vengavenga, posted February 18, 2004

One of my clients (dappernippers.com) received 3 or 4 messages yesterday via her formmail "contact us" form. She forwarded one of them on to me:

Subject: http://www.dappernippers.com/cgi-sys/formmail.pl (217.158.37.164:80) bcc: imagx09@aol.comLX OO Nh Kd ylaErPMt4R9KE3i3k2Kt K9rAnn 2n qsoH1 uC2IcP TKKm2 iG Glgep UUPT7s7f feJ3qHgbSÿFFFFCCabcdefghijklmnopqrstuvqxyzABC.
Date: Tue, 17 Feb 2004 16:59:04 -0500
From: 9uSrC03v@dappernippers.com
To: 9uSrC03v@dappernippers.com
body: LX OO Nh K d yl aErPMt4R9KE3i3k2Kt K9rAnn 2n qsoH1 uC2IcP TKKm2 iG Glgep UUPT 7 s7f feJ3qHgb SÿFFFFCCabcdefghijklmnopqrstuvqxyzABC

Is this something sinister, and is there any risk?

Cheers, Ali
surefire, posted February 18, 2004

It looks suspicious to me. The from and to are the same... plus there's a bcc. It might have been an attempt to see if the form mail script on the client's site is vulnerable to hijacking.

The acid test of form mail scripts is whether the email recipient addresses are hard coded into the server side code... or if you pass them to the script from a hidden form tag in the html on your form page. If the script requires (or allows!) you to set the recipient email address(es) by sending the email addresses from the form html, then the script is vulnerable and you should use a different one. Even if your code compares the form data recipient email address against a pre-set array of accepted email addresses, there are serious vulnerabilities.

The best form mail code is set up by the website owner to send all messages to a prearranged set of email addresses. I don't know of a way that a form mail script could be hijacked if the recipients are hardcoded.
vengavenga (author), posted February 18, 2004

hmmm ... this isn't an issue I've had to worry about before. The formmail script I use is one of the preinstalled cgi scripts supplied by TCH. It does use a hidden tag in the html for the "to" field. My previous host had this script set up so that it was only possible to have an address belonging to the same domain in the "to" field (or at least, mail would only work if it was). Anyone know if that's the same with TCH?

Cheers, Ali.
ThumpAZ, posted February 18, 2004

This does look like a vulnerability test to me as well. Very classic with the alphabet in order and then some random characters to bypass the possibility of a text checker. What it looks like they are trying to do is figure out if they are going to be able to send to their SPAM lists in the BCC field, while using you as the From and Reply To addresses. I would talk to Raul or one of the other script wizards here to see what you can get from them about buttoning up the script.

-GG
ThumpAZ, posted February 18, 2004 (edited)

I have discussed this with other moderators and they have told me a few things. Mainly that you should have the user visit Ultimate Form Mailer. Also, that CGI Email was disabled at some point: Here is info on that.

Fixed link above -- TCH-Bruce

Edited February 18, 2004 by TCH-Bruce
vengavenga (author), posted February 19, 2004

Thanks for that guys. I'll take a look at the script you mention and install it on all the sites that I've designed for clients.

Just realised that on this particular site there's a good chance that it wasn't a formmail form at all - it'll have been submitted through the osCommerce mailing system which uses php sendmail. Am I right in saying that if that's the case, this will just have been a failed attempt?

Also - on the subject of the thread that mentions the cgi scripts being permanently disabled, both "formmail clone" and "cgiemail" appear on my cpanel. They do work using the path given in cpanel (/cgi-sys/FormMail.cgi) without me having to upload anything to the cgi-bin myself. Just mentioning it in case they were meant to have been removed by someone and haven't been.

Thanks again

Ali
scotttyz, posted March 2, 2004

The issue I have heard about is that you can include a "\n cc: name@host.com, etc" in the first "form variable" in the email, because RFC822 isn't specific about what order the mail headers have to be in, only that the requisite minimum are there. So a spammer could pull the passed variable (form contents) and include a list of cc:........ to your script.

IE: (for php) `mail($to, $subject, $message, $headers)` - you hard code the to: and headers: fields, but the spammer uses the $subject (or $message) field to pass a:

\n cc: name@mail.com;name@mail.com;name@mail.com;name@mail.com;

and so on, in almost any place in your form submitted variables.

I am working on a php mail script that checks the non hard coded variables for "@" and replaces with "at". That should do it. If I am wrong please poke holes in my theory!!!!

Some hosts already have a big issue with this.
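The defence that surefire and scotttyz describe above (recipients fixed in the script, and any form value bound for a mail header refused if it carries a line break) written out as an added Python example; it is not code from this thread, TCH, or the PHP/Perl scripts discussed. The recipient address and the sample probe it checks are constructed placeholders, not the client's real values.

```python
import re

# Destination addresses are fixed in the script, never read from a hidden
# form field (constructed placeholder address, not the client's real one).
RECIPIENTS = ("contact@example.com",)

# A CR or LF inside a header value ends that header line, so whatever
# follows it is parsed as further headers.
_LINE_BREAK = re.compile(r"\r\n|\r|\n")
_HEADER_LINE = re.compile(r"^[ \t]*([A-Za-z-]+)[ \t]*:", re.M)

def injected_headers(value):
    """Header names that `value` would smuggle in if put into a header.

    Only text after the first line break can be read as a header.  A line
    beginning with whitespace would be a folded continuation under RFC 822,
    but it is still flagged because not every mailer folds strictly.
    """
    parts = _LINE_BREAK.split(value, maxsplit=1)
    if len(parts) < 2:
        return []
    return [m.group(1).lower() for m in _HEADER_LINE.finditer(parts[1])]

def validate_form(form):
    """Return a list of problems; an empty list means the form is clean."""
    problems = []
    for field in ("email", "subject"):  # the fields that end up in headers
        value = form.get(field, "")
        names = injected_headers(value)
        if names:
            problems.append(f"{field}: injected headers {', '.join(names)}")
        elif _LINE_BREAK.search(value):
            problems.append(f"{field}: line break in header value")
    return problems

def build_message(form):
    """Assemble the raw message, refusing to send on any header problem."""
    problems = validate_form(form)
    if problems:
        raise ValueError("; ".join(problems))
    headers = [
        f"To: {', '.join(RECIPIENTS)}",
        f"Reply-To: {form.get('email', '').strip()}",
        f"Subject: {form.get('subject', '').strip()}",
    ]
    # The body follows the blank line that ends the headers, so its own
    # newlines cannot create headers.
    return "\r\n".join(headers) + "\r\n\r\n" + form.get("message", "")
```

Logging the list returned by `validate_form` (rather than silently stripping characters) also gives you a record of probes like the one in the first post.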