[Mimedefang] OT: Email web form exploits
Chris Gauch
cgauch at digicon.net
Fri Sep 9 13:22:21 EDT 2005
Matthew.van.Eerde wrote:
>
> Kelson wrote:
> > James Ebright wrote:
> >> Check the URI referrer and only allow the web form to be hit FROM
> >> the URLS that it should be linked to otherwise simply return an
> >> error similar to unauthorized access attempt....
> >
> > Not sufficient. These are being done using direct hits to port 80,
> > not actual web browsers, so the attacking script can set whatever
> > referrer it wants.
> >
> > I already had referer checks on all the forms that I saw get hit by
> > these probes.
>
> Set a session variable on the page load and place it in a hidden input.
> On the form action, compare the session variable to the received input.
> If they match, fine. If not, something's up.
>
> What to do about session timeouts, though... hmm... Maybe a 1x1 iframe
> with an HTTP Refresh header could keep the session alive so long as the
> browser is on the page...
>
> If all else fails there's always CAPTCHA.
>
Our solution (ASP version, implemented by one of our application
developers) is sort of a cheap way out, but it has worked for us. I'll
paste the code, which could be easily translated to Perl, etc...
----------------
' SIMPLE SCRIPT TO BLOCK SPAMMING OF FORMMAIL SCRIPTS
Option Explicit
Dim legit, subjectVar, mimeVar, toVar, fromVar, bccVar, HTTP_REFERER
' INIT LEGIT VAR USED TO REDIRECT
legit = "True"
' NOT PASSED FROM FORM - CHECK FOR SPAMMING
' WARNING - THESE FIELDS *MUST* NOT EXIST IN THE ACTUAL FORM!!!!
' (Request() without a collection name searches QueryString, Form,
' Cookies, ClientCertificate and ServerVariables, so a forged value
' is caught whether it arrives by GET or POST)
subjectVar = Request("subject")
mimeVar = Request("MIME-Version")
toVar = Request("to")
fromVar = Request("from")
bccVar = Request("bcc")
' GET HTTP_REFERER
HTTP_REFERER = Request.ServerVariables("HTTP_REFERER")
' CHECK FAKE FORM FIELDS - any non-blank value means a spam script
' is trying to supply its own mail headers
If subjectVar <> "" Or mimeVar <> "" Or toVar <> "" Or fromVar <> "" Or _
   bccVar <> "" Then
    legit = "False"
End If
' CHECK HTTP_REFERER - reject if missing, null or implausibly short
If IsNull(HTTP_REFERER) Then
    legit = "False"
ElseIf HTTP_REFERER = "" Or Len(HTTP_REFERER) < 3 Then
    legit = "False"
End If
' IS LEGIT NOW FALSE? IF SO, REDIRECT (nothing is mailed)
If legit = "False" Then
    Response.Redirect "http://0.0.0.0"
End If
---------- end script ----------
It just checks for the typical "forged" fields -- we don't use those
email-related fields in any of our forms (because we hard-code the TO, FROM,
and BCC addresses when we instantiate the SMTP objects themselves), so if we
see a form variable passed that is a "bcc" or "cc" or whatever and it's NOT
BLANK, we reject the form.
We considered the session variable idea, and it is certainly a good one, but
too time-consuming to implement when considering the dozens of client forms
that we host.
- Chris
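The same gate as an added example in Python, not code from Chris's post or from the MIMEDefang project. It re-implements the honeypot-field and Referer checks from the ASP script above, adds the session-token comparison Matthew suggested earlier in the thread, and adds one check the thread does not mention: rejecting CR/LF in any value that ends up in a mail header, which is how a spam script appends its own "Bcc:" lines. The form field names (name, email, message, form_token), the allowed host www.example.com and the sample submissions are all constructed for the example.

```python
"""Server-side gate for a formmail-style handler (added example)."""
import hmac
import secrets
from typing import Iterable, List, Mapping, Optional
from urllib.parse import urlsplit

# Fields a legitimate form never sends (mirrors the ASP script's list, plus "cc").
# Any non-blank value means a spam script is trying to supply mail headers.
HONEYPOT_FIELDS = ("subject", "MIME-Version", "to", "from", "bcc", "cc")

# Hypothetical form fields whose values are copied into mail headers.
# A line break here lets the sender append arbitrary extra headers.
HEADER_BOUND_FIELDS = ("name", "email")

# Hypothetical host that the contact form is served from.
ALLOWED_HOSTS = ("www.example.com",)


def issue_token() -> str:
    """Token stored in the session at page load and echoed in a hidden input."""
    return secrets.token_urlsafe(32)


def referer_ok(referer: Optional[str], allowed_hosts: Iterable[str]) -> bool:
    """Referer must be present and name one of our hosts.

    As the thread notes, a script posting straight to port 80 can forge
    this header, so it only filters lazy bots; the token check is the
    real gate.
    """
    if not referer or len(referer) < 3:
        return False
    host = urlsplit(referer).hostname
    return host is not None and host.lower() in {h.lower() for h in allowed_hosts}


def check_submission(form: Mapping[str, str], referer: Optional[str],
                     session_token: Optional[str],
                     allowed_hosts: Iterable[str] = ALLOWED_HOSTS) -> List[str]:
    """Return the reasons a submission is rejected; an empty list means legit."""
    reasons: List[str] = []

    # 1. Forged header fields (the ASP script's check).
    for field in HONEYPOT_FIELDS:
        if form.get(field, "").strip():
            reasons.append(f"forged header field present: {field}")

    # 2. CR/LF in header-bound values (header injection). Body fields such
    #    as "message" may legitimately contain newlines and are not checked.
    for field in HEADER_BOUND_FIELDS:
        value = form.get(field, "")
        if "\r" in value or "\n" in value:
            reasons.append(f"line break in header-bound field: {field}")

    # 3. Referer sanity check.
    if not referer_ok(referer, allowed_hosts):
        reasons.append("missing or foreign Referer")

    # 4. Hidden-input token must match the one stored in the session.
    submitted = form.get("form_token", "")
    if not session_token or not hmac.compare_digest(
            submitted.encode("utf-8"), session_token.encode("utf-8")):
        reasons.append("session token mismatch")

    return reasons


def demo() -> dict:
    """Run the gate over constructed submissions; returns the verdicts."""
    token = issue_token()
    page = "http://www.example.com/contact.html"
    legit = {"name": "Jane Doe", "email": "jane@example.org",
             "message": "Hello,\nsecond line is fine in the body.",
             "form_token": token}
    forged_fields = dict(legit, bcc="a@example.net, b@example.net",
                         **{"MIME-Version": "1.0"})
    injected = dict(legit, email="jane@example.org\r\nBcc: victim@example.net")
    blind_post = dict(legit, form_token="guess")
    return {
        "legit": check_submission(legit, page, token),
        "forged_fields": check_submission(forged_fields, page, token),
        "injected": check_submission(injected, page, token),
        "blind_post": check_submission(blind_post, "http://evil.example/", token),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'accepted' if not verdict else verdict}")
```

Only the token check actually binds the submission to a page the browser loaded from us; the honeypot and Referer checks are cheap filters in front of it, and the CR/LF check is what stops the "bcc" smuggling even if a script ever guesses the token.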