[Mimedefang] OT: Email web form exploits

Chris Gauch cgauch at digicon.net
Fri Sep 9 13:22:21 EDT 2005


Matthew.van.Eerde wrote:
> 
> Kelson wrote:
> > James Ebright wrote:
> >> Check the URI referrer and only allow the web form to be hit FROM
> >> the URLS that it should be linked to otherwise simply return an
> >> error similar to unauthorized access attempt....
> >
> > Not sufficient.  These are being done using direct hits to port 80,
> > not actual web browsers, so the attacking script can set whatever
> > referrer it wants.
> >
> > I already had referer checks on all the forms that I saw get hit by
> > these probes.
> 
> Set a session variable on the page load and place it in a hidden input.
> On the form action, compare the session variable to the received input.
> If they match, fine.  If not, something's up.
>
> What to do about session timeouts, though... hmm...  Maybe a 1x1 iframe
> with an HTTP Refresh header could keep the session alive so long as the
> browser is on the page...
> 
> If all else fails there's always CAPTCHA.
> 

Our solution (ASP version, implemented by one of our application
developers) is sort of a cheap way out, but it has worked for us.  I'll
paste the code, which could be easily translated to Perl, etc...

----------------
SIMPLE SCRIPT TO BLOCK SPAMMING OF FORMMAIL SCRIPTS

'INIT LEGIT VAR USED TO REDIRECT
dim legit
legit = "True"

'NOT PASSED FROM FORM - CHECK FOR SPAMMING
'WARNING - THESE FIELDS *MUST* NOT EXIST IN THE ACTUAL FORM!!!!
'(Request() returns "" for a field that was not submitted)
subjectVar = Request("subject")
mimeVar = Request("MIME-Version")
toVar = Request("to")
fromVar = Request("from")
bccVar = Request("bcc")

'GET HTTP_REFERER
HTTP_REFERER = Request.ServerVariables("HTTP_REFERER")

'CHECK FAKE FORM FIELDS - ANY NON-BLANK VALUE MEANS A FORGED POST
'(the trailing underscore is the VBScript line-continuation character)
if subjectVar <> "" or mimeVar <> "" or toVar <> "" or fromVar <> "" or _
   bccVar <> "" then
 legit = "False"
end if

'CHECK HTTP_REFERER - REJECT IF NULL, EMPTY OR ABSURDLY SHORT
if isNull(HTTP_REFERER) or HTTP_REFERER = "" or len(HTTP_REFERER) < 3 then
 legit = "False"
end if

'IS LEGIT NOW FALSE? IF SO, REDIRECT
if legit = "False" then
    response.redirect ("http://0.0.0.0")
end if

---------- end script ----------

It just checks for the typical "forged" fields -- we don't use those
email-related fields in any of our forms (because we hard-code the TO, FROM,
and BCC addresses when we instantiate the SMTP objects themselves), so if we
see a form variable passed that is a "bcc" or "cc" or whatever and it's NOT
BLANK, we reject the form.  

We considered the session variable idea, and it is certainly a good one, but
too time-consuming to implement when considering the dozens of client forms
that we host.

- Chris
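The honeypot-field and referer checks from Chris's script, combined with the session-token idea from Matthew's reply, as an added Python example (not code from the thread or from MIMEDefang). The field list, the `session_token` hidden-input name and the sample submissions are assumptions constructed for the example.

```python
import hmac
import secrets

# Fake form fields that must not exist in the real form (assumed list): any
# non-empty value means a script is trying to smuggle mail headers through.
HONEYPOT_FIELDS = ("subject", "MIME-Version", "to", "from", "bcc", "cc")


def new_session_token() -> str:
    """Token stored in the session at page load and echoed in a hidden input."""
    return secrets.token_hex(16)


def check_submission(form, headers, session_token):
    """Return the reasons a POST looks forged; an empty list means legit.

    form: dict of submitted field name -> value
    headers: dict of request headers (only Referer is consulted)
    session_token: value stored server-side at page load, or None if expired
    """
    reasons = []
    # 1. Honeypot fields: match names case-insensitively, like ASP's Request().
    lowered = {k.lower(): v for k, v in form.items()}
    for name in HONEYPOT_FIELDS:
        if lowered.get(name.lower(), "").strip():
            reasons.append(f"forged field {name!r} is not blank")
    # 2. Referer present? A script can forge it, so this only catches lazy ones.
    referer = headers.get("Referer") or ""
    if len(referer) < 3:
        reasons.append("missing or bogus Referer")
    # 3. Hidden-input token must match the one stored in the session.
    supplied = form.get("session_token", "")
    if session_token is None:
        reasons.append("session expired; no token to compare")
    elif not hmac.compare_digest(supplied, session_token):
        reasons.append("hidden session token does not match")
    return reasons


# Constructed sample submissions (not real traffic).
LEGIT_POST = {"name": "Ann", "message": "hello", "session_token": "tok1"}
FORGED_POST = {"name": "x", "bcc": "victim@example.test",
               "MIME-Version": "1.0", "session_token": "guess"}

if __name__ == "__main__":
    print(check_submission(LEGIT_POST,
                           {"Referer": "https://example.test/contact.html"},
                           "tok1"))   # []
    print(check_submission(FORGED_POST, {}, "tok1"))   # four reasons
```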