected.
    The form script could then read the recipient list from a file 
    (directly, or over the net with a suitable client). 
    It would have to figure out the 
    filename from the referer, or from a hidden field.
    
    Of course, some web browsers are able to send a form via mail directly,
    but others won't or just pop a normal mail client. At least, that was true
    a few years ago.
    
    -- 
    Andrew Daviel, TRIUMF, Canada
    Tel. +1 (604) 222-7376
    securityat_private
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Mon Apr 15 2002 - 13:19:35 PDT