RE: [cobalt-users] Fix for spammers and forms
- Subject: RE: [cobalt-users] Fix for spammers and forms
- From: "Sim Ayers" <sim@xxxxxxxxxxxx>
- Date: Thu Jul 19 08:22:09 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Charlie,
It's great being on the cobalt users list, it's like having an extra
set of eyes and ears.
Thanks for pointing out the exploit in Matt's FormMail.
With Matt's FormMail being one of the most-used Perl scripts on the Web,
there are plenty of sites that could be potential victims of the email
spammers.
I believe the script was written in 1996 or 1995, before email spammers/hackers
had DSL and could hit a couple thousand sites a day, looking for victims.
(Seems like we're attacked at least once a week, by someone trying to take
down or get into our server).
As a security precaution I've added the following 7 lines of code to all our
scripts to cut down on the potential security holes.
my $host    = "http://$ENV{'HTTP_HOST'}";
my $referer = $ENV{'HTTP_REFERER'} || '';   # empty string, not undef, when the header is absent
# \Q...\E keeps the dots in the host name literal instead of regex wildcards,
# and the host must be followed by "/" or the end of the string so it is
# matched as the whole host, not merely as the start of a longer one.
if($referer !~ m{^\Q$host\E(?:/|\z)}i or $ENV{'REQUEST_METHOD'} !~ /POST/){
    print "Content-type: text/html\n\n" unless $content_type_printed++;
    print "<p>Access denied for $referer. This form can only be submitted on $host";
    exit;
}
A lot of scripts use similar code, but the real security buster here is:
/^$host/
The referring page must be listed first..^
This prevents hackers from using:
http://hacker.com/www.victim.com/cgi-bin/got_you.cgi
The referring page must be from:
http://www.victim.com
This also stops form submissions or attacks using the GET method.
The script must use the POST method, or $ENV{'HTTP_REFERER'} will be
empty and access will still be denied.
Hope this helps keep at least one person from being hacked/attacked.
-Sim
(-victim: a live site being sacrificed to a hacker/spammer in the
performance of spamming)
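The check Sim describes above, as an added Python example (it is neither Sim's Perl nor Matt's FormMail code): the same rule, a Referer on our own http://HTTP_HOST and POST only, applied to constructed CGI environments, with the bare "host as a regex prefix" pattern set beside an escaped, boundary-anchored one. The Referer is supplied by the client, so, as Charlie notes, a check like this only raises the bar for mass automated abuse; it is not authentication. Host names, URLs and environments below are constructed.

```python
"""Referer/method gate for a CGI form handler, with the bare pattern for contrast.

Added example; not code from the cobalt-users thread or from Matt's FormMail.
Host names, referers and the CGI environments below are constructed.
"""
import re
from typing import Dict, Tuple


def naive_prefix_check(host_header: str, referer: str) -> bool:
    """The bare /^$host/i idea: the host goes into the pattern unescaped and
    nothing has to follow it.  Shown only to contrast with the gate below."""
    return re.match("^http://" + host_header, referer, re.IGNORECASE) is not None


def check_form_request(environ: Dict[str, str]) -> Tuple[bool, str]:
    """Return (allowed, reason) for a CGI-style environment dict.

    Same rule as the thread: the Referer must be a page on http://HTTP_HOST
    and the request must be a POST.  Two hardening details over the bare
    pattern: re.escape() keeps the dots in the host name literal, and the
    host must be followed by '/' or end-of-string, so a longer host name that
    merely starts with ours is not accepted as a prefix match.
    """
    host_header = environ.get("HTTP_HOST", "")
    if not host_header:
        return False, "no Host header"
    host = "http://" + host_header
    # .get() yields '' rather than an undefined value when the header is absent.
    referer = environ.get("HTTP_REFERER", "")
    method = environ.get("REQUEST_METHOD", "")

    if method != "POST":
        return False, "method %s is not POST" % (method or "<none>")
    pattern = re.compile("^" + re.escape(host) + "(?:/|$)", re.IGNORECASE)
    if not pattern.match(referer):
        return False, "referer %r is not a page on %s" % (referer, host)
    return True, "ok"


# Constructed cases: (label, CGI environment, expected decision)
CASES = [
    ("same-site POST",
     {"HTTP_HOST": "www.victim.com",
      "HTTP_REFERER": "http://www.victim.com/contact.html",
      "REQUEST_METHOD": "POST"}, True),
    ("host case differs",
     {"HTTP_HOST": "www.victim.com",
      "HTTP_REFERER": "HTTP://WWW.VICTIM.COM/contact.html",
      "REQUEST_METHOD": "POST"}, True),
    ("site name buried in the path (Sim's example)",
     {"HTTP_HOST": "www.victim.com",
      "HTTP_REFERER": "http://hacker.com/www.victim.com/cgi-bin/got_you.cgi",
      "REQUEST_METHOD": "POST"}, False),
    ("GET with no Referer at all",
     {"HTTP_HOST": "www.victim.com",
      "REQUEST_METHOD": "GET"}, False),
    ("same-site page but GET",
     {"HTTP_HOST": "www.victim.com",
      "HTTP_REFERER": "http://www.victim.com/contact.html",
      "REQUEST_METHOD": "GET"}, False),
    ("longer host name that merely starts with ours",
     {"HTTP_HOST": "www.victim.com",
      "HTTP_REFERER": "http://www.victim.com.hacker.com/form.html",
      "REQUEST_METHOD": "POST"}, False),
]


def run_cases() -> Dict[str, bool]:
    """Evaluate every constructed case; returns label -> decision."""
    return {label: check_form_request(env)[0] for label, env, _ in CASES}


if __name__ == "__main__":
    for label, env, expected in CASES:
        allowed, reason = check_form_request(env)
        flag = "" if allowed == expected else "  <-- unexpected"
        print("%-48s %-5s %s%s" % (label, allowed, reason, flag))
```

Run it directly to see each case with the reason the gate gives; the last case passes naive_prefix_check but is refused by check_form_request, which is the difference the boundary makes.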
-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of Charlie H.
Sent: Thursday, July 19, 2001 11:05 AM
To: Cobalt-Users
Subject: [cobalt-users] Fix for spammers and forms
I just wanted to let everyone know that if they are running Matt's FormMail
script, it is very easy for someone to use it for a spamming campaign.
We had this happen to a number of sites we host. The referrer check is very
easily bypassed, and I came across a patched version that appears to have
stopped this activity for now.
You can read about this hack and find the url for the fix at the bottom of
this page http://oliver.efri.hr/~crv/security/bugs/Others/fmail2.html .
Best Wishes,
Charlie
_______________________________________________
cobalt-users mailing list
cobalt-users@xxxxxxxxxxxxxxx
To Subscribe or Unsubscribe, please go to:
http://list.cobalt.com/mailman/listinfo/cobalt-users