RE: Secure Form Script?

From: Bryce Porter (bporter_at_heart.net)
Date: 05/14/04

  • Next message: Runion Mark A FGA DOIM WEBMASTER(ctr): "RE: Secure Form Script?"
    Date: Fri, 14 May 2004 14:36:28 -0500
    To: "Stephen Samuel" <samuel@bcgreen.com>, <focus-linux@securityfocus.com>
    
    
    

    Or you can write your own script in Perl (or your language of choice)
    that accepts a single To: parameter from an HTML form and runs the input
    through a regular expression to "cleanse" the data. Then, perform the
    actual sending using something like Net::SMTP, et al. Never interface
    directly with the sendmail binary, and never use a script that does. Let
    me know if you need some help.

    Regards,
     
    Bryce Porter
    Network Administrator
    Heart Technologies, Inc.
    bporter@heart.net
    http://www.heart.net/
    309.633.2800 Technical Support
    309.634.2282 Direct
    309.634.2382 Fax
     
    -----Original Message-----
    From: Stephen Samuel [mailto:samuel@bcgreen.com]
    Sent: Thursday, May 13, 2004 4:56 PM
    To: Michael Rice; focus-linux@securityfocus.com
    Subject: Re: Secure Form Script?

    Why not just a form that accepts a subject, a sender email
    and a text message, then mails that to a specific user.
    Even if someone manages to hijack the fields due to improperly vetted
    input, you'd still only end up with the input going to one
    possible person (the recipient is specified on the (fixed)
    sendmail command line).

    Michael Rice wrote:
    >>Can someone point me to a discussion about the issues involved with
    >>hijacking web forms? In the applications I write, the destination address
    >>is usually stored on the server, either in the script itself, or in a
    >>configuration file, or in a database. I don't see how someone could use
    >>such a script to change the destination address and point it at a list
    >>of addresses belonging to spam victims.
    >
    >
    > It's usually not sufficient to store the to addresses on the server
    > and/or obfuscate the parameters used for the other input fields.
    >
    >
    > Consider a form that constructs the email like:
    >
    > Date: $local->date
    > From: $form->from
    > To: $local->to
    > Subject: $form->subject
    >
    > $form->body
    >
    > So, to hijack this form, I would construct a subject like:

    -- 
    Stephen Samuel +1(604)876-0426                samuel@bcgreen.com
    		   http://www.bcgreen.com/~samuel/
        Powerful committed communication. Transformation touching
          the jewel within each person and bringing it to light.
    
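The hijack Michael Rice describes above (a form field carrying CR/LF so that extra headers land in the message template) and the fix Bryce Porter recommends (fixed recipient, regex cleansing, delivery over SMTP instead of a sendmail pipe), in one added example. This is not code from anyone in the thread; it is written in Python rather than Perl, and the recipient webmaster@example.org, the form field names and both sample submissions are assumed and constructed for the demo.

```python
"""Web-form mailer: header injection against a naive template, and a
hardened builder. Added example, not code from the thread; addresses,
field names and the sample submissions are constructed for the demo."""
import email
import re
import smtplib
from email.message import EmailMessage
from email.utils import formatdate
from typing import Dict, List, Optional, Tuple

FIXED_TO = "webmaster@example.org"  # the only recipient, stored server-side (assumed)


def naive_build(form: Dict[str, str]) -> str:
    """Vulnerable: form fields are spliced straight into the header block."""
    return (f"Date: {formatdate()}\r\n"
            f"From: {form['from']}\r\n"
            f"To: {FIXED_TO}\r\n"
            f"Subject: {form['subject']}\r\n"
            "\r\n"
            f"{form['body']}")


def recipients_of(raw: str) -> List[str]:
    """Every address in To/Cc/Bcc, i.e. what an MTA that takes recipients
    from the headers (sendmail -t style) would deliver the message to."""
    msg = email.message_from_string(raw)
    addrs: List[str] = []
    for hdr in ("To", "Cc", "Bcc"):
        for value in msg.get_all(hdr, []):
            addrs.extend(a.strip() for a in value.split(","))
    return addrs


def body_of(raw: str) -> str:
    return email.message_from_string(raw).get_payload()


class RejectedInput(ValueError):
    """A form field cannot be placed safely in a mail header."""


# fullmatch, not match() with "$": "$" also matches before a trailing
# newline, so "x@example.com\n" would slip through a match()-based check.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")
HEADER_TEXT_RE = re.compile(r"[^\r\n\x00]{1,200}")


def safe_build(form: Dict[str, str]) -> EmailMessage:
    """Hardened: one plain From address, no CR/LF/NUL in header text, fixed To.
    The check is explicit so it does not rely on the mail library catching it."""
    if not ADDR_RE.fullmatch(form["from"]):
        raise RejectedInput("From must be a single plain address")
    if not HEADER_TEXT_RE.fullmatch(form["subject"]):
        raise RejectedInput("Subject contains CR/LF/NUL or is too long")
    msg = EmailMessage()
    msg["Date"] = formatdate()
    msg["From"] = form["from"]
    msg["To"] = FIXED_TO
    msg["Subject"] = form["subject"]
    msg.set_content(form["body"])  # body is data, not headers; newlines are fine here
    return msg


def deliver(msg: EmailMessage, host: Optional[str] = None) -> Tuple[str, List[str]]:
    """Hand the message to SMTP with an envelope fixed by the script, never
    derived from headers. host=None is a dry run that only returns the envelope."""
    envelope_from = FIXED_TO  # a bounce address you control, not the user's From
    to_addrs = [FIXED_TO]
    if host is not None:
        with smtplib.SMTP(host) as smtp:
            smtp.send_message(msg, from_addr=envelope_from, to_addrs=to_addrs)
    return envelope_from, to_addrs


def demo() -> Dict[str, object]:
    """Constructed submissions: one crafted to add Bcc recipients, one benign."""
    attack = {"from": "attacker@example.com",
              "subject": "hello\r\nBcc: victim1@example.net, victim2@example.net"
                         "\r\n\r\nBuy now!",
              "body": "the body the site operator expects to see"}
    benign = {"from": "alice@example.com", "subject": "Question about the site",
              "body": "Hi,\nwhere is the contact page?"}
    raw = naive_build(attack)
    try:
        safe_build(attack)
        blocked = False
    except RejectedInput:
        blocked = True
    ok = safe_build(benign)
    return {"naive_recipients": recipients_of(raw),
            "naive_body_starts": body_of(raw)[:8],
            "hardened_blocked": blocked,
            "hardened_recipients": recipients_of(ok.as_string()),
            "envelope": deliver(ok)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two details matter beyond the regex. The crafted subject does not just add recipients; the blank line inside it ends the header block, so the attacker's "Buy now!" becomes the body and the real body is pushed below it. And `deliver()` passes `to_addrs` explicitly: left as None, `smtplib.send_message` collects recipients from the To, Cc and Bcc headers, which is exactly the behaviour of a sendmail pipe that the thread warns against.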
