[nycphp-talk] worm/virus's hammering feedback scripts?

Billy Reisinger mail at billyreisinger.com
Mon Sep 12 14:36:19 EDT 2005


Dear David:
The attacker only needs to slip a mail header in _any_ of the variables 
passed to mail(); not just a Reply-to: header.  In brief, this attack 
works due to a "feature" of MIME headers which allow you to have 
duplicate header entries (i.e. To:, Reply-to:, etc) in _any_order_ in 
the mail header.  In fact, the attacker can stop a mail message in the 
middle of the message body and begin an entirely new message!  For a 
more thorough (and cogent) explanation of this vulnerability, head on 
over to http://securephp.damonkohler.com/index.php/Email_Injection .  
It's kind of a funky problem to get your brain around.  I agree that the 
community needs some sort of standardized solution to squash this 
problem once and for all!

David Mintz wrote:

>I am a little confused about how my contact.php has been abused, or
>whether the attack actually succeeded or just annoyed me.
>
>There are fields for contact data such as phone number etc but these are
>validated and then end up as part of the message body.
>
>The To (site owner, and me) and Subject headers are hard-coded.  The
>user-supplied email goes into Reply-to header as a convenience to the
>ultimate human receiver. However, that email is validated against this
>regex by HTML_QuickForm:
>
>/^((\"[^\"\f\n\r\t\v\b]+\")|([\w\!\#\$\%\&\'\*\+\-\~\/\^\`\|\{\}]+(\.[\w\!\#\$\%\&\'\*\+\-\~\/\^\`\|\{\}]+)*))@((\[(((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9])))\])|(((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9])))|((([A-Za-z0-9\-])+\.)+[A-Za-z\-]+))$/
>
>
>It isn't optimized for readability but I really don't think you can slip
>newlines and "\r\nCc: whatever at example.org" and 'Content-type:...' in
>there. Messages come to me like the following (site domain name changed
>for discretion's sake). It looks like the nasty part only made it into the
>message body. Does this nevertheless mean the mail function actually sent
>mail to the now famous jrubin3546 at aol.com?
>
>Date: 11 Sep 2005 16:55:58 -0000
>From: webmaster at example.org
>Reply-To: jkbfi at example.org
>To: site-owner at example.org, dmintz at davidmintz.org
>Subject: EXAMPLE Mailing List
>
>The following request to be added to the EXAMPLE mailing list was
>submitted via EXAMPLE.org on 11-Sep-2005 at 12:55 pm
>
>jkbfi at example.org, jkbfi at example.org jkbfi at example.org
>Content-Type: multipart/mixed; boundary="===============2144621942=="
>MIME-Version: 1.0
>Subject: a29babd0
>To: jkbfi at example.org
>bcc: jrubin3546 at aol.com
>From: jkbfi at example.org
>
>This is a multi-part message in MIME format.
>
>--===============2144621942==
>Content-Type: text/plain; charset="us-ascii"
>MIME-Version: 1.0
>Content-Transfer-Encoding: 7bit
>
>bsmiaujtd
>--===============2144621942==--
>jkbfi at example.org
>jkbfi at example.org
>jkbfi at example.org
>jkbfi at example.org
>jkbfi at example.org, jkbfi at example.org jkbfi at example.org
>
>Business phone jkbfi at example.org
>Business fax   jkbfi at example.org
>Cellular       jkbfi at example.org
>Home phone     jkbfi at example.org
>Email          jkbfi at example.org
>
>[end example]
>
>Meanwhile I have hardened this script along the lines suggested by Hans Z
>et al and started logging the state of the input after validation on every
>invocation of the script, and these logs show that the bot is being
>thwarted and the script is exiting harmlessly, so thank you very much.
>
>I think it's time to propose some white-list style regexps instead of
>trying to filter out the evil stuff (thanks Shiflett). For example, would
>you agree that a proper name (of a person) in most any Western
>European language ought to pass this test?
>
>// Whitelist: true only if every byte is an ASCII letter, a Latin-1
>// accented letter (0xC0-0xFF), a space, or one of . , ' -
>function checkProperName($name) {
>    return preg_match("/[^a-zA-Z\xC0-\xFF .,'-]/",$name) == false;
>}
>
>---
>David Mintz
>http://davidmintz.org/
>_______________________________________________
>New York PHP Talk Mailing List
>AMP Technology
>Supporting Apache, MySQL and PHP
>http://lists.nyphp.org/mailman/listinfo/talk
>http://www.nyphp.org
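The header-injection mechanism Billy describes and the whitelist check David proposes, as an added Python example that is not code from the original thread or from HTML_QuickForm. It mimics how a contact script concatenates user-supplied fields into the additional_headers string handed to PHP's mail(), parses the result the way a mail transfer agent does (split at the first blank line, duplicate field names allowed), and contrasts it with a builder that refuses any CR or LF in a field bound for a header. The addresses, the injected payloads and the function names are constructed for this example; proper_name_ok() is a port of the checkProperName() regexp from the post, not part of it.

```python
import re

# Constructed sample inputs for the demonstration; they are not taken from the
# list post and the addresses are placeholders.
CLEAN_EMAIL = "alice@example.org"
INJECTED_EMAIL = "alice@example.org\r\nBcc: spam-target@example.net"
INJECTED_BODY = "hello\r\nBcc: spam-target@example.net\r\n\r\nsecond message"


class HeaderInjection(ValueError):
    """Raised by the hardened builder when a header-bound value contains CR or LF."""


def build_message_vulnerable(to, subject, body, reply_to):
    """Assemble a message the way a naive PHP contact script feeds mail():
    the Reply-To value is concatenated straight into the header block, so a
    CRLF inside it terminates the Reply-To line and starts a new header."""
    extra_headers = "From: webmaster@example.org\r\nReply-To: " + reply_to + "\r\n"
    return "To: " + to + "\r\nSubject: " + subject + "\r\n" + extra_headers + "\r\n" + body


def parse_message(raw):
    """Split a message at the first blank line, as an MTA does, and return
    (headers, body).  headers maps a lower-cased field name to a list of values,
    because duplicate fields are legal and are exactly what an injector relies on."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n"):
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body


def reject_line_breaks(value, field):
    """Fail closed: a CR or LF in a value that will land in a header is an attack,
    not something to strip and carry on with."""
    if re.search(r"[\r\n]", value):
        raise HeaderInjection(field + " contains a line break")
    return value


def build_message_hardened(to, subject, body, reply_to):
    """Same assembly as the vulnerable builder, but every header-bound field
    (not just Reply-To) is checked first."""
    for field, value in (("to", to), ("subject", subject), ("reply_to", reply_to)):
        reject_line_breaks(value, field)
    return build_message_vulnerable(to, subject, body, reply_to)


def proper_name_ok(name):
    """Port of the checkProperName() whitelist from the post: accept only ASCII
    letters, the Latin-1 accented range, space, '.', ',', apostrophe and hyphen.
    PHP without /u compares bytes while Python compares code points; the two
    agree for Latin-1 input, and both keep CR and LF out."""
    return re.search(r"[^a-zA-Z\xC0-\xFF .,'-]", name) is None


def recipients_added_via(builder, reply_to, body="hello"):
    """Return the Bcc values an MTA would honour in the message produced by builder."""
    msg = builder("owner@example.org", "Contact form", body, reply_to)
    headers, _ = parse_message(msg)
    return headers.get("bcc", [])


def hardened_rejects(reply_to):
    """True if the hardened builder refuses reply_to, i.e. the CR/LF check fired."""
    try:
        build_message_hardened("owner@example.org", "Contact form", "hello", reply_to)
    except HeaderInjection:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable, injected Reply-To:", recipients_added_via(build_message_vulnerable, INJECTED_EMAIL))
    print("vulnerable, injected body only:", recipients_added_via(build_message_vulnerable, CLEAN_EMAIL, INJECTED_BODY))
    print("hardened rejects injected Reply-To:", hardened_rejects(INJECTED_EMAIL))
    print("proper_name_ok('Zo\u00eb O\u2019Brien-Smith'.replace('\u2019', \"'\")):", proper_name_ok("Zo\u00eb O'Brien-Smith"))
```

Two things the run makes visible. A Bcc line that only reaches the body, after the first blank line, is never seen as a header by the MTA, so the entire job of the hardened builder is to keep CR and LF out of every value that is concatenated into the header block, whatever regexp validated it earlier. And the name whitelist is a Latin-1 check: if the form posts UTF-8, the continuation bytes of an accented letter (for example 0xAB in the two-byte encoding of "ë") fall outside 0xC0-0xFF and the PHP version will reject perfectly ordinary names, so the expected charset has to be decided before the regexp is chosen.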
