Jackie said:
I have a client that has been receiving garbled feedback
from a FP form on their site. It seems to be a constant
only with AOL browser users. An example of the feedback
is below.
Anyone else having issues with this? And if so, did you
find a solution?
Many thanks!
Sample:
Name:
[email protected]
To:
[email protected]
From:
[email protected]
Subject: 62W8hpe(04ECCD8B,Name)X
Xt3NxkZddJrM
.
This is a malicious probe of a contact form. The perpetrator is a
spammer who is trying to determine whether or not the CGI script
can be used to relay spam email.
The address
[email protected] is a dropbox and the subject line is a
code which identifies the URL which is being tested.
The probe will succeed if the CGI script unwisely trusts the input
data supplied by the user, specifically the string which purports to
be the user's email address, and uses that string verbatim as part
of the headers of an email.
The "email address" string contains several lines, separated by
URL-encoded newline characters, which are valid email header lines.
Thus if the script writes "From: " followed by the string, the email
headers will actually include the lines
From:
[email protected]
To:
[email protected]
From:
[email protected]
Subject: 62W8hpe(04ECCD8B,Name)X
Note the "To:" line, which will deliver the message to the perpetrator's
dropbox in addition to any legitimate addresses specified elsewhere in the
CGI script.
This type of probe is targeted mainly at formmail-like CGI scripts on
Unix systems. I speak from personal experience, having seen this kind
of attack on my own web site. Indeed,
[email protected] probed my web
site only hours ago.
If your client is using the form as the front end to a feedback
script which sends emails, you should review the security of the script
immediately.
David Harper
Cambridge, England
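A worked illustration of the header-injection mechanism David describes, added here and not part of either post: a constructed probe body (placeholder addresses under example.invalid, the subject code taken from the sample above) is decoded the way a CGI script would decode it, fed to a naive header builder that reproduces the fault, and then checked by the CR/LF rejection that a hardened script should apply before any field reaches a mail header.

```python
import re
from urllib.parse import parse_qs

# Constructed probe modelled on the thread's sample: the "email" field carries
# URL-encoded newlines (%0A) that smuggle extra header lines. Addresses are
# placeholders; the subject code is the one quoted in the thread.
PROBE_BODY = (
    "name=probe%40example.invalid"
    "&email=probe%40example.invalid%0ATo%3A+dropbox%40example.invalid"
    "%0AFrom%3A+probe%40example.invalid%0ASubject%3A+62W8hpe%2804ECCD8B%2CName%29X"
    "&comment=Xt3NxkZddJrM"
)

def decode_form(body: str) -> dict:
    """CGI-style decoding: after this step the %0A sequences are real newlines."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def build_headers_unsafe(form: dict, site_to: str) -> str:
    """What a naive formmail-style script does: the submitted address is written
    verbatim after "From: ", so the smuggled lines become genuine headers."""
    return f"To: {site_to}\r\nFrom: {form['email']}\r\nSubject: feedback\r\n"

HEADER_LINE = re.compile(r"^([A-Za-z-]+):\s*(.*)$")

def recipients_of(headers: str) -> list:
    """Every To: value a mail transport would see in this header block."""
    found = []
    for line in headers.splitlines():
        m = HEADER_LINE.match(line)
        if m and m.group(1).lower() == "to":
            found.append(m.group(2))
    return found

def is_safe_header_value(value: str) -> bool:
    """A single header value must never contain CR, LF or NUL."""
    return re.search(r"[\r\n\x00]", value) is None

def unsafe_fields(form: dict) -> list:
    """Names of header-bound fields that fail the check (empty list = clean)."""
    return [f for f in ("email", "name") if not is_safe_header_value(form.get(f, ""))]

def build_headers_safe(form: dict, site_to: str) -> str:
    """Hardened builder: refuse the whole submission if any field would split a header."""
    bad = unsafe_fields(form)
    if bad:
        raise ValueError(f"line break in form field(s) {bad}: probable header injection")
    return f"To: {site_to}\r\nFrom: {form['email']}\r\nSubject: feedback\r\n"
```

Running `recipients_of(build_headers_unsafe(decode_form(PROBE_BODY), "owner@example.invalid"))` shows the dropbox address appearing as a second recipient, which is exactly what the probe is testing for; `unsafe_fields` on the same form names the offending field.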