taint.org: Justin Mason’s Weblog

Apparently, spammers are now exploiting a hole, or holes, in multiple PHP scripts which use the mail() API.

The holes are described at the SecurePHP wiki; basically, the script author inserts CGI fields directly into a message template without stripping newlines, and this allows attackers to create new headers, take over the message body, and generally take over the mail message and destinations entirely.

Funnily enough, these are the same holes Ronald F. Guilmette and I found in FormMail 1.9, and described in our Jan 2002 advisory Anonymous Mail Forwarding Vulnerabilities in FormMail 1.9 (PDF) on page 10, Exploitation of email and realname CGI Parameters. Ah, plus ca change…

Worth noting that perl’s venerable taint checking would have spotted these, if it were used.

Tags: email, exploits, formmail, php, security, smtp, vulnerabilities

Myself and Ronald F. Guilmette co-wrote an advisory on vulnerabilities in FormMail. Here it is, archived from RFG’s bugtraq posting:

Anonymous Mail Forwarding Vulnerabilities in FormMail 1.9

By manipulating inputs to the FormMail CGI script, remote users may abuse the functionality provided by FormMail to cause the local mail server on the same (web) server system to send arbi- trary e-mail messages to arbitrary e-mail destination addresses. Such e-mail messages may contain real or forged sender e-mail addresses (in the From: headers) entirely of the attacker’s choosing. In some cases, the envelope sender addresses of such messages may also be set to arbitrary values by the attacker.

I helped with a few cases where FormMail is vulnerable here, namely the injection of newlines attack.

When this came out, I was in Australia, packing in preparation for a month-long camping trip around Victoria ;) The Lake Catani campsite at Mount Buffalo was amazing. (whoa, compare that page with this e-commerce monstrosity — urgh)

Tags: advisory, anonymous, attacker, bugtraq, formmail, mail, myself, rfg, sender, server

looks like some spammer has read the FormMail advisory I co-wrote with Ronald F. Guilmette; expect to see more spam where the spam message appears before the “Below are the results of your feedback form” line.

Of course, SpamAssassin catches this anyway. ;)

Tags: below, course, feedback, form, formmail, line, message, spam, spamassassin, spammer