[Mimedefang] OT: Email web form exploits
Kelson
kelson at speed.net
Fri Sep 9 12:57:49 EDT 2005
Jan Pieter Cornet wrote:
> The best protection is to look for embedded CR or LF characters in
> a field that should not contain such characters, like the Subject,
> To, From or any other field that would end up in a header. If there
> are any, just reject with an error.
>
> You might want to ignore newlines just before the end of string to work
> around some buggy browsers.
What I did on the form handlers I audited after all this started was go
through and remove everything after the first CR or LF in any field that
might be used in a header.
In Perl-speak, that's
$field =~ s/[\r\n].*//s;   # /s lets .* span later lines, so everything after the first CR/LF goes
To test it, I created copies of the forms with all text inputs and
hidden inputs replaced with textareas.
If you use a hidden field, dropdown, or user input for the recipient and
rely on your handler to verify that it matches your domain... don't
forget to verify that it's only got one address. I was seeing things
where they'd changed the recipient from "someone at example.com" to
"probe at attackers-isp.com,someone at example.com" -- which would still match
/\@example\.com$/
--
Kelson Vibber
SpeedGate Communications <www.speed.net>
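The two checks Kelson describes, as an added Python example rather than code from the post (which is Perl): an embedded-CR/LF test for header-bound fields, and the recipient check where the loose domain regex from the post is set beside a strict single-address one. The local domain, the strict regex and the sample form values are assumptions.

```python
import re

# Assumed local domain of the form handler (the post's "example.com").
LOCAL_DOMAIN = "example.com"

# The post's check, written the same way: anchored only at the end, so any
# comma-separated list ending in a local address still passes.
NAIVE_RECIPIENT_RE = re.compile(r"@" + re.escape(LOCAL_DOMAIN) + r"$")

# Stricter (assumed): exactly one bare local-part@LOCAL_DOMAIN and nothing else,
# so a comma, space, angle bracket or newline anywhere fails the match.
STRICT_RECIPIENT_RE = re.compile(
    r"^[A-Za-z0-9._%+-]+@" + re.escape(LOCAL_DOMAIN) + r"$"
)


def has_header_injection(value: str) -> bool:
    """True if a header-destined field contains an embedded CR or LF.
    Trailing newlines are tolerated, per the quoted advice about buggy browsers."""
    return re.search(r"[\r\n]", value.rstrip("\r\n")) is not None


def strip_after_newline(value: str) -> str:
    """Kelson's approach: keep only what precedes the first CR or LF."""
    return re.split(r"[\r\n]", value, maxsplit=1)[0]


def naive_recipient_ok(recipient: str) -> bool:
    return NAIVE_RECIPIENT_RE.search(recipient) is not None


def strict_recipient_ok(recipient: str) -> bool:
    return STRICT_RECIPIENT_RE.fullmatch(recipient) is not None


def validate_form(fields: dict) -> list:
    """Return the problems found in header-bound fields; an empty list means accept."""
    problems = []
    for name in ("subject", "from", "to"):
        if name in fields and has_header_injection(fields[name]):
            problems.append(f"{name}: embedded CR/LF")
    if not strict_recipient_ok(fields.get("to", "")):
        problems.append("to: not a single local address")
    return problems


# Constructed sample submission: the recipient trick from the post.
SAMPLE = {"subject": "Contact request", "from": "visitor@example.org",
          "to": "probe@attackers-isp.com,someone@example.com"}
```

Running `validate_form(SAMPLE)` reports the recipient problem even though `naive_recipient_ok` accepts the same value.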