Bugtraq mailing list archives

Re: CORRECTION to CODE: FormMail.pl can be used to send anonymous email


From: Peter W <peterw () USA NET>
Date: Mon, 12 Mar 2001 05:23:17 -0500

On Sun, Mar 11, 2001 at 10:36:32PM +0100, Palmans Pepijn wrote:

The problem is in the sub check_url:
It sets $check_referer = 1 if there is no $ENV{'HTTP_REFERER'}
Under normal conditions your server will always be able to get the HTTP_REFERER.

Not true. Many firewalls block Referer headers, so requiring this
information will frustrate legitimate users, while not stopping abusers.

A simple solution is: change the 1 into a 0 after the else {

That's hardly a solution. The "Referer" information is client-supplied
data; any intelligent spammer will cobble together code that connects
to the httpd and feeds it whatever data it wants.

Basing security decisions on client-provided data like the Referer
HTTP header is Just Plain Bad Design. But the Referer check isn't
the real problem here: trusting the rest of the user-supplied data is.

If you want something like this to be "secure", you need a way to
verify the client-supplied data (in this case, things like the email
recipient that should be embedded in the page with the <form>).
A few common techniques are:

 - Embed a checksum as a hidden field and ensure that all "important"
   fields check out. One problem with this is that the Web page authors
   need to be able to calculate checksums (preferably without knowing
   the algorithm), and have to update the checksum if any hidden form
   element changes: a real pain.

 - Put the settings in a separate file or repository (not hidden form
   fields) where the backend sees the data but the client does not,
   and cannot override the proper settings at all. I've used this
   approach for systems that are configured by more "technical" staff.
   This approach also saves bandwidth.

 - Have the back-end request the URL the client claims the form
   is on (assuming it looks like something the back-end should honor),
   parse the hidden fields, and override anything the client may
   have submitted. This is my favorite approach, as it's easy on the
   Web page authors, and involves no special tricks. This can even
   work for authenticated forms iff using cookie-based auth and the
   back-end has a URL that will receive the auth cookie(s).

Any of these approaches would at least prevent the spammer from
reaching anything other than the officially sanctioned address, though
they can email that as often as they like...

...as for the observation that the resulting email will only show
the IP address of the Web server; yes, true. That's why all my Web -> mail
apps add "X-" mail headers with debugging information (scrubbed of
any unexpected data!) to facilitate debugging. See RFC 822. E.G.,

X-Sender-Network-Address: 10.2.3.4
X-Mail-Origin: http://www.example.com/ webmail system
X-Disclaimer: This is not an official example.com mail message.
X-Apparent-Source-Page: http://www.example.com/mailform.html

This is just Secure Programming 101 + Web Programming 101. It's a
shame, but it certainly seems that a lot of these freebie Web scripts
are really quite awful when it comes to security.

Bugtraq could be flooded with noise if it started to accept posts
on stupid Web programming mistakes in freebie software; please, let's
not go down that road!

-Peter

---snip---
# Minimal scaffolding so the snippet runs on its own; FormMail.pl sets these
# in its configuration section and defines a fuller error() that prints an
# HTML error page. The stand-in below just dies with the error name.
my @referers      = ('example.com');
my $check_referer = 0;
sub error { die "FormMail error: $_[0]\n" }

sub check_url {

    if ($ENV{'HTTP_REFERER'}) {
        foreach $referer (@referers) {
            if ($ENV{'HTTP_REFERER'} =~ m|https?://([^/]*)$referer|i) {
                $check_referer = 1;
                last;
            }
        }
    }
    else {
        $check_referer = 1;   # <=== YEAH, THIS ONE ! :)  (no Referer at all passes)
    }


    # If the HTTP_REFERER was invalid, send back an error.                   #
    if ($check_referer != 1) { &error('bad_referer') }
}

&check_url;
---snip---

On the other hand, there must be a reason why they've put that else in, so if it fails to work for you ....

On Sat, 10 Mar 2001, Michael Rawls wrote:

Hi All,
   I did a little playing with FormMail.pl after a run in with a spammer
abusing our webserver. Apparently ALL FormMail.pl cgi-bin scripts can be
used to spam anonymously.  I found another server with FormMail.pl and
tried the same exploit to send myself an email and it worked.

The email will not show the spammer's real IP.  Only the web server's IP
will show.  The web server logs will however show the true IP address of
the spammer.
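As an added example, not code from FormMail.pl or from anyone in this thread, the Python below ports check_url() with the bug intact, then implements two of the points Peter makes: the "checksum as a hidden field" option, done as an HMAC over the fields a spammer would want to change (the signature is computed by a server-side tool the page author runs, so the page carries the signature but never the key), and the scrubbed "X-" debugging headers. The referer list, the key, the set of protected fields and the sample requests are all constructed for the example; only the header names and the example.com hosts come from the post.

```python
"""Added example, not code from FormMail.pl or from anyone in this thread.

Three parts: a port of check_url() with the bug intact, the "checksum as a
hidden field" fix done as an HMAC, and the scrubbed X- debugging headers.
"""
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlencode

# Constructed configuration: the equivalent of FormMail.pl's @referers list.
REFERERS = ["example.com"]


def check_url(environ: dict) -> bool:
    """Port of FormMail.pl's check_url(). True means the request is honoured.

    Bug kept on purpose: no Referer header at all takes the 'else' branch and
    passes. A present Referer is client-supplied too, so a spammer who sends
    'http://example.com/' by hand passes as well.
    """
    referer = environ.get("HTTP_REFERER")
    if not referer:
        return True
    # FormMail interpolates the unescaped host string; re.escape() only makes
    # the '.' literal and does not change the point being made.
    return any(
        re.search(r"https?://[^/]*" + re.escape(host), referer, re.I) is not None
        for host in REFERERS
    )


# Fields a spammer would want to override; an assumed subset, FormMail has more.
PROTECTED = ("recipient", "subject", "redirect")


def sign_fields(fields: dict, key: bytes) -> str:
    """Value for the hidden 'sig' field. Computed server-side by whatever tool
    the page author uses, so the page contains the signature but never the key.

    Fixed field order plus URL-escaping give a canonical string, so that
    recipient='a@x&subject=b' cannot be confused with two separate fields.
    """
    canonical = urlencode([(name, fields.get(name, "")) for name in PROTECTED])
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def verify_submission(form: dict, key: bytes) -> bool:
    """Backend check: recompute the HMAC over the submitted protected fields and
    compare in constant time. Changing any protected value invalidates 'sig'."""
    return hmac.compare_digest(form.get("sig", ""), sign_fields(form, key))


# Anything outside printable ASCII; CR and LF would start a new mail header.
_UNSAFE = re.compile(r"[^\x20-\x7e]")


def scrub(value: str, limit: int = 200) -> str:
    """Remove control characters and cap the length before the value goes
    into a mail header."""
    return _UNSAFE.sub("", value)[:limit]


def debug_headers(environ: dict) -> dict:
    """The X- headers from the post, built only from scrubbed request data."""
    return {
        "X-Sender-Network-Address": scrub(environ.get("REMOTE_ADDR", "unknown")),
        "X-Apparent-Source-Page": scrub(environ.get("HTTP_REFERER", "none")),
        "X-Mail-Origin": "http://www.example.com/ webmail system",
    }


if __name__ == "__main__":
    # Constructed requests standing in for CGI environments.
    print("no Referer:      ", check_url({}))                                       # True
    print("forged Referer:  ", check_url({"HTTP_REFERER": "http://example.com/"}))  # True

    key = secrets.token_bytes(32)  # lives in the backend's config, never in the page
    form = {"recipient": "webmaster@example.com", "subject": "Contact", "redirect": ""}
    form["sig"] = sign_fields(form, key)  # what the page author embeds
    print("genuine form:    ", verify_submission(form, key))                         # True
    spam = dict(form, recipient="victim@example.net")
    print("edited recipient:", verify_submission(spam, key))                         # False

    # Header-injection attempt in a value that ends up in the mail headers.
    print(debug_headers({"REMOTE_ADDR": "10.2.3.4\r\nBcc: victim@example.net"}))
```

The signature only stops the spammer from changing where the mail goes or what it says, exactly as the post notes: it does nothing about volume, so rate limiting per source address still belongs in front of it. The scrub is the piece most often forgotten when the X- headers are added: a client value containing CR/LF otherwise becomes an extra header of the attacker's choosing.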
