[19611] in bugtraq


Re: CORRECTION to CODE: FormMail.pl can be used to send anonymous

daemon@ATHENA.MIT.EDU (Steffen Dettmer)
Mon Mar 12 14:00:10 2001

Mail-Followup-To: Steffen Dettmer <steffen@dett.de>, BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Message-ID:  <20010312111318.G2977@dx.net.de>
Date:         Mon, 12 Mar 2001 11:13:18 +0100
Reply-To: Steffen Dettmer <steffen@dett.de>
From: Steffen Dettmer <steffen@dett.de>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <5.0.2.1.0.20010312143459.02df1ad0@202.139.144.9>; from
              jsing@ORIGIN.NET.AU on Mon, Mar 12, 2001 at 03:05:59PM +1100
Content-Transfer-Encoding: 8bit

* Joel Sing wrote on Mon, Mar 12, 2001 at 15:05 +1100:
> In any case it wouldn't be difficult to send a fake referer as
> it's only a HTTP request header and the server is only
> believing what the client is telling it. Write a simple Perl
> script that sends a manipulated GET request with a fake referer
> header and you have yourself a nice spam mailer... :(

Yes, and because of that this is not a fix. It's stupid to rely
on data from an untrusted client. The e-mail destination address
should not be taken from the client but configured locally only (or
maybe signed). I often see such "solutions"; it's a generic
problem. Some CGI scripts send unsecured data they will need
later in a form (as HIDDEN fields or so), and _rely_ on that
data.

A simple solution could be: concatenate all security-relevant fields in
the CGI script, add a secret phrase, and hash it (with MD5 or
so). Transfer that hash as a HIDDEN field too. If the CGI gets a
request with filled fields, after concatenation and appending of the
secret it hashes the HIDDEN fields (normally they cannot get
modified), and compares the hash with the value from the hidden
field. I don't know how secure that is, but I think it's not
trivial to break.

oki,

Steffen

-- 
This message was generated by machine,
so it bears neither signature nor seal.
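The hidden-field integrity scheme sketched in the post above, as an added example that is not part of the original message or of FormMail.pl. It swaps the post's "MD5 over concatenated fields plus secret" for HMAC-SHA256 over a length-prefixed encoding (so neighbouring field values cannot be re-split to collide) and compares the tag in constant time; the secret, field names and form values are constructed for illustration.

```python
import hashlib
import hmac
from html import escape

# Constructed example secret: a real deployment would load this from a file
# outside the document root, never from the request itself.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"

# Fields the script itself fills in when it renders the form; the client must
# not be able to change them without the server noticing.
PROTECTED_FIELDS = ("recipient", "subject", "redirect")


def canonical_bytes(fields, names=PROTECTED_FIELDS):
    """Serialise the protected fields unambiguously before hashing.

    Plain concatenation would let ('ab', 'c') and ('a', 'bc') hash to the
    same value; length-prefixing each value removes that ambiguity.
    """
    parts = []
    for name in names:
        value = str(fields.get(name, "")).encode("utf-8")
        parts.append(b"%s=%d:%s" % (name.encode("utf-8"), len(value), value))
    return b"\n".join(parts)


def sign_fields(fields, secret=SERVER_SECRET):
    """Keyed hash (HMAC-SHA256) over the protected fields, hex encoded."""
    return hmac.new(secret, canonical_bytes(fields), hashlib.sha256).hexdigest()


def render_hidden_inputs(fields, secret=SERVER_SECRET):
    """Emit the protected fields plus their tag as HIDDEN inputs."""
    lines = [
        '<input type="hidden" name="%s" value="%s">'
        % (name, escape(str(fields.get(name, "")), quote=True))
        for name in PROTECTED_FIELDS
    ]
    lines.append('<input type="hidden" name="sig" value="%s">' % sign_fields(fields, secret))
    return "\n".join(lines)


def verify_submission(form, secret=SERVER_SECRET):
    """True only if the submitted protected fields carry a valid tag.

    A missing tag, a stripped tag, or any change to a protected field makes
    the recomputed HMAC differ, so the script can refuse to send mail.
    """
    tag = str(form.get("sig", ""))
    expected = sign_fields(form, secret)
    # Constant-time comparison so the check does not leak the tag byte by byte.
    return hmac.compare_digest(tag, expected)


if __name__ == "__main__":
    # What the CGI script put into the form when it rendered it.
    rendered = {"recipient": "webmaster@example.com",
                "subject": "Feedback",
                "redirect": "/thanks.html"}
    print(render_hidden_inputs(rendered))

    # A submission that left the hidden fields alone passes.
    honest = dict(rendered, sig=sign_fields(rendered), message="hello")
    print("honest submission:", verify_submission(honest))

    # A submission with a rewritten recipient is rejected.
    tampered = dict(honest, recipient="victim@example.net")
    print("changed recipient:", verify_submission(tampered))
```

Only the fields listed in PROTECTED_FIELDS are covered by the tag, so the user-typed message body can change freely while the recipient, subject and redirect target cannot; anything the script must trust later belongs in that tuple.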
