Bugtraq mailing list archives
Re: CORRECTION to CODE: FormMail.pl can be used to send anonymous email
From: Peter W <peterw () USA NET>
Date: Mon, 12 Mar 2001 05:23:17 -0500
On Sun, Mar 11, 2001 at 10:36:32PM +0100, Palmans Pepijn wrote:
> The problem is in the sub check_url: it sets $check_referer = 1 if there is no $ENV{'HTTP_REFERER'}. Under normal conditions your server will always be able to get the HTTP_REFERER.
Not true. Many firewalls block Referer headers, so requiring this information will frustrate legitimate users, while not stopping abusers.
> A simple solution is: change the 1 into a 0 after the else {
That's hardly a solution. The "Referer" information is client-supplied data; any intelligent spammer will cobble together code that connects to the httpd and feeds it whatever data it wants. Basing security decisions on client-provided data like the Referer HTTP header is Just Plain Bad Design.

But the Referer check isn't the real problem here: trusting the rest of the user-supplied data is. If you want something like this to be "secure", you need a way to verify the client-supplied data (in this case, things like the email recipient that should be embedded in the page with the <form>). A few common techniques are:

- Embed a checksum as a hidden field and ensure that all "important" fields check out. One problem with this is that the Web page authors need to be able to calculate checksums (preferably without knowing the algorithm), and have to update the checksum if any hidden form element changes: a real pain.

- Put the settings in a separate file or repository (not hidden form fields) where the backend sees the data but the client does not, and cannot override the proper settings at all. I've used this approach for systems that are configured by more "technical" staff. This approach also saves bandwidth.

- Have the back-end request the URL the client claims the form is on (assuming it looks like something the back-end should honor), parse the hidden fields, and override anything the client may have submitted. This is my favorite approach, as it's easy on the Web page authors, and involves no special tricks. This can even work for authenticated forms iff using cookie-based auth and the back-end has a URL that will receive the auth cookie(s).

Any of these approaches would at least prevent the spammer from reaching anything other than the officially sanctioned address, though they can email that as often as they like...

...as for the observation that the resulting email will only show the IP address of the Web server; yes, true. That's why all my Web -> mail apps add "X-" mail headers with debugging information (scrubbed of any unexpected data!) to facilitate debugging. See RFC 822. E.g.,

    X-Sender-Network-Address: 10.2.3.4
    X-Mail-Origin: http://www.example.com/ webmail system
    X-Disclaimer: This is not an official example.com mail message.
    X-Apparent-Source-Page: http://www.example.com/mailform.html

This is just Secure Programming 101 + Web Programming 101. It's a shame, but it certainly seems that a lot of these freebie Web scripts are really quite awful when it comes to security. Bugtraq could be flooded with noise if it started to accept posts on stupid Web programming mistakes in freebie software; please, let's not go down that road!

-Peter
> ---snip---
> sub check_url {
>     if ($ENV{'HTTP_REFERER'}) {
>         foreach $referer (@referers) {
>             if ($ENV{'HTTP_REFERER'} =~ m|https?://([^/]*)$referer|i) {
>                 $check_referer = 1;
>                 last;
>             }
>         }
>     } else {
>         $check_referer = 1;    # <=== YEAH, THIS ONE ! :)
>     }
>
>     # If the HTTP_REFERER was invalid, send back an error.
>     if ($check_referer != 1) { &error('bad_referer') }
> }
> ---snip---
>
> On the other hand, there must be a reason why they've put that else in it, so if it fails to work for you ....
> On Sat, 10 Mar 2001, Michael Rawls wrote:
> > Hi All, I did a little playing with FormMail.pl after a run-in with a spammer abusing our webserver. Apparently ALL FormMail.pl cgi-bin scripts can be used to spam anonymously. I found another server with FormMail.pl and tried the same exploit to send myself an email and it worked. The email will not show the spammer's real IP. Only the web server's IP will show. The web server logs will however show the true IP address of the spammer.
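The page-fetching approach Peter recommends above, as an added example that is not part of the original post or of FormMail.pl: the back end re-reads the hidden fields from the page the client claims the form is on and lets those override whatever the client submitted, after first checking that the claimed URL is on a host it is willing to honour. The host allowlist, the PROTECTED field set, the function names and the form page are assumptions, and the HTTP fetch is replaced by a constructed HTML string so the example runs offline.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts whose form pages the back end will honour (assumed value).
ALLOWED_HOSTS = {"www.example.com"}
# Settings that must come from the trusted page, never from the client.
PROTECTED = {"recipient", "subject", "redirect"}

# Constructed stand-in for the HTML an HTTP GET of the form page would return.
TRUSTED_PAGE = """<html><body><form action="/cgi-bin/FormMail.pl" method="post">
<input type="hidden" name="recipient" value="webmaster@example.com">
<input type="hidden" name="subject" value="Contact form">
<input type="text" name="email"> <textarea name="comments"></textarea>
</form></body></html>"""

class HiddenFieldParser(HTMLParser):
    """Collects name/value pairs from <input type="hidden"> elements."""
    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None for bare attributes
        if tag == "input" and (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value") or ""

def fetch_page(url):
    """Stand-in for an HTTP GET: returns the page only for URLs on an allowed host."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_HOSTS:
        return None
    return TRUSTED_PAGE  # a real back end would fetch `url` here

def resolve_settings(claimed_url, submitted):
    """Merge client fields with the trusted page's hidden fields; the page wins.

    PROTECTED settings are taken only from the page, so a client value for
    "recipient" is discarded. Returns None if the claimed page is not honoured.
    """
    page = fetch_page(claimed_url)
    if page is None:
        return None
    parser = HiddenFieldParser()
    parser.feed(page)
    settings = {k: v for k, v in submitted.items() if k not in PROTECTED}
    settings.update(parser.hidden)  # hidden fields override whatever the client sent
    return settings
```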