[19596] in bugtraq
Re: CORRECTION to CODE: FormMail.pl can be used to send anonymous
daemon@ATHENA.MIT.EDU (Palmans Pepijn)
Mon Mar 12 04:10:17 2001
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.4.10.10103112231430.25640-100000@dhcp-195-130-155-142.kabel.pandora.be>
Date: Sun, 11 Mar 2001 22:36:32 +0100
Reply-To: Palmans Pepijn <pepijn@KANGAROOT.NET>
From: Palmans Pepijn <pepijn@KANGAROOT.NET>
X-To: Michael Rawls <bugtraq@SHADOWSTORM.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <4.0.2.20010310174119.00993390@mail.shadowstorm.com>
The problem is in the sub check_url:
It sets $check_referer = 1 if there is no $ENV{'HTTP_REFERER'}.
Under normal conditions your server will always be able to get the HTTP_REFERER.
The simple solution is: change the 1 into a 0 after the else {
---snip---
sub check_url {
    # Localize the check_referer flag which determines if user is valid. #
    local($check_referer) = 0;

    # If a referring URL was specified, for each valid referer, make sure #
    # that a valid referring URL was passed to FormMail.                  #
    if ($ENV{'HTTP_REFERER'}) {
        foreach $referer (@referers) {
            if ($ENV{'HTTP_REFERER'} =~ m|https?://([^/]*)$referer|i) {
                $check_referer = 1;
                last;
            }
        }
    }
    else {
        $check_referer = 1;   # <=== YEAH, THIS ONE ! :)
    }

    # If the HTTP_REFERER was invalid, send back an error. #
    if ($check_referer != 1) { &error('bad_referer') }
}
---snip---
On the other hand, there must be a reason why they've put that else in it so if it fails to work for you ....
Regards,
Pepijn Palmans
www.kangaroot.net ..... your online linux store.
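The change described above, as an added stand-alone Perl script that is not part of FormMail.pl or of either post: check_url takes the Referer value as an argument instead of reading %ENV, returns the flag instead of calling &error, and its else branch now sets 0, so a request with no Referer header is rejected. The allow-list and the sample Referer values are constructed and example.com is a placeholder; going beyond the page's one-character fix, the host part of the match is anchored so an allowed name only matches as the whole host or as a parent domain of it, which is my own tightening.

```perl
#!/usr/bin/perl -w
use strict;

# Constructed allow-list, standing in for the @referers array that the
# FormMail.pl administrator edits. example.com is a placeholder domain.
my @referers = ('example.com');

# Hardened check_url: returns 1 if $http_referer names an allowed host,
# 0 otherwise. A missing header now fails (the '1' in the original else
# branch became '0'). The host is anchored so the allowed name must be the
# whole host or a parent domain of it (added tightening, not on the page).
sub check_url {
    my ($http_referer) = @_;
    my $check_referer = 0;

    if (defined $http_referer && length $http_referer) {
        foreach my $referer (@referers) {
            if ($http_referer =~ m|^https?://(?:[^/]*\.)?\Q$referer\E(?::\d+)?(?:/|$)|i) {
                $check_referer = 1;
                last;
            }
        }
    }
    else {
        $check_referer = 0;   # was 1: an absent Referer used to be trusted
    }
    return $check_referer;
}

# Constructed sample Referer values: the first two look like a post from a
# form hosted on the allowed site; the rest are what a URL typed into the
# browser address bar, a script, or a lookalike host would send.
my @samples = (
    'http://www.example.com/contact.html',
    'https://example.com/feedback?x=1',
    '',                                          # no Referer header at all
    'http://attacker.example.net/example.com/',  # allowed name only in path
    'http://example.com.evil.test/',             # allowed name as a prefix
);

foreach my $r (@samples) {
    printf "%-45s => %s\n", ($r eq '' ? '(none)' : $r),
        check_url($r) ? 'accepted' : 'rejected (bad_referer)';
}
```

Only the first two samples are accepted; the Referer header is set by the client, so this remains a weak control, but the point of the change is that an absent header no longer passes.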
On Sat, 10 Mar 2001, Michael Rawls wrote:
> Hi All,
> I did a little playing with FormMail.pl after a run-in with a spammer
> abusing our webserver. Apparently ALL FormMail.pl cgi-bin scripts can be
> used to spam anonymously. I found another server with FormMail.pl and
> tried the same exploit to send myself an email and it worked.
>
> The email will not show the spammer's real IP. Only the web server's IP
> will show. The web server logs will however show the true IP address of
> the spammer.
>
>
> ===========
> Actual example of email sent;
> ============
> Return-Path: <apache@hum.auc.dk>
> Received: from hercules.humfak.auc.dk (hercules.humfak.auc.dk [130.225.58.9])
> by mail.dancris.com (8.9.3/8.9.3) with ESMTP id RAA14431
> for <spam-l@shadowstorm.com>; Sat, 10 Mar 2001 17:19:34 -0700
> Received: from apache by hercules.humfak.auc.dk with local (Exim 3.02 #8)
> id 14bta3-0004tP-00
> for spam-l@shadowstorm.com; Sun, 11 Mar 2001 01:19:27 +0100
> To: spam-l@shadowstorm.com
> From: ()
> Subject: WWW Form Submission
> Message-Id: <E14bta3-0004tP-00@hercules.humfak.auc.dk>
> Date: Sun, 11 Mar 2001 01:19:27 +0100
> X-UIDL: TPj"!bg3"!i:T!!=FU"!
>
> Below is the result of your feedback form. It was submitted by
> () on Sunday, March 11, 2001 at 01:19:27
> ---------------------------------------------------------------------------
>
> message: Proof that FormMail.pl can be used to send anonymous spam.
>
> ---------------------------------------------------------------------------
>
>
> Paste the line below into your web browser URL box as one long single
> line, insert your email address in place of "email@address-to-spam.com",
> and press enter. Now go check your email.
>
> Begin URL code
> ================
> http://www.hum.auc.dk/cgi-bin/FormMail.pl?recipient=email@address-to-spam.co
> m&message=Proof%20that%20FormMail.pl%20can%20be%20used%20to%20send%20anonymo
> us%20spam.
> ================
>
> If this technique was not already in use by a spammer I would have kept it
> to myself, but it has already been used on my server by a spammer.
>
> The address "www.hum.auc.dk" can be replaced with the address of ANY
> webserver set up to use FormMail.pl.
>
> -M. Rawls
>