[NEWS] "Spammers Delights" (Mailto.exe)

From: support@securiteam.com
Date: 12/14/01


From: support@securiteam.com
To: list@securiteam.com
Date: Fri, 14 Dec 2001 15:56:42 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  "Spammers Delights" (Mailto.exe)
------------------------------------------------------------------------

SUMMARY

Forget about open relays. There is an extremely simple mailto form
application called mailto.exe available on the internet: simply create
your HTML form, upload mailto.exe into your cgi-bin, and fire away.
The problem is that many site administrators do not lock down
mailto.exe, allowing anyone with basic HTML knowledge and some tweaking to
use the CGI as a spam relay.

DETAILS

For example:
<FORM ACTION="http://WWW.EXAMPLE.COM/CGI-BIN/MAILTO.EXE" METHOD="POST">
<INPUT TYPE="hidden" NAME="sendto" VALUE="target@spammed-address">
<INPUT TYPE="hidden" NAME="email" VALUE="src@spammer-address">
<INPUT TYPE="hidden" NAME="server" VALUE="smtp.example.com">
<INPUT TYPE="hidden" NAME="subject" VALUE="SPAM MONGER">
<INPUT TYPE="hidden" NAME="resulturl" VALUE="http://www.example.com">

Name: <INPUT NAME="uname" SIZE="30">
Position: <INPUT NAME="title" SIZE="30">
Company: <INPUT NAME="company" SIZE="30">
E-Mail: <INPUT NAME="email" SIZE="30">
Comments: <TEXTAREA NAME="comments" ROWS="10" COLS="50"></TEXTAREA>

Press <INPUT TYPE="submit" VALUE="Submit">
</FORM>

This can be entered in any HTML editor or viewer, and emails can then be
fired away. Because the CGI is located on the provider's site (within
their domain), their SMTP servers accept the mail, and all IP addresses
involved are theirs. In other words, unlike an open relay, which can
reveal the originating IP address, this reveals none of that.

A trivial search with our favourite engine reveals two providers'
installation instructions, complete with all their working server
details, which function exactly as described. No doubt deeper searching
will yield many more.

Notes:
There does not seem to be a single solution, other than to release this
advisory and urge all providers, hosting services and others to be aware
of the issue and to remove mailto.exe, restrict access to the CGI, or at
the very least not publish their working server details.
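The access-limiting advice above, worked out as an added example that is not part of the advisory or of mailto.exe itself: a server-side check a form-mail handler can apply so that the recipient, the SMTP server and the submitting host are no longer chosen by whoever writes the form. The field names come from the mailto.exe form shown above; the policy, its sample values and the two sample submissions are constructed for this example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Field names (sendto, email, server, subject) are those of the mailto.exe
# form in the advisory; the policy below is an added example, not mailto.exe.
@dataclass(frozen=True)
class FormMailPolicy:
    allowed_recipients: frozenset  # server-side list; "sendto" must be in it
    own_hosts: frozenset           # hosts the form may be submitted from
    smtp_server: str               # fixed at deployment, never a form field

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def check_formmail(fields, referer, policy):
    """Return (accepted, reason) for one POSTed form, given as a dict."""
    sendto = fields.get("sendto", "").strip().lower()
    if sendto not in policy.allowed_recipients:
        return False, "sendto not in server-side recipient list"
    if "server" in fields:  # the SMTP host is ours to choose, not the client's
        return False, "client supplied SMTP server"
    for name in ("email", "subject"):  # values that end up in mail headers
        if re.search(r"[\r\n]", fields.get(name, "")):
            return False, f"line break in header field {name}"
    if not EMAIL_RE.match(fields.get("email", "").strip()):
        return False, "malformed sender address"
    host = urlparse(referer or "").hostname
    if host is None or host.lower() not in policy.own_hosts:
        return False, "form not submitted from an allowed host"
    return True, "ok"

# Constructed sample data for the example (not from any real deployment).
POLICY = FormMailPolicy(
    allowed_recipients=frozenset({"sales@example.com"}),
    own_hosts=frozenset({"www.example.com"}),
    smtp_server="smtp.example.com",
)
SPAM_FORM = {  # the hidden fields of the form in the advisory
    "sendto": "target@spammed-address",
    "email": "src@spammer-address",
    "server": "smtp.example.com",
    "subject": "SPAM MONGER",
}
LEGIT_FORM = {"sendto": "sales@example.com", "email": "alice@example.org",
              "subject": "Quote request", "comments": "Please call me."}

if __name__ == "__main__":
    print(check_formmail(SPAM_FORM, "http://attacker.invalid/", POLICY))
    print(check_formmail(LEGIT_FORM, "http://www.example.com/contact.html", POLICY))
```

The Referer check only stops casual abuse, since that header is sent by the client; the server-side recipient list and the fixed SMTP server are the controls that actually remove the relay.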

ADDITIONAL INFORMATION

The information has been provided by Anonymous.
