BizMail 2.1 Spam Exploit

From: Jason Frisvold (xenophage0_at_gmail.com)
Date: 02/18/05

  • Next message: Martin Schulze: "[SECURITY] [DSA 687-1] New bidwatcher packages fix format string vulnerability"
    Date: Fri, 18 Feb 2005 08:48:11 -0500
    To: bugtraq@securityfocus.com
    
    

    Greetings all,

    Over the course of the last few months I've been the victim of
    repeated abuses of a web-based form commonly used for customer
    requests. This form can be downloaded here :
    http://www.bizmailform.com

    This form allowed a hacker to directly call the cgi, forge a referer
    url, and, with carefully crafted data, send spam emails without
    notifying the admin of the site. Below is the email I sent to the
    author of Bizmail. He was intially skeptical, but worked with me and
    has released a new version, 2.2, which fixes this exploit.

    This is my first bugtraq posting, so if anyone has any suggestions on
    how to improve future reports, please feel free to email me off-list.
    Thanks!

    ----
    After setting up additional logging and notifications, I was finally
    able to determine how this exploit works.
    Through reading the code and some general experimentation I was able
    to determine that the only required argument for the script is the
    email argument.  A simple multi-line message, beginning with a
    newline, can be used to re-write the email headers and send spam to
    any destination, regardless of the hard-coded send_to addresses.
    Because none of the other optional variables are set, no response
    messages are sent.  The only hint that someone has abused the script
    is information entered into the datafile, if the datafile is enabled.
    I had enabled the okurls feature as well.  This feature ensures that
    the referer url matches a list of allowed referer urls. 
    Unfortunately, the referer is not something that can be trusted, as
    this is sent by the browser.  So, this is very easily fooled.  In
    fact, the individual(s) that were abusing the script on our system
    reported a User-Agent of "Microsoft URL Control - 6.00.8169", which
    appears to be some sort of COM/OLE control which can be programmed to
    send a specific referer address.
    Without the need for programming your own COM/OLE control, there is a
    simple way to test this out.  Place the following into an HTML file :
    <HTML>
    <HEAD> <TITLE>Exploit Test Page</TITLE> </HEAD>
    <BODY>
    <form action="http://www.example.com/cgi-bin/bizmail/bizmail.cgi"
    method="POST" name="Subscribe">
    <TEXTAREA rows="5" name="email"></TEXTAREA>
    <INPUT TYPE="submit" VALUE="Submit" class="submit">
    </FORM> </BODY> </HTML>
    In the textbox that pops up, enter in the following (begin by hitting
    enter to insert a blank line)
    From:joeblow@example.com
    To:yourvalidemail@yourdomain.com
    Subject:Exploit Test
     
    This is a test
    Click submit.  You'll receive an email from the bizmail script, but
    you won't receive the normal contact email.  You can check the .dat
    file and see a copy of what you sent.
    I believe there's a simple fix for this.  The variable,
    $formdata{'email'}, should be checked for invalid characters, such as
    carriage returns and line feeds.  In addition, neither the smtp nor
    sendmail module should be called if the $MAIN_mail_send variable is
    not set.  A subject should probably be required as well.
    As per the suggested guidelines of the securityfocus bugtraq list, I
    would like to hear back from you within one week.  In the interest of
    security, I will be posting details of this exploit to the bugtraq
    list after one week if I have not heard back from you.
    -- 
    Jason 'XenoPhage' Frisvold
    XenoPhage0@gmail.com
    

  • Next message: Martin Schulze: "[SECURITY] [DSA 687-1] New bidwatcher packages fix format string vulnerability"

    Relevant Pages

    • Re: BizMail 2.1 Spam Exploit
      ... The spammer can still exploit the cgi and send spam, ... The only hint that someone has abused the script ... > the referer url matches a list of allowed referer urls. ...
      (Bugtraq)
    • [eVuln] E-Blah Platinum Referer XSS Vulnerability
      ... E-Blah Platinum 'Referer' XSS Vulnerability ... This can be used to post HTTP query with fake Referer value which may contain arbitrary html or script code. ...
      (Bugtraq)
    • Re: want no response from server
      ... > page (the script does some background task on the server). ... > redirect to the referer, but that causes a scroll to top, which is ... I do not have your answer, but if the referer page is also dynamic, ...
      (comp.lang.perl.misc)
    • Re: Weird error after a configuration change
      ... I was laughing so hard I actually got it totally wrong. ... I now see there _was_ apparently a referer and the error was ... complaining about $action. ... So what was the URL you used to access the script? ...
      (comp.lang.perl.misc)
    • Re: we need get the actual REFERER url
      ... >but we are seeking to get referer url ... You can use an ASP script with a Request.ServerVariables. ... Jeff ...
      (microsoft.public.inetserver.iis)