Strange Formmail Messages


vengavenga

One of my clients (dappernippers.com) received 3 or 4 messages yesterday via her formmail "contact us" form. She forwarded one of them on to me:

 

Subject: http://www.dappernippers.com/cgi-sys/formmail.pl (217.158.37.164:80) bcc: imagx09@aol.comLX OO Nh Kd ylaErPMt4R9KE3i3k2Kt K9rAnn 2n qsoH1 uC2IcP TKKm2 iG Glgep UUPT7s7f feJ3qHgbSÿFFFFCCabcdefghijklmnopqrstuvqxyzABC.

Date: Tue, 17 Feb 2004 16:59:04 -0500

From: 9uSrC03v@dappernippers.com

To: 9uSrC03v@dappernippers.com

 

body: LX

OO Nh K

d

yl

aErPMt4R9KE3i3k2Kt K9rAnn 2n qsoH1

uC2IcP TKKm2 iG Glgep UUPT

7

s7f

feJ3qHgb

SÿFFFFCCabcdefghijklmnopqrstuvqxyzABC

 

 

Is this something sinister, and is there any risk? :dance:

 

Cheers,

 

Ali


It looks suspicious to me. The from and to are the same... plus there's a bcc. It might have been an attempt to see if the form mail script on the client's site is vulnerable to hijacking.

 

The acid test of form mail scripts is whether the email recipient addresses are hard coded into the server side code... or if you pass it to the script from a hidden form tag in the html on your form page.

 

If the script requires (or allows!) you to set the recipient email address(es) by sending the email addresses from the form html, then the script is vulnerable and you should use a different one. Even if your code compares the form data recipient email address against a pre-set array of accepted email addresses, there are serious vulnerabilities.

 

The best form mail code is set up by the website owner to send all messages to a prearranged set of email addresses. I don't know of a way that a form mail script could be hijacked if the recipients are hardcoded.


hmmm ... this isn't an issue I've had to worry about before.

The formmail script I use is one of the preinstalled cgi scripts supplied by TCH.

It does use a hidden tag in the html for the "to" field.

 

My previous host had this script set up so that it was only possible to have an address belonging to the same domain in the "to" field (or at least, mail would only work if it was).

 

Anyone know if that's the same with TCH?

 

Cheers,

 

Ali.


This does look like a vulnerability test to me as well. Very classic with the alphabet in order and then some random characters to bypass the possibility of a text checker.

 

What it looks like they are trying to do is figure out if they are going to be able to send to their SPAM lists in the BCC field, while using you as the From and Reply-To addresses.

 

I would talk to Raul or one of the other script wizards here to see what you can get from them about buttoning up the script.

-GG


I have discussed this with other moderators and they have told me a few things.

 

Mainly that you should have the user visit Ultimate Form Mailer

 

Also, that CGI Email was disabled at some point:

Here is info on that

 

Fixed link above -- TCH-Bruce

Edited by TCH-Bruce

Thanks for that guys :)

 

I'll take a look at the script you mention and install it on all the sites that I've designed for clients.

 

Just realised that on this particular site there's a good chance that it wasn't a formmail form at all - it'll have been submitted through the osCommerce mailing system which uses php sendmail.

 

Am I right in saying that if that's the case, this will just have been a failed attempt?

 

Also - on the subject of the thread that mentions the cgi scripts being permanently disabled, both "formmail clone" and "cgiemail" appear on my cpanel. They do work using the path given in cpanel (/cgi-sys/FormMail.cgi) without me having to upload anything to the cgi-bin myself. Just mentioning it in case they were meant to have been removed by someone and haven't been.

 

Thanks again Thumbs Up

 

Ali


  • 2 weeks later...

The issue I have heard about is that you can include a "\n cc: name@host.com, etc" in the first "form variable" in the email, because RFC 822 isn't specific about what order the mail headers have to be in, only that the requisite minimum are there. So a spammer could pull the passed variable (form contents) and include a list of cc:........ to your script.

 

I.e. (for PHP):

mail($to, $subject, $message, $headers)

 

You hard code the to: and headers: fields, but the spammer uses the $subject (or $message) field to pass a:

 

\n cc: name@mail.com;name@mail.com;name@mail.com;name@mail.com;

 

and so on, in almost any place in your form-submitted variables.

 

I am working on a PHP mail script that checks the non-hard-coded variables for "@" and replaces it with "at". That should do it. If I am wrong, please poke holes in my theory!!!!

 

Some hosts already have a big issue with this.
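The two defences this thread arrives at, fixed recipients that the form can never override (the earlier reply) and refusing CR/LF in any field that ends up in a mail header (the post above), as an added example written for this thread rather than code from any poster or from the TCH scripts. The recipient list, field names and the form submissions are constructed for the example; it builds the message with Python's email library instead of PHP's mail().

```python
import re
from email.message import EmailMessage

# Hypothetical fixed recipient list: the site owner sets this, the form never does.
ALLOWED_RECIPIENTS = ("owner@example.com",)

# A bare CR or LF is what lets a "subject" value grow extra header lines.
CRLF = re.compile(r"[\r\n]")
# Newline followed by a header name: the "\n cc: ..." pattern from the post above.
INJECTED_HEADER = re.compile(r"[\r\n]\s*(to|cc|bcc|from|content-type)\s*:", re.I)

# Constructed form submissions: one carrying the injection, one clean.
INJECTED_FORM = {
    "email": "visitor@example.net",
    "subject": "Hello\n cc: name@mail.com;name@mail.com;name@mail.com;",
    "message": "test",
    "recipient": "spamlist@example.org",   # form-supplied recipient, must be ignored
}
CLEAN_FORM = {
    "email": "visitor@example.net",
    "subject": "Hello",
    "message": "Line 1\nLine 2",            # newlines in the body are fine
}

def find_injected_headers(fields):
    """Return the names of form fields whose value tries to smuggle a mail header."""
    return [name for name, value in fields.items() if INJECTED_HEADER.search(value)]

def check_header_fields(fields):
    """Return the header-bound fields (subject, email) that contain CR or LF."""
    return [name for name in ("subject", "email") if CRLF.search(fields.get(name, ""))]

def build_message(fields):
    """Build the outgoing mail; recipients come only from ALLOWED_RECIPIENTS."""
    bad = check_header_fields(fields)
    if bad:
        raise ValueError("newline in header field(s): " + ", ".join(bad))
    msg = EmailMessage()
    msg["To"] = ", ".join(ALLOWED_RECIPIENTS)     # fields["recipient"] is never consulted
    msg["Subject"] = fields.get("subject", "")
    msg["Reply-To"] = fields.get("email", "")
    msg.set_content(fields.get("message", ""))    # body, not a header: CR/LF harmless here
    return msg

if __name__ == "__main__":
    print("injected fields:", find_injected_headers(INJECTED_FORM))
    print(build_message(CLEAN_FORM))
```

Replacing "@" alone would leave the injected "cc:" line in place; the newline check is what stops the header from being added at all.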
