Warning to all writing CGI form mail scripts...

Hi,

I've pointed out nasty bugs you can do when writing form mail scripts before now, such as dropping variables into the command line, or specifying the To address as unchecked user input, etc.

A new nasty one I've seen in increasing use is much more subtle. When you do a sendmail script it tends to look like this:-

open my $mail, "| /usr/bin/sendmail -t";
print $mail "To: predefined@address.com\n";
print $mail "From: $email\n";
print $mail "Subject: $subject\n\n";
print $mail "$body";
close $mail;

Many people will validate $email properly to ensure people are entering a valid email address. Unfortunately, checking the subject line is easily overlooked, but it's a big potential problem.

Imagine the variable $subject contains (line breaks intentional):-

I 0wned j00!
Bcc: spam@address.com

Then you end up printing this header:-

To: predefined@address.com
From: $email
Subject: I 0wned j00!
Bcc: spam@address.com

So, what happens here? Well, the mail also gets BCC'd to someone else. You could hide a lot of addresses in there and obviously SPAM quite a few people.

The solution? Make sure the subject line doesn't contain any line breaks.

if ($subject =~ /\n|\r/) { ... }

And as the normal advice goes, if you find one thing is not as it should be, just pull the plug. E.G., the fix is to check for this and not send any mail, not to strip out the unwanted characters and let things go on as normal, as if nothing had happened. There could be other dodgy input that'll damage some other bit of your script.

Usual CGI advice: don't trust input! :-) I'll be popping this in the next version of my secure CGI development article.

Jonathan

###
for(74,117,115,116){$::a.=chr};(($_.='qwertyui')&&
(tr/yuiqwert/her anot/))for($::b);for($::c){$_.=$^X;
/(p.{2}l)/;$_=$1}$::b=~/(..)$/;print("$::a$::b $::c hack$1.");

Comments

  • : Hi,
    :
    : I've pointed out nasty bugs you can do when writing form mail scripts before now, such as dropping variables into the command line, or specifying the To address as unchecked user input, etc.
    :
    : A new nasty one I've seen in increasing use is much more subtle. When you do a sendmail script it tends to look like this:-
    :
    : open my $mail, "| /usr/bin/sendmail -t";
    : print $mail "To: predefined@address.com\n";
    : print $mail "From: $email\n";
    : print $mail "Subject: $subject\n\n";
    : print $mail "$body";
    : close $mail;
    :
    : Many people will validate $email properly to ensure people are entering a valid email address. Unfortunately, checking the subject line is easily overlooked, but it's a big potential problem.
    :
    : Imagine the variable $subject contains (line breaks intentional):-
    :
    : I 0wned j00!
    : Bcc: spam@address.com
    :
    : Then you end up printing this header:-
    :
    : To: predefined@address.com
    : From: $email
    : Subject: I 0wned j00!
    : Bcc: spam@address.com
    :
    : So, what happens here? Well, the mail also gets BCC'd to someone else. You could hide a lot of addresses in there and obviously SPAM quite a few people.
    :
    : The solution? Make sure the subject line doesn't contain any line breaks.
    :
    : if ($subject =~ /\n|\r/) { ... }
    :
    : And as the normal advice goes, if you find one thing is not as it should be, just pull the plug. E.G., the fix is to check for this and not send any mail, not to strip out the unwanted characters and let things go on as normal, as if nothing had happened. There could be other dodgy input that'll damage some other bit of your script.
    :
    : Usual CGI advice: don't trust input! :-) I'll be popping this in the next version of my secure CGI development article.
    :
    : Jonathan
    :
    : ###
    : for(74,117,115,116){$::a.=chr};(($_.='qwertyui')&&
    : (tr/yuiqwert/her anot/))for($::b);for($::c){$_.=$^X;
    : /(p.{2}l)/;$_=$1}$::b=~/(..)$/;print("$::a$::b $::c hack$1.");

    I don't understand how someone can drop a variable into the command line. Could you please explain?

    X
  • : : I've pointed out nasty bugs you can do when writing form mail
    : : scripts before now, such as dropping variables into the command
    : : line, or specifying the To address as unchecked user input, etc.
    : I don't understand how someone can drop a variable into the command
    : line. Could you please explain?
    I meant writing the Sendmail call like this:-

    open my $mail, "| /usr/bin/sendmail -t $toemail";

    If you're going to do that you'd better hope your validation routine for $toemail is pretty good. Passing user input from a CGI script directly to the shell is generally best avoided, and if you do it then it's essential you check its content carefully first. Otherwise, people could execute arbitrary commands.

    Maybe you think I'm being paranoid. The guy in computing class who asked me to check one of his systems out (that I happened to know did a call to the shell, though I didn't know if it was checked) has (hopefully!) been pretty paranoid after getting kinda scared when a few files magically started appearing on the test server. ;-) (Better still was that he had an unfortunate design that meant you could also see the output of any commands you executed, so you had 2 way communication with the remote target).

    Jonathan

    ###
    for(74,117,115,116){$::a.=chr};(($_.='qwertyui')&&
    (tr/yuiqwert/her anot/))for($::b);for($::c){$_.=$^X;
    /(p.{2}l)/;$_=$1}$::b=~/(..)$/;print("$::a$::b $::c hack$1.");
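The two hazards raised in this thread, a line break in $subject smuggling a Bcc: header past sendmail -t, and user input interpolated into the sendmail command line, as one worked example. This is added example code, not Jonathan's script; the function names header_problem, build_message and send_message, the sample form values and the bad subject line are constructed for the demonstration. It follows the advice above: any header field containing CR or LF causes the whole send to be refused rather than cleaned up, and sendmail is started with the list form of open(), which hands each argument straight to the program with no shell in between.

```perl
#!/usr/bin/perl
# Added example (not the original poster's code): a form-mail sender that
# refuses any header value containing a line break, and starts sendmail
# without going through /bin/sh.
use strict;
use warnings;

# Return a reason string if $value is unsafe to place in a mail header,
# or nothing if it is fine.  A CR or LF lets the field end early and
# append extra headers (e.g. "Bcc:"), so the field is rejected outright.
sub header_problem {
    my ($name, $value) = @_;
    return "$name is missing"            unless defined $value;
    return "$name contains a line break" if $value =~ /[\r\n]/;
    return "$name contains a NUL byte"   if $value =~ /\x00/;
    return;
}

# Assemble the full message, or die with the first problem found.
# Every header that carries form input is checked, not just Subject.
sub build_message {
    my (%f) = @_;
    for my $name (qw(to from subject)) {
        my $why = header_problem($name, $f{$name});
        die "refusing to send: $why\n" if defined $why;
    }
    return "To: $f{to}\n"
         . "From: $f{from}\n"
         . "Subject: $f{subject}\n"
         . "\n"
         . ($f{body} // '');
}

# Hand the message to sendmail.  The list form of open() passes the
# arguments directly to execvp, so no user-controlled string ever reaches
# a shell.  -t reads the recipients from the headers; -i keeps a lone "."
# line in the body from ending the message early.
sub send_message {
    my ($message) = @_;
    open my $mail, '|-', '/usr/bin/sendmail', '-t', '-i'
        or die "cannot run sendmail: $!\n";
    print {$mail} $message;
    close $mail or die "sendmail exited with status $?\n";
}

# Constructed demonstration input; the second form carries the Bcc: trick
# from the post.  send_message is left commented out so this runs offline.
my %good = (
    to      => 'predefined@address.com',
    from    => 'user@example.com',
    subject => 'Hello',
    body    => "Just testing.\n",
);
my %bad = (%good, subject => "I 0wned j00!\nBcc: spam\@address.com");

for my $form (\%good, \%bad) {
    my $msg = eval { build_message(%$form) };
    if (defined $msg) {
        print "OK, would send:\n$msg\n";
        # send_message($msg);   # enable on a host with /usr/bin/sendmail
    }
    else {
        print "Rejected: $@";
    }
}
```

Run as-is it prints the assembled message for the first form and "Rejected: refusing to send: subject contains a line break" for the second; no mail is sent until the send_message call is uncommented. The same header_problem check can be applied to any other field that ends up in a header, such as a Reply-To taken from the form.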
