Re: BizMail 2.1 Spam Exploit

From: Jason Frisvold (xenophage0_at_gmail.com)
Date: 03/01/05

    Date: Mon, 28 Feb 2005 22:14:51 -0500
    To: bugtraq@securityfocus.com
    
    

    On Fri, 18 Feb 2005 08:48:11 -0500, Jason Frisvold <xenophage0@gmail.com> wrote:
    > Greetings all,
    >
    > This form allowed a hacker to directly call the cgi, forge a referer
    > url, and, with carefully crafted data, send spam emails without
    > notifying the admin of the site. Below is the email I sent to the
    > author of Bizmail. He was initially skeptical, but worked with me and
    > has released a new version, 2.2, which fixes this exploit.

    After further study, the 2.2 release does not sufficiently fix the
    problem. The spammer can still exploit the cgi and send spam, but the
    email address set as the first sendto address is also sent a copy.

    A patch to fix this problem is below. I cannot guarantee this will
    work for every situation, but it seems to be doing the trick for me.

    --- bizmail.cgi 2005-02-17 20:10:26.000000000 -0500
    +++ bizmail.cgi 2005-02-27 13:47:29.000000000 -0500
    @@ -534,41 +534,28 @@
         @required_stealth = split(/,/,$formdata{'required_stealth'});

     for ($indexreq = 0; $indexreq < @required; $indexreq++) {
    -$myrequired = $required[$indexreq];
    -$myformreq = $formdata{"$myrequired"};
    + $myrequired = $required[$indexreq];
    + $myformreq = $formdata{"$myrequired"};

    + if (!$myformreq){

    - if (!$myformreq){
    -
    -if ($use_html_error eq "1") {
    - require 'required.cgi';
    - &REQ_format_error;
    -}else{
    - require 'error.cgi';
    - &format_error;
    -}
    -
    - } ## END missing REQUIRED ##
    - elsif ($myrequired eq "email"){
    - if (!$myformreq || $myformreq =~
    /(@.*@)|(\.\.)|(@\.)|(\.@)|(^\.)/ || $myformreq !~
    /^.+\@(\[?)[a-zA-Z0-9\-\.]+\.([a-zA-Z0-9]+)(\]?)$/){
    -
    - if ($use_html_error eq "1") {
    - require 'required.cgi';
    - &REQ_format_error;
    - }else{
    - require 'error.cgi';
    - &missing_email;
    - }
    + if ($use_html_error eq "1") {
    + require 'required.cgi';
    + &REQ_format_error;
    + }else{
    + require 'error.cgi';
    + &format_error;
           }
    - } ## END IF REQUIRED IS EMAIL ##
    -
    -

    + }

    +} # End required loop

    +if ($formdata{'email'} && ($formdata{'email'} =~
    /(@.*@)|(\.\.)|(@\.)|(\.@)|(^\.)/ || $formdata{'email'} !~
    /^.+\@(\[?)[a-zA-Z0-9\-\.]+\.([a-zA-Z0-9]+)(\]?)$/)) {
    + require 'error.cgi';
    + &missing_email;
     }

    -
     if ($formdata{'sendreply'} eq "1"){
           if (!$formdata{'email'} || $formdata{'email'} =~
    /(@.*@)|(\.\.)|(@\.)|(\.@)|(^\.)/ || $formdata{'email'} !~
    /^.+\@(\[?)[a-zA-Z0-9\-\.]+\.([a-zA-Z0-9]+)(\]?)$/){

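Review bot: the check added in the `+if ($formdata{'email'} && (...))` block still lets a bare carriage return through, because the local part is matched by `^.+` and `.` matches `\r` in Perl; a value such as `x\rBcc: victim@example.com` passes both regexes (one `@`, no `..`, valid-looking domain), so a sending path that treats a lone CR as a line terminator can still be used to add recipients. `$` also matches before a single trailing `"\n"`, so `user@example.com\n` passes as well. Reject `[\r\n]` explicitly before the shape test and anchor the shape regex with `\z` instead of `$`. Two smaller points on the same block: it always calls `error.cgi`/`&missing_email`, dropping the `$use_html_error eq "1"` branch to `required.cgi`/`&REQ_format_error` that the removed code and the surrounding code honour; and the same pair of regexes now appears three times (here and again in the `sendreply` check that follows), so a single `&valid_email` sub would keep the copies from drifting apart the next time one of them is tightened.
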
    > ----
    >
    > After setting up additional logging and notifications, I was finally
    > able to determine how this exploit works.
    >
    > Through reading the code and some general experimentation I was able
    > to determine that the only required argument for the script is the
    > email argument. A simple multi-line message, beginning with a
    > newline, can be used to re-write the email headers and send spam to
    > any destination, regardless of the hard-coded send_to addresses.
    >
    > Because none of the other optional variables are set, no response
    > messages are sent. The only hint that someone has abused the script
    > is information entered into the datafile, if the datafile is enabled.
    >
    > I had enabled the okurls feature as well. This feature ensures that
    > the referer url matches a list of allowed referer urls.
    > Unfortunately, the referer is not something that can be trusted, as
    > this is sent by the browser. So, this is very easily fooled. In
    > fact, the individual(s) that were abusing the script on our system
    > reported a User-Agent of "Microsoft URL Control - 6.00.8169", which
    > appears to be some sort of COM/OLE control which can be programmed to
    > send a specific referer address.
    >
    > Without the need for programming your own COM/OLE control, there is a
    > simple way to test this out. Place the following into an HTML file :
    >
    > <HTML>
    > <HEAD> <TITLE>Exploit Test Page</TITLE> </HEAD>
    > <BODY>
    > <form action="http://www.example.com/cgi-bin/bizmail/bizmail.cgi"
    > method="POST" name="Subscribe">
    > <TEXTAREA rows="5" name="email"></TEXTAREA>
    > <INPUT TYPE="submit" VALUE="Submit" class="submit">
    > </FORM> </BODY> </HTML>
    >
    > In the textbox that pops up, enter in the following (begin by hitting
    > enter to insert a blank line)
    >
    > From:joeblow@example.com
    > To:yourvalidemail@yourdomain.com
    > Subject:Exploit Test
    >
    > This is a test
    >
    > Click submit. You'll receive an email from the bizmail script, but
    > you won't receive the normal contact email. You can check the .dat
    > file and see a copy of what you sent.
    >
    > I believe there's a simple fix for this. The variable,
    > $formdata{'email'}, should be checked for invalid characters, such as
    > carriage returns and line feeds. In addition, neither the smtp nor
    > sendmail module should be called if the $MAIN_mail_send variable is
    > not set. A subject should probably be required as well.
    >
    > As per the suggested guidelines of the securityfocus bugtraq list, I
    > would like to hear back from you within one week. In the interest of
    > security, I will be posting details of this exploit to the bugtraq
    > list after one week if I have not heard back from you.
    >
    > --
    > Jason 'XenoPhage' Frisvold
    > XenoPhage0@gmail.com
    >

    -- 
    Jason 'XenoPhage' Frisvold
    XenoPhage0@gmail.com
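
The header injection described in the quoted message, the regexes from the patch above, and a stricter check, as an added Python illustration. This is not BizMail's code and not Jason Frisvold's; the Perl regexes are transcribed from the patch, `SITE_RECIPIENT`, the form dictionaries and both payloads are constructed test data, and the recipient collection models `sendmail -t` with a sender that also honours a bare CR as a line end (whether a given MTA or SMTP library does so is an assumption, not something the thread establishes). The script shows that the posted newline payload is blocked by the patch's regexes, that a bare-CR variant is not, and that a validator which rejects CR/LF outright and anchors with `\Z` refuses both.

```python
import re

# Regexes copied from the bizmail.cgi patch posted above.  Perl and Python
# agree on the two details that matter: '.' does not match "\n" (but does
# match "\r"), and '$' also matches just before one trailing "\n".
BAD_SHAPE = re.compile(r"(@.*@)|(\.\.)|(@\.)|(\.@)|(^\.)")
GOOD_SHAPE = re.compile(r"^.+\@(\[?)[a-zA-Z0-9\-\.]+\.([a-zA-Z0-9]+)(\]?)$")

# Constructed stand-in for the script's hard-coded send_to address.
SITE_RECIPIENT = "contact@example.com"

# Constructed sample: the payload from the post, typed into the textarea
# after first pressing Enter to insert a blank line.
POSTED_PAYLOAD = (
    "\nFrom:joeblow@example.com\n"
    "To:yourvalidemail@yourdomain.com\n"
    "Subject:Exploit Test\n\nThis is a test"
)
# Constructed variant using a bare carriage return instead of a line feed.
CR_PAYLOAD = "x\rBcc: victim@evil.example"


def patch_accepts(email):
    """The check the patch adds, as a predicate: True means the value passes."""
    return not (BAD_SHAPE.search(email) or not GOOD_SHAPE.search(email))


def build_message_vulnerable(form):
    """Message assembly as the post describes it: the submitted 'email' goes
    straight into a header line, so a line break inside it ends that header
    and everything after it is read as further headers."""
    return ("To: %s\n" % SITE_RECIPIENT
            + "From: %s\n" % form.get("email", "")
            + "Subject: %s\n" % form.get("subject", "Contact form")
            + "\n" + form.get("message", "") + "\n")


def recipients(raw):
    """Collect addresses the way 'sendmail -t' does: every To:, Cc: and Bcc:
    header in the block before the first blank line.  CR, LF and CRLF are
    all taken as line ends (assumption: a sender that honours a bare CR)."""
    headers = raw.partition("\n\n")[0]
    found = set()
    for line in re.split(r"\r\n|\r|\n", headers):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("to", "cc", "bcc"):
            found.update(a.strip() for a in value.split(",") if a.strip())
    return found


# Hardened check: refuse anything that can terminate a header line, then
# whitelist the address shape.  \Z, unlike $, does not tolerate a trailing
# newline.  The shape is deliberately narrower than RFC 5322 permits.
ADDR = re.compile(r"[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}\Z")


def validate_email(value):
    if re.search(r"[\r\n\x00]", value):
        raise ValueError("line break or NUL in address")
    if len(value) > 254 or not ADDR.match(value):
        raise ValueError("not a plain user@host address")
    return value


def rejects(value):
    """True if validate_email refuses the value."""
    try:
        validate_email(value)
    except ValueError:
        return True
    return False


def build_message_hardened(form):
    """Same layout as the vulnerable builder, but every header value is
    checked for CR/LF first, so the form cannot add headers of its own."""
    email = validate_email(form.get("email", ""))
    subject = form.get("subject", "Contact form")
    if re.search(r"[\r\n]", subject):
        raise ValueError("line break in subject")
    return "To: %s\nFrom: %s\nSubject: %s\n\n%s\n" % (
        SITE_RECIPIENT, email, subject, form.get("message", ""))


if __name__ == "__main__":
    for payload in (POSTED_PAYLOAD, CR_PAYLOAD):
        raw = build_message_vulnerable({"email": payload})
        print("vulnerable build delivers to:", sorted(recipients(raw)))
        print("patch regexes accept it:     ", patch_accepts(payload))
        print("hardened validator rejects it:", rejects(payload))
        print()
```

The newline payload from the post fails the patch's `^.+` test only because `.` cannot match the leading `"\n"`; the CR variant sails through it, which is why the hardened version tests for the control characters directly rather than trusting the address shape to exclude them. The subject field gets the same CR/LF test, since any header value interpolated from the form is an injection point, not just the address.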
    
