Question about abuse of a CGI script

on 05.02.2006 18:03:21 by Martin Kissner

hello together,

I had a CGI script on my mother's website to send email from an HTML form
(method post) for about two years.

The script was quite simple and had no checking of the user input
implemented.
When I wrote the script two years ago, I didn't even know that this is
necessary.
I used Mail::Mailer to send the input from the form in a nicely formatted
html email to my mother's email address.

Now the script was abused by a spammer who sent at least 6000 (probably
far more) spam emails.

I found *perldoc -q "How do I make sure"* which will enable me to secure
my script, but I also have another question:

How can I receive the exact input of the spammer to my form as email
without giving him the chance to abuse my script? I want to understand
what he did and how it worked.

Any information will be appreciated.
Thanks in advance

Best regards
Martin


--
perl -e '$S=[[73,116,114,115,31,96],[108,109,114,102,99,112],
[29,77,98,111,105,29],[100,93,95,103,97,110]];
for(0..3){for$s(0..5){print(chr($S->[$_]->[$s]+$_+1))}}'

Re: Question about abuse of a CGI script

on 05.02.2006 18:41:55 by Matt Garrish

"Martin Kissner" wrote in message
news:slrnducbup.rv9.news@maki.homeunix.net...
> hello together,
>
> I had a CGI script on my mother's website to send email from an HTML form
> (method post) for about two years.
>
> The script was quite simple and had no checking of the user input
> implemented.
> When I wrote the script two years ago, I didn't even know that this is
> necessary.

That's a scary statement to confess to... : )

>
> How can I receive the exact input of the spammer to my form as email
> without giving him the chance to abuse my script? I want to understand
> what he did and how it worked.
>

It would seem that if you have really secured your script, the person's
method would no longer work. Usually there is nothing special about what the
spammers do. They rely on you using cheap scripts like the ones you get
from Matt's archive, which they can then easily exploit because the source
code is free to look over and the bugs with it well known. Or they look for
obvious exploits like the ability to cc the email to someone and then flood
that field with email addresses.

I don't know how to answer your question except to say you should log every
request to that form with all the parameters submitted until the spammer
hits you again. I don't see how you can distinguish the spammer and allow
that person to run your script but not really execute it, which it sounds
like you want. You might also want to look into measures like captchas,
which will foil all but the most determined hackers.

Matt

Re: Question about abuse of a CGI script

on 05.02.2006 19:01:37 by Jake Peavy

Martin Kissner wrote:
> How can I receive the exact input of the spammer to my form as email
> without giving him the chance to abuse my script? I want to understand
> what he did and how it worked.

If you are using CGI.pm (as I hope you are) you could check out either
of the following sections of the module's docs:
- "SAVING THE STATE OF THE SCRIPT TO A FILE"
- "DUMPING OUT ALL THE NAME/VALUE PAIRS"

Combine this with MIME::Lite to send yourself a copy.

I don't know, however, how you will filter "spam" emails from "actual"
emails - this part is up to you... (Regexp::Common::spam = qr{viagra}?
:p)

-jp

Re: Question about abuse of a CGI script

on 05.02.2006 19:57:06 by Martin Kissner

DJ Stunks wrote :
> Martin Kissner wrote:
>> How can I receive the exact input of the spammer to my form as email
>> without giving him the chance to abuse my script? I want to understand
>> what he did and how it worked.
>
> If you are using CGI.pm (as I hope you are) you could check out either
> of the following sections of the module's docs:
> - "SAVING THE STATE OF THE SCRIPT TO A FILE"
> - "DUMPING OUT ALL THE NAME/VALUE PAIRS"

I didn't use CGI.pm and I have read that CGI.pm in many cases produces
much overhead.

> Combine this with MIME::Lite to send yourself a copy.
>
> I don't know, however, how you will filter "spam" emails from "actual"
> emails - this part is up to you... (Regexp::Common::spam = qr{viagra}?

The problem is not so much how to filter spam from real mail since I
have renamed the original form and put in some quick'n'dirty filters.
Now I want to set up a form with the original filename and process it in
a way which helps me to understand how the attack of the spammer works.

I will check the docs you posted to see if I will find anything I could
use.
Thanks and Best regards
Martin

--
perl -e '$S=[[73,116,114,115,31,96],[108,109,114,102,99,112],
[29,77,98,111,105,29],[100,93,95,103,97,110]];
for(0..3){for$s(0..5){print(chr($S->[$_]->[$s]+$_+1))}}'

Re: Question about abuse of a CGI script

on 05.02.2006 20:34:25 by Martin Kissner

Matt Garrish wrote :
>
> "Martin Kissner" wrote in message
> news:slrnducbup.rv9.news@maki.homeunix.net...
>> hello together,
>>
>> I had a CGI script on my mother's website to send email from an HTML form
>> (method post) for about two years.
>>
>> The script was quite simple and had no checking of the user input
>> implemented.
>> When I wrote the script two years ago, I didn't even know that this is
>> necessary.
>
> That's a scary statement to confess to... : )

Well, I am an autodidact and sometimes things must be learned the hard
way ;-)
>>
>> How can I receive the exact input of the spammer to my form as email
>> without giving him the chance to abuse my script? I want to understand
>> what he did and how it worked.
>>
>
> It would seem that if you have really secured your script, the person's
> method would no longer work.

Up to now I did not really secure the script but I have put in some
filters to prevent the person's method from working. I think this is
a large scale spammer since he sends mail to far more than 100,000
recipients.

> Usually there is nothing special about what the
> spammers do. They rely on you using cheap scripts like the one's you get
> from Matt's archive, ...

or mine *g*

> ... which they can then easily exploit because the source
> code is free to look over and the bugs with it well known. Or they look for
> obvious exploits like the ability to cc the email to someone and then flood
> that field with email addresses.

Yes, I think so.
Two days before the attack I realized 5 emails with strange looking
values in the form fields. I afterwards could extract a single Bcc
address which I suppose is controlled by the spammer and is used to
report exploitable mail forms.

> I don't know how to answer your question except to say you should log every
> request to that form with all the parameters submitted until the spammer
> hits you again. I don't see how you can distinguish the spammer and allow
> that person to run your script but not really execute it, which it sounds
> like you want. You might also want to look into measures like captchas,
> which will foil all but the most determined hackers.

Distinguishing the spammer at this point is no problem.
As soon as I rename my email form back and open the filters I
implemented, he hits me over and over again from different IP addresses.
I could collect tens of thousands of email addresses from his list because
they are listed in the first input field of my form.

I have already removed any variables from the part of my script which
sets the mailheaders but still he gets through.

What I want is to execute a script which enables me to analyse the
method the spammer uses in order to learn how this works - not because I
want to redo it, but I am interested.
If possible I would like to read the exact code (and other input) he
writes to the input fields of my form.

Best regards
Martin

--
perl -e '$S=[[73,116,114,115,31,96],[108,109,114,102,99,112],
[29,77,98,111,105,29],[100,93,95,103,97,110]];
for(0..3){for$s(0..5){print(chr($S->[$_]->[$s]+$_+1))}}'

Re: Question about abuse of a CGI script

on 05.02.2006 20:42:08 by jwkenne

Martin Kissner wrote:
> hello together,
>
> I had a CGI script on my mother's website to send email from an HTML form
> (method post) for about two years.
>
> The script was quite simple and had no checking of the user input
> implemented.
> When I wrote the script two years ago, I didn't even know that this is
> necessary.
> I used Mail::Mailer to send the input from the form in a nicely formatted
> html email to my mother's email address.
>
> Now the script was abused by a spammer who sent at least 6000 (probably
> far more) spam emails.

A device that has worked for me to foil robot spammers is simply to
leave the submit button out of the HTML and create it instead at onload
time, using JavaScript. It won't stop a human, but generally stymies robots.

--
John W. Kennedy
"But now is a new thing which is very old--
that the rich make themselves richer and not poorer,
which is the true Gospel, for the poor's sake."
-- Charles Williams. "Judgement at Chelmsford"

Re: Question about abuse of a CGI script

on 05.02.2006 20:44:33 by Gunnar Hjalmarsson

Martin Kissner wrote:
> What I want is to execute a script which enables me to analyse the
> method the spammer uses in order to learn how this works - not because I
> want to redo it, but I am interested.

If you post the (relevant part of the) script here, somebody will
probably be able to tell you what the problem is.

--
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl

Re: Question about abuse of a CGI script

on 05.02.2006 20:47:16 by 1usa

Martin Kissner wrote in
news:slrnducik2.s8a.news@maki.homeunix.net:

> DJ Stunks wrote :
>> Martin Kissner wrote:
>>> How can I receive the exact input of the spammer to my form as
>>> email without giving him the chance to abuse my script? I want to
>>> understand what he did and how it worked.
>>
>> If you are using CGI.pm (as I hope you are) you could check out
>> either of the following sections of the module's docs:
>> - "SAVING THE STATE OF THE SCRIPT TO A FILE"
>> - "DUMPING OUT ALL THE NAME/VALUE PAIRS"
>
> I didn't use CGI.pm and I have read that CGI.pm in many cases produces
> much overhead.

While CGI.pm is not going to automatically solve your problems,
the reason you give above for not using CGI.pm is plain stupid.
Who cares about CGI.pm overhead for an email script?

The question you have to ask yourself is why you want any odd visitor to
your web site to be able to send email to anyone at all even if it is
not large scale spamming.

Take a look at Gunnar Hjalmarsson's CGI::ContactForm:

http://search.cpan.org/~gunnar/CGI-ContactForm-1.30/lib/CGI/ContactForm.pm

Sinan
--
A. Sinan Unur <1usa@llenroc.ude.invalid>
(reverse each component and remove .invalid for email address)

comp.lang.perl.misc guidelines on the WWW:
http://mail.augustmail.com/~tadmc/clpmisc/clpmisc_guidelines.html

Re: Question about abuse of a CGI script

on 05.02.2006 21:17:43 by xhoster

Martin Kissner wrote:
> DJ Stunks wrote :
> > Martin Kissner wrote:
> >> How can I receive the exact input of the spammer to my form as email
> >> without giving him the chance to abuse my script? I want to
> >> understand what he did and how it worked.
> >
> > If you are using CGI.pm (as I hope you are) you could check out either
> > of the following sections of the module's docs:
> > - "SAVING THE STATE OF THE SCRIPT TO A FILE"
> > - "DUMPING OUT ALL THE NAME/VALUE PAIRS"
>
> I didn't use CGI.pm and I have read that CGI.pm in many cases produces
> much overhead.

How polite of you to avoid the use of CGI in order to avoid overhead. Now
the spammers can spam 3.7% faster!

Seriously, how many legitimate hits on your script do you expect to have
each minute? How much overhead will that contribute? Hmmm...

Xho

--
-------------------- http://NewsReader.Com/ --------------------
Usenet Newsgroup Service $9.95/Month 30GB

Re: Question about abuse of a CGI script

on 05.02.2006 21:37:35 by 1usa

"A. Sinan Unur" <1usa@llenroc.ude.invalid> wrote in
news:Xns97619683613C3asu1cornelledu@127.0.0.1:

> Take a look at Gunnar Hjalmarsson's CGI::ContactForm:
>
> http://search.cpan.org/~gunnar/CGI-ContactForm-1.30/lib/CGI/ContactForm.pm

Actually, I'll take that back ... It looks like CGI::ContactForm
automatically Bcc's the message to the email address entered by
the website visitor. It seems to me, that is a hole through which
spam can be sent to anyone.

Sinan

--
A. Sinan Unur <1usa@llenroc.ude.invalid>
(reverse each component and remove .invalid for email address)

comp.lang.perl.misc guidelines on the WWW:
http://mail.augustmail.com/~tadmc/clpmisc/clpmisc_guidelines.html

Re: Question about abuse of a CGI script

on 05.02.2006 22:27:11 by Martin Kissner

A. Sinan Unur wrote :
> Martin Kissner wrote in

>> I didn't use CGI.pm and I have read that CGI.pm in many cases produces
>> much overhead.

> While CGI.pm is not going to automatically solve your problems,
> the reason you give above for not using CGI.pm is plain stupid.
> Who cares about CGI.pm overhead for an email script?

Well, the 'and' was supposed to imply that the overhead was/is not the
reason for not using CGI.pm, it just encouraged me a little bit.
I am also conscious that my homemade modules probably have far more
overhead than CGI.pm ;-)

It might have been wrong not to use CGI.pm for this case, but I decided
not to use CGI.pm for several reasons. The website is presented in
several languages, uses databases and many templates (with
HTML::Template). Also I use CSS very much.

After I had read perldoc CGI I did not like the syntax
and felt like it might be not so easy to combine all the things I
mentioned above. (Maybe it is for an experienced Perl programmer, which I
am not.) To me it looked like the HTML/CSS is not well enough divided
from the perl code (for my needs).

> The question you have to ask yourself is why you want any odd visitor to
> your web site to be able to send email to anyone at all even if it is
> not large scale spamming.

No I don't think so, because I do not want this.
What I want is to understand how this attack worked and find my own way
to prevent this in the future.
There is a lot spoken about not reinventing the wheel, but sometimes
doing so (and making errors) is a good source of understanding and
learning. So please be patient ;-)

Thank you for your feedback and best regards
Martin

--
perl -e '$S=[[73,116,114,115,31,96],[108,109,114,102,99,112],
[29,77,98,111,105,29],[100,93,95,103,97,110]];
for(0..3){for$s(0..5){print(chr($S->[$_]->[$s]+$_+1))}}'

Re: Question about abuse of a CGI script

on 05.02.2006 22:45:42 by Gunnar Hjalmarsson

A. Sinan Unur wrote:
> A. Sinan Unur wrote:
>>Take a look at Gunnar Hjalmarsson's CGI::ContactForm:
>>
>>http://search.cpan.org/~gunnar/CGI-ContactForm-1.30/lib/CGI/ContactForm.pm
>
> Actually, I'll take that back ... It looks like CGI::ContactForm
> automatically Bcc's the message to the email address entered by
> the website visitor. It seems to me, that is a hole through which
> spam can be sent to anyone.

Well, yes, if you choose to look at it that way. I consider it to be a
feature, serving two purposes:

1. The sender receives a copy of the message s/he sent.

2. If the stated address turns out to be invalid, the form owner
receives the resulting return message, letting him/her know that there
is no point in replying.

The script only allows one submitted email address, so if a spammer
would abuse it, the form owner would receive a copy of each spam
message. It should also be noted that those copies include
X-Originating-IP headers, letting you deny access to the script from
those IP addresses.

Needless to say, I have been using a few CGI::ContactForm generated
forms myself for quite a while, and the kind of abuse you are warning
for simply does not happen.

Yes, spammers must be taken into account when designing mail apps, but I
refuse to be scared to such an extent that the spammers effectively
dictate every aspect of my design.

--
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl

Re: Question about abuse of a CGI script

on 05.02.2006 23:12:34 by 1usa

Martin Kissner wrote in
news:slrnducrdf.s8a.news@maki.homeunix.net:

> A. Sinan Unur wrote :
>> Martin Kissner wrote in
>
>>> I didn't use CGI.pm and I have read that CGI.pm in many cases
>>> produces much overhead.
>
>> While CGI.pm is not going to automatically solve your problems,
>> the reason you give above for not using CGI.pm is plain stupid.
>> Who cares about CGI.pm overhead for an email script?
>
> Well, the 'and' was supposed to imply that the overhead was/is not the
> reason for not using CGI.pm, it just encouraged me a little bit.
> I am also conscious that my homemade modules probably have far more
> overhead than CGI.pm ;-)
>
> It might have been wrong not to use CGI.pm for this case, but I
> decided not to use CGI.pm for several reasons. The website is
> presented in several languages, uses databases and many templates
> (with HTML::Template). Also I use CSS very much.
>
> After I had read perldoc CGI I did not like the syntax
> and felt like it might be not so easy to combine all the things I
> mentioned above. (Maybe it is for an experienced Perl programmer,
> which I am not.) To me it looked like the HTML/CSS is not well enough
> divided from the perl code (for my needs).

You do not have to use the HTML generation methods of CGI.pm to benefit
from it. In fact, I almost never do.

If the fact that the HTML generation methods are there when you use
CGI.pm bothers you, then you could switch to CGI::Minimal:

http://search.cpan.org/~snowhare/CGI-Minimal-1.24/lib/CGI/Minimal.pod

>> The question you have to ask yourself is why you want any odd visitor
>> to your web site to be able to send email to anyone at all even if it
>> is not large scale spamming.
>
> No I don't think so, because I do not want this.

Then set up the script to only to send to one person.

> What I want is to understand how this attack worked and find my own
> way to prevent this in the future.

One way would be for you to post your code here so we can explain what
is going on.

Another option is to log every request.

> So please be patient ;-)

Have you seen the posting guidelines? Especially the part about posting
code?

Sinan

--
A. Sinan Unur <1usa@llenroc.ude.invalid>
(reverse each component and remove .invalid for email address)

comp.lang.perl.misc guidelines on the WWW:
http://mail.augustmail.com/~tadmc/clpmisc/clpmisc_guidelines.html

Re: Question about abuse of a CGI script

on 05.02.2006 23:24:25 by Martin Kissner

Gunnar Hjalmarsson wrote :
> Martin Kissner wrote:
>> What I want is to execute a script which enables me to analyse the
>> method the spammer uses in order to learn how this works - not because I
>> want to redo it, but I am interested.
>
> If you post the (relevant part of the) script here, somebody will
> probably be able to tell you what the problem is.

Yes, absolutely.
I did not do so in the first place for two reasons.

1. I am not really sure which part is relevant.
2. It took me some time to simplify the script and remove several
conditions etc.


I hoped someone might be able to point me to the right direction without
seeing code.

Now here comes the code.
And, yes, I already know that it was bad to process the user input
unchecked.
Thanks for looking at the code, I hope I have provided appropriate
information.

Best regards
Martin

--- code ---

my %userinput;
sub process {
    %userinput = parse_input($_[1]);
    generate_output() if send_mail();
}

sub send_mail {
    use Mail::Mailer;
    my $mailer = Mail::Mailer->new;
    $mailer->open ({
        To => 'mail@thedomain.tld',
        # The spammers script still worked after I had replaced the variables
        # with fixed values
        From => "$userinput{name} <$userinput{from}>",
        'Content-Type' => 'text/html',
        Subject => "My Subject",
    });
    print $mailer <<"END";
...

$userinput{name}

$userinput{otherfield}
...
END
    $mailer->close;
}

sub parse_input {
    # I hope I did not mess this up when I simplified it
    my $input = shift;
    my %cgihash;

    my @pairs = split(/&/, $input);
    foreach my $data (@pairs) {
        $data =~ s/\+/ /go;
        my ($key, $value) = split(/=/, $data);
        $key   =~ s/\%(..)/pack("c",hex($1))/ge;
        $value =~ s/\%(..)/pack("c",hex($1))/ge;
        $cgihash{$key} = $value;
    }
    return %cgihash;
}

--- code ---

--
perl -e '$S=[[73,116,114,115,31,96],[108,109,114,102,99,112],
[29,77,98,111,105,29],[100,93,95,103,97,110]];
for(0..3){for$s(0..5){print(chr($S->[$_]->[$s]+$_+1))}}'

Re: Question about abuse of a CGI script

on 05.02.2006 23:28:17 by 1usa

Gunnar Hjalmarsson wrote in
news:44n9ttF2n4quU1@individual.net:

> A. Sinan Unur wrote:
>> A. Sinan Unur wrote:
>>>Take a look at Gunnar Hjalmarsson's CGI::ContactForm:
>>>
>>>http://search.cpan.org/~gunnar/CGI-ContactForm-1.30/lib/CGI/ContactForm.pm
>>
>> Actually, I'll take that back ... It looks like CGI::ContactForm
>> automatically Bcc's the message to the email address entered by
>> the website visitor. It seems to me, that is a hole through which
>> spam can be sent to anyone.
>
> Well, yes, if you choose to look at it that way. I consider it to be a
> feature, serving two purposes:
>
> 1. The sender receives a copy of the message s/he sent.
>
> 2. If the stated address turns out to be invalid, the form owner
> receives the resulting return message, letting him/her know that there
> is no point in replying.
>
> The script only allows one submitted email address, so if a spammer
> would abuse it, the form owner would receive a copy of each spam
> message. It should also be noted that those copies include
> X-Originating-IP headers, letting you deny access to the script from
> those IP addresses.
>
> Needless to say, I have been using a few CGI::ContactForm generated
> forms myself for quite a while, and the kind of abuse you are warning
> for simply does not happen.

My retraction was made given that the OP has already been identified by
some spammer as a target.

Clearly, the features you are referring to would enable the early
diagnosis of the problem, and tracking of the spammer. Although, in case
anyone decides to abuse the form, I would not want to wake up to a few
thousand extra spam messages in my mailbox.

I also have some personal experience with some IT people just not
thinking this can ever be a serious problem, and then shutting down
servers just to cover up their mistakes. I probably should not go into
more detail here.

> Yes, spammers must be taken into account when designing mail apps, but
> I refuse to be scared to such an extent that the spammers effectively
> dictate every aspect of my design.

IMHO, a fundamental aspect of that design ought to preclude relaying
spam for third parties.

If people really want to keep a copy of their messages to you, you can
give them your email address, and use a spam filter. Or, show them a
copy of the message that was sent.

Sinan

--
A. Sinan Unur <1usa@llenroc.ude.invalid>
(reverse each component and remove .invalid for email address)

comp.lang.perl.misc guidelines on the WWW:
http://mail.augustmail.com/~tadmc/clpmisc/clpmisc_guidelines.html

Re: Question about abuse of a CGI script

on 05.02.2006 23:34:40 by 1usa

Martin Kissner wrote in
news:slrnducuop.s8a.news@maki.homeunix.net:

> Gunnar Hjalmarsson wrote :
>> Martin Kissner wrote:
>>> What I want is to execute a script which enables me to analyse the
>>> method the spammer uses in order to learn how this works - not
>>> because I want to redo it, but I am interested.
>>
>> If you post the (relevant part of the) script here, somebody will
>> probably be able to tell you what the problem is.
>
> Yes, absolutely.
> I did not do so in the first place for two reasons.
>
> 1. I am not really sure which part is relevant.
> 2. It took me some time to simplify the script and remove several
> conditions etc.

Have you seen the posting guidelines? Especially the part about posting
code?

> I hoped someone might be able to point me to the right direction
> without seeing code.

How? Are we mindreaders?

use strict;
use warnings;

missing (oh, and don't tell me you did not include those because someone
told you they would slow your script down).

> my %userinput;
> sub process {
> %userinput = parse_input($_[1]);
> generate_output() if send_mail();
> }
>
> sub send_mail {
> use Mail::Mailer;
> my $mailer = Mail::Mailer->new;
> $mailer->open ({
> To => 'mail@thedomain.tld',
> # The spammers script still worked after I had replaced the variables
> # with fixed values
> From => "$userinput{name} <$userinput{from}>",

So, what happens if $userinput{name} contains:

aaa@example.com,\naab@example.com,\naac@example.com ...

> 'Content-Type' => 'text/html',
> Subject => "My Subject",
> });
> print $mailer <<"END"
> ...
>
> $userinput{name}
>
> $userinput{otherfield}
> ...

I thought you used templates and such.

> END
> $mailer->close;
> }
>
> sub parse_input {
> # I hope I did not mess this up when I simplified it
> my $input = shift;
> my %cgihash;
>
> my @pairs =split(/&/,$input);
> foreach my $data (@pairs) {
> $data =~ s/\+/ /go;

Why the 'o' switch?


> ($key, $value) = split(/=/,$data);
> $key =~ s/\%(..)/pack("c",hex($1))/ge;
> $value =~ s/\%(..)/pack("c",hex($1))/ge;
> $cgihash{$key} = $value;
> }
> return %cgihash;

No comment.

Sinan
--
A. Sinan Unur <1usa@llenroc.ude.invalid>
(reverse each component and remove .invalid for email address)

comp.lang.perl.misc guidelines on the WWW:
http://mail.augustmail.com/~tadmc/clpmisc/clpmisc_guidelines.html

Re: Question about abuse of a CGI script

on 05.02.2006 23:38:26 by Martin Kissner

Gunnar Hjalmarsson wrote :
> A. Sinan Unur wrote:
>> A. Sinan Unur wrote:
>>>Take a look at Gunnar Hjalmarsson's CGI::ContactForm:
>>>
>>>http://search.cpan.org/~gunnar/CGI-ContactForm-1.30/lib/CGI/ContactForm.pm
>>
>> Actually, I'll take that back ... It looks like CGI::ContactForm
>> automatically Bcc's the message to the email address entered by
>> the website visitor. It seems to me, that is a hole through which
>> spam can be sent to anyone.
>
> Well, yes, if you choose to look at it that way. I consider it to be a
> feature, serving two purposes:
>
> 1. The sender receives a copy of the message s/he sent.
>
> 2. If the stated address turns out to be invalid, the form owner
> receives the resulting return message, letting him/her know that there
> is no point in replying.

This is what happened to my mother, only that it was not one invalid
address but over 6000 within a few hours.
Needless to say that she was close to a heart attack :-)
I had to delete all of these "Mail delivery failed" over a VNC
connection to her computer.
*(To avoid misunderstanding: I have not used Gunnar Hjalmarsson's module)*

> Yes, spammers must be taken into account when designing mail apps, but I
> refuse to be scared to such an extent that the spammers effectively
> dictate every aspect of my design.

Thank you very much for writing this. Although I am on a totally
different level than you are, this encourages me to go on searching my
own way of doing things. ;-)

Best regards
Martin

btw: I really appreciate the feedback of the regulars and other
experienced Perl programmers.
This group has been helpful to me many times in the past.

--
perl -e '$S=[[73,116,114,115,31,96],[108,109,114,102,99,112],
[29,77,98,111,105,29],[100,93,95,103,97,110]];
for(0..3){for$s(0..5){print(chr($S->[$_]->[$s]+$_+1))}}'

Re: Question about abuse of a CGI script

on 05.02.2006 23:50:39 by Gunnar Hjalmarsson

Martin Kissner wrote:
>
> $mailer->open ({
> To => 'mail@thedomain.tld',
> # The spammers script still worked after I had replaced the variables
> # with fixed values
> From => "$userinput{name} <$userinput{from}>",

What would happen if $userinput{name} consists of the string that this
expression results in:

qq|faked\@example.com\nCc: victim1\@example.com, victim2\@example.com,|

?

--
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl
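Sinan's and Gunnar's questions above both point at the same defect: a newline inside a value that is copied into a mail header lets the submitter append headers of their own. The following is an added example, written for this thread (not Martin's code, not part of Mail::Mailer or CGI::ContactForm), of the send path hardened the way several replies suggest: From: is a fixed site address, the visitor's address must be exactly one plain address, any header value containing a line break is refused, and refused submissions are appended to a log so they can be studied without ever reaching the mailer. The log path, the fixed sender address, the 80-character name limit and the address pattern are assumptions; the sample bodies are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(:flock);

# A mail header value must be a single line. CR or LF inside it lets the
# sender append headers of their own (Cc:, Bcc:, ...), which is what the
# thread describes. Returns true when the value can go into a header.
sub header_value_is_safe {
    my ($value) = @_;
    return 0 unless defined $value;
    return 0 if $value =~ /[\x00-\x1f\x7f]/;   # CR, LF and other control chars
    return 1;
}

# Conservative check for exactly one plain local@domain address
# (assumption: the form only ever needs a single sender address).
sub looks_like_single_address {
    my ($addr) = @_;
    return 0 unless header_value_is_safe($addr);
    return $addr =~ /\A[A-Za-z0-9._%+-]+\@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/ ? 1 : 0;
}

# Decode an application/x-www-form-urlencoded body into a hash. Same job
# as the thread's parse_input, with lexical variables, a split limit so a
# value may contain '=', and pack "C" so bytes above 0x7f do not warn.
sub parse_form {
    my ($body) = @_;
    my %form;
    for my $pair (split /&/, $body) {
        my ($key, $value) = split /=/, $pair, 2;
        next unless defined $key;
        $value = '' unless defined $value;
        for ($key, $value) {
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/pack("C", hex($1))/ge;
        }
        $form{$key} = $value;
    }
    return %form;
}

# Record a refused submission for later study. Nothing from it reaches
# the mailer. $ENV{REMOTE_ADDR} is set by the web server under CGI; the
# log path is an assumption.
sub log_rejected {
    my ($reason, $body) = @_;
    open my $fh, '>>', '/var/log/contactform-rejected.log' or return 0;
    flock $fh, LOCK_EX;
    print $fh scalar(localtime), ' ', ($ENV{REMOTE_ADDR} || '-'),
              " reason=$reason body=$body\n";
    close $fh;
    return 1;
}

# Build the headers for Mail::Mailer->open, or return undef when the
# input must be refused. From: is a fixed site address (assumption); the
# visitor's name and address are only used in Reply-To after validation.
sub build_headers {
    my ($form) = @_;
    return undef unless looks_like_single_address($form->{from});
    return undef unless header_value_is_safe($form->{name})
                     && length($form->{name}) <= 80;
    return {
        To         => 'mail@thedomain.tld',      # address used in the thread
        From       => 'webform@thedomain.tld',   # assumption: fixed site sender
        'Reply-To' => "$form->{name} <$form->{from}>",
        Subject    => 'My Subject',
    };
}

# Constructed sample bodies, not captured requests. The second one carries
# the kind of value Sinan and Gunnar asked about: an LF followed by "Cc:".
for my $body (
    'name=Alice&from=alice%40example.com&otherfield=hello',
    'name=faked%40example.com%0ACc%3A+victim%40example.com&from=a%40example.com',
) {
    my %form    = parse_form($body);
    my $headers = build_headers(\%form);
    if ($headers) {
        print "accepted, Reply-To: $headers->{'Reply-To'}\n";
    } else {
        log_rejected('unsafe header value', $body);
        print "refused: $body\n";
    }
}
```

The first body is accepted and the second is refused and logged; because From: never comes from the form, even a value that slipped past the checks could only alter Reply-To.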

Re: Question about abuse of a CGI script

on 06.02.2006 00:09:02 by Gunnar Hjalmarsson

A. Sinan Unur wrote:
>>Needless to say, I have been using a few CGI::ContactForm generated
>>forms myself for quite a while, and the kind of abuse you are warning
>>for simply does not happen.
>
> My retraction was made given that the OP has already been identified by
> some spammer as a target.

I was talking about CGI::ContactForm, which only allows one submitted
address. The OP's script allows for just about anything, including
linefeed characters in the message header fields.

> Clearly, the features you are referring to would enable the early
> diagnosis of the problem, and tracking of the spammer. Although, in case
> anyone decides to abuse the form, I would not want to wake up to a few
> thousand extra spam messages in my mailbox.

Neither would I, and again, it has never happened to me, and nobody else
has reported anything like it.

> If people really want to keep a copy of their messages to you, you can
> give them your email address, and use a spam filter.

You must be joking. ;-)

> Or, show them a copy of the message that was sent.

Sure, that would be an alternative.

--
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl

Re: Question about abuse of a CGI script

on 06.02.2006 01:19:48 by Martin Kissner

A. Sinan Unur wrote :
> Martin Kissner wrote in
> news:slrnducuop.s8a.news@maki.homeunix.net:
>
>> Gunnar Hjalmarsson wrote :
>>> Martin Kissner wrote:
>>>> What I want is to execute a script which enables me to analyse the
>>>> method the spammer uses in order to learn how this works - not
>>>> because I want to redo it, but I am interested.
>>>
>>> If you post the (relevant part of the) script here, somebody will
>>> probably be able to tell you what the problem is.
>>
>> Yes, absolutely.
>> I did not do so in the first place for two reasons.
>>
>> 1. I am not really sure which part is relevant.
>> 2. It took me some time to simplify the script and remove several
>> conditions etc.
>
> Have you seen the posting guidelines? Especially the part about posting
> code?

Yes, I guess you are talking about the part which suggests to post a
small but working script which can be copied and pasted and which
demonstrates the problem.
Sorry, but I was not able to provide such a script because the relevant
code is included in a selfmade module which I have admittedly designed
not optimally. It was my first somewhat larger module to write.

>> I hoped someone might be able to point me to the right direction
>> without seeing code.
>
> How? Are we mindreaders?

No, but I thought if I'd admit that I processed unchecked user input from
the form maybe someone could point out some examples how this input can
make my script do bad things (like execute external code).

> use strict;
> use warnings;
>
> missing (oh, and don't tell me you did not include those because someone
> told you they would slow your script down).

No, I won't.
Actually I use these two always. I forgot to mention this. Sorry.
In fact I have learned this from this group and have read you pointing
it out many many times.

>> my %userinput;
>> sub process {
>> %userinput = parse_input($_[1]);
>> generate_output() if send_mail();
>> }
>>
>> sub send_mail {
>> use Mail::Mailer;
>> my $mailer = Mail::Mailer->new;
>> $mailer->open ({
>> To => 'mail@thedomain.tld',
>> # The spammers script still worked after I had replaced the variables
>> # with fixed values
>> From => "$userinput{name} <$userinput{from}>",
>
> So, what happens if $userinput{name} contains:
>
> aaa@example.com,\naab@example.com,\naac@example.com ...

Then the mail which is sent to the receiver of the email contains some
additional senders:
aaa@example.com, naab@example.com and naac@example.com

It is a little weird to receive one _single_ email from _four_ senders
but this is not critical yet (it's not good either, of course).

I tried adding mail@example.com,\nBcc:secret@mailaddress.com to see if
I could use this to send myself a Bcc but it just added another sender.

I also tried putting in some code with different modifications but none
of them worked (Something like ">\n; [some perl code here]").

>
>> 'Content-Type' => 'text/html',
>> Subject => "My Subject",
>> });
>> print $mailer <<"END"
>> ...
>>
>> $userinput{name}
>>
>> $userinput{otherfield}
>> ...
>
> I thought you used templates and such.

Yes, is this relevant?
I didn't think so but I might be wrong.

>> END
>> $mailer->close;
>> }
>>
>> sub parse_input {
>> # I hope I did not mess this up when I simplified it
>> my $input = shift;
>> my %cgihash;
>>
>> my @pairs =split(/&/,$input);
>> foreach my $data (@pairs) {
>> $data =~ s/\+/ /go;
>
> Why the 'o' switch?

I have taken this from a book. The book says it saves cpu time because
the pattern is only compiled once. It suggests to always use it in loops
unless the pattern changes.

>> ($key, $value) = split(/=/,$data);
>> $key =~ s/\%(..)/pack("c",hex($1))/ge;
>> $value =~ s/\%(..)/pack("c",hex($1))/ge;
>> $cgihash{$key} = $value;
>> }
>> return %cgihash;
>
> No comment.

Hm, - okay (wondering silently).

I have realized that the userinput can change the desired result but I
have not yet found out, how it can change the recipient or add
additional code to the script.

Any additional help will be gladly appreciated
Best regards
Martin


--
perl -e '$S=[[73,116,114,115,31,96],[108,109,114,102,99,112],
[29,77,98,111,105,29],[100,93,95,103,97,110]];
for(0..3){for$s(0..5){print(chr($S->[$_]->[$s]+$_+1))}}'

Re: Question about abuse of a CGI script

am 06.02.2006 01:38:08 von 1usa

Martin Kissner wrote in
news:slrndud5h4.s8a.news@maki.homeunix.net:

> A. Sinan Unur wrote :
>> Martin Kissner wrote in
>> news:slrnducuop.s8a.news@maki.homeunix.net:
>>
>>> Gunnar Hjalmarsson wrote :
>>>> Martin Kissner wrote:
>>>>> What I want is to execute a script which enables me to analyse the
>>>>> method the spammer uses in order to learn how this works - not
>>>>> because I want to redo it, but I am interested.
>>>>
>>>> If you post the (relevant part of the) script here, somebody will
>>>> probably be able to tell you what the problem is.
>>>
>>> Yes, absolutely.
>>> I did not do so in the first place for two reasons.
>>>
>>> 1. I am not really sure which part is relevant.
>>> 2. It took me some time to simplify the script and remove several
>>> conditions etc.
>>
>> Have you seen the posting guidelines? Especially the part about
>> posting code?
>
> Yes, I guess you are talking about the part which suggests to post a
> small but working script which can be copied and pasted and which
> demonstrates the problem.

Yes.

....

>> aaa@example.com,\naab@example.com,\naac@example.com ...
>
> Then the mail which is sent to the reciever of the email contains some
> additional sendere:
> aaa@example.com, naab@example.com and naac@example.com

Are you purposefully being dense here? \n is a newline. OK, I forgot to
type the Bcc: before the second address but still, the point I was
trying to make should have been obvious. See:

D:\Home\asu1\UseNet\clpmisc\mail> cat m.pl
#!/usr/bin/perl

use strict;
use warnings;

use Mail::Mailer;

my $from = <<'FROM';
aaa@example.com
Bcc: bbb@example.com, ccc@example.com, ddd@example.com
FROM

my $mailer = Mail::Mailer->new('testfile');

$mailer->open({
To => 'you@example.com',
From => $from,
Subject => 'Test',
});

$mailer->close;


D:\Home\asu1\UseNet\clpmisc\mail> cat mailer.testfile

===
test 1 Sun Feb 5 19:33:35 2006
to: you@example.com

Subject: Test
To: you@example.com
From: aaa@example.com
Bcc: bbb@example.com, ccc@example.com, ddd@example.com

>>> print $mailer <<"END"
>>> ...
>>>
>>> $userinput{name}
>>>
>>> $userinput{otherfield}
>>> ...
>>
>> I thought you used templates and such.
>
> Yes, is this relevant?
> I didn't think so but I might be wrong.

It is, because that was your excuse for not using CGI.pm

Sinan
--
A. Sinan Unur <1usa@llenroc.ude.invalid>
(reverse each component and remove .invalid for email address)

comp.lang.perl.misc guidelines on the WWW:
http://mail.augustmail.com/~tadmc/clpmisc/clpmisc_guidelines.html
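Header injection worked through as an added example (this is not code from the thread; the fixed sender webform@example.com and the sample inputs are assumptions, core Perl only). build_from_header does exactly what the quoted script did, header_lines counts how many header lines an MTA would see in that one value, and safe_headers is the hardened form: it validates the display name and the address and, even then, never lets visitor input into From, only into Reply-To.

```perl
#!/usr/bin/perl
# Added example, not from the thread.  Core Perl only.
use strict;
use warnings;

# What the original script did: interpolate two form fields into one
# header value.  A CR or LF inside either field ends the From line and
# starts a new header (Bcc:, Cc:, To: ...), which is the whole attack.
sub build_from_header {
    my ($name, $from) = @_;
    return "From: $name <$from>";
}

# How many header lines an MTA would see in one "header" value.
sub header_lines {
    my ($header) = @_;
    my @lines = split /\r\n|\r|\n/, $header;
    return scalar @lines;
}

# Accept exactly one plain address: no CR/LF or other whitespace, no
# comma/semicolon (address-list separators), no quotes or angle
# brackets, one '@', a dotted domain.  Deliberately stricter than
# RFC 5322; rejecting an unusual-but-legal address is the safe failure
# mode for a contact form.
sub single_address_ok {
    my ($s) = @_;
    return 0 unless defined $s && length $s <= 254;
    return 0 if $s =~ /[\r\n\s,;<>"]/;
    return $s =~ /\A[A-Za-z0-9._%+-]+\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\z/ ? 1 : 0;
}

# Display name: no control characters at all (\p{Cc} covers CR, LF,
# NUL and friends), no angle brackets, bounded length.
sub display_name_ok {
    my ($s) = @_;
    return 0 unless defined $s && length $s <= 100;
    return $s =~ /\A[^\p{Cc}<>]*\z/ ? 1 : 0;
}

# Hardened form: From is a fixed address the visitor never controls;
# the validated visitor address goes into Reply-To only.  Returns
# nothing (undef) when the submission should be dropped.
sub safe_headers {
    my ($name, $from) = @_;
    return unless display_name_ok($name) && single_address_ok($from);
    return {
        To         => 'mail@thedomain.tld',
        From       => 'webform@example.com',   # assumed fixed sender
        'Reply-To' => "$name <$from>",
        Subject    => 'Website contact form',
    };
}

# Constructed inputs: one genuine visitor, then the two strings posted
# in the thread, then two more shapes a robot sends.
my @samples = (
    [ 'Alice Example', 'alice@example.com' ],
    [ "aaa\@example.com\nBcc: bbb\@example.com, ccc\@example.com", 'aaa@example.com' ],
    [ "faked\@example.com\nCc: victim1\@example.com, victim2\@example.com,", 'faked@example.com' ],
    [ 'Bob',   "bob\@example.com\r\nTo: victim\@example.org" ],
    [ 'Carol', 'carol@example.com, dave@example.com' ],
);

for my $sample (@samples) {
    my ($name, $from) = @$sample;
    my $naive = build_from_header($name, $from);
    my $safe  = safe_headers($name, $from);
    printf "%-6s naive From header would span %d line(s)%s\n",
        $safe ? 'ACCEPT' : 'REJECT',
        header_lines($naive),
        $safe ? "; Reply-To: $safe->{'Reply-To'}" : '';
}
```

The first sample is accepted with a single-line header; the three samples carrying a CR or LF each expand to two header lines and are rejected; the comma-separated pair is rejected even though it fits on one line, because a list of addresses in From or Reply-To is still more recipients than the form was meant to reach. Mail::Mailer's 'testfile' mailer, as in m.pl above, is a convenient way to see what the MTA would have been handed without sending anything.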

Re: Question about abuse of a CGI script

am 06.02.2006 01:38:47 von Tintin

"Martin Kissner" wrote in message
news:slrnducrdf.s8a.news@maki.homeunix.net...
> It might have been wrong not to use CGI.pm for this case, but I decided
> not to use CGI.pm for several reasons. The website is presented in
> several languages, uses databases and many templates (with
> HTML::Template). Also I use CSS very much.

Which doesn't preclude CGI.pm at all.

>
> After I had read perldoc CGI I did not like the syntax
> and felt like it might be not so easy to combine all the things I
> mentioned above. (Maybe it is for an expierienced perl programmer which I
> am not.) To me it looked like the HTML/CSS is not well enough divided
> from the perl code (for my needs).

Most people don't use the CGI module to generate their HTML. In fact, one
of the big complaints about CGI.pm is the fact it tries to do too much
outside the scope of CGI parsing.

CGI module works very well with most templating systems (or even hand coded
ones).

Re: Question about abuse of a CGI script

am 06.02.2006 01:54:39 von Martin Kissner

Gunnar Hjalmarsson wrote :
> Martin Kissner wrote:
>>
>> $mailer->open ({
>> To => 'mail@thedomain.tld',
>> # The spammers script still worked after I had replaced the variables
>> # with fixed values
>> From => "$userinput{name} <$userinput{from}>",
>
> What would happen if $userinput{name} consists of the string that this
> expression results in:
>
> qq|faked\@example.com\nCc: victim1\@example.com, victim2\@example.com,|

Then some more people will get mail than intended.
My question is: How did they do it?
I tried on my local webserver everything I can think of, but the only
result I get is a few additional senders.

Best regards
Martin

--
perl -e '$S=[[73,116,114,115,31,96],[108,109,114,102,99,112],
[29,77,98,111,105,29],[100,93,95,103,97,110]];
for(0..3){for$s(0..5){print(chr($S->[$_]->[$s]+$_+1))}}'

Re: Question about abuse of a CGI script

am 06.02.2006 02:03:46 von Gunnar Hjalmarsson

Martin Kissner wrote:
> Gunnar Hjalmarsson wrote :
>>What would happen if $userinput{name} consists of the string that this
>>expression results in:
>>
>>qq|faked\@example.com\nCc: victim1\@example.com, victim2\@example.com,|
>
> Then some more people will get mail than intented.
> My question is: How did they do it?

Either they used their own, modified form, or - more likely - a script that
emulates a form submission. With Perl you can write such a script using
e.g. the LWP family of modules.

--
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl

Re: Question about abuse of a CGI script

am 06.02.2006 02:04:01 von 1usa

Martin Kissner wrote in
news:slrndud7if.s8a.news@maki.homeunix.net:

> Gunnar Hjalmarsson wrote :
>> Martin Kissner wrote:
>>>
>>> $mailer->open ({
>>> To => 'mail@thedomain.tld',
>>> # The spammers script still worked after I had replaced the
>>> variables # with fixed values
>>> From => "$userinput{name} <$userinput{from}>",
>>
>> What would happen if $userinput{name} consists of the string that
>> this expression results in:
>>
>> qq|faked\@example.com\nCc: victim1\@example.com,
>> victim2\@example.com,|
>
> Then some more people will get mail than intented.

You are missing the point. The spammer does not type these things in by
hand.

> My question is: How did they do it?
> I tryed on my local webserver evereything I can think of, but the only
> result I get is a few additional senders.

Submit the form using WWW::Mechanize.

At this point, I would recommend that you give up. Don't put a mail form
on the web. Just put your mom's email address there, and tell your mom
to use a spam filter[1].

You do not realize the harm you are doing to hundreds of thousands of
people being targeted by the spammer. In fact, I sense from you an
attitude of "who cares" regarding the victims.

[1] Yes, I am dead serious. Maybe after a few months of spam, you
realize the harm you are doing.

Sinan
--
A. Sinan Unur <1usa@llenroc.ude.invalid>
(reverse each component and remove .invalid for email address)

comp.lang.perl.misc guidelines on the WWW:
http://mail.augustmail.com/~tadmc/clpmisc/clpmisc_guidelines.html

Re: Question about abuse of a CGI script

am 06.02.2006 02:47:28 von Martin Kissner

A. Sinan Unur wrote :
> Martin Kissner wrote in
> news:slrndud5h4.s8a.news@maki.homeunix.net:
>
>> A. Sinan Unur wrote :
>>> Martin Kissner wrote in
>>> news:slrnducuop.s8a.news@maki.homeunix.net:


>>> aaa@example.com,\naab@example.com,\naac@example.com ...
>>
>> Then the mail which is sent to the reciever of the email contains some
>> additional sendere:
>> aaa@example.com, naab@example.com and naac@example.com
>
> Are you purposefully being dense here? \n is a newline. OK, I forgot to
> type the Bcc: before the second address but still, the point I was
> trying to make should have been obvious.

To me it is obvious *what* can be done but not *how* it is done.
Of course I tried
myoneaddress@example.com,\nBcc:myotheraddress@example.com
but I didn't receive a Bcc mail to myotheraddress.
I received mail to the address coded in the script with some "weird"
looking senders.

I also tried the code you posted below. Here is my result:
|
| ===
| test 1 Mon Feb 6 02:30:09 2006
| to: you@example.com
|
| Subject: Test
| To: you@example.com
| From: aaa@example.com Bcc: bbb@example.com, ccc@example.com,
| ddd@example.com
|

The Bcc does not skip to the next line. (???)
I have no idea why but I will test this on a different computer with
FreeBSD on it.
This is Mac OS X / Darwin.

[...]

>>> I thought you used templates and such.
>>
>> Yes, is this relevant?
>> I didn't think so but I might be wrong.
>
> It is, because that was your excuse for not using CGI.pm

I didn't feel like I have to excuse myself, I was just explaining my
reasons for my decision.
Actually the website on which the script runs contains about 300 pages
generated by my cgi script. The HTML email was not the reason to use
HTML::Template and also it was not the reason for not using CGI.pm
Also it doesn't even make sense to generate the mail with
HTML::Template. I was just curious if I could combine Mail::Mailer and
HTML::Template. This also shows that the overhead of CGI.pm is not the
reason for not using it ;-)

If I had known that this is important I would have explained this more
thoroughly.

Best regards
Martin

--
perl -e '$S=[[73,116,114,115,31,96],[108,109,114,102,99,112],
[29,77,98,111,105,29],[100,93,95,103,97,110]];
for(0..3){for$s(0..5){print(chr($S->[$_]->[$s]+$_+1))}}'

Re: Question about abuse of a CGI script

am 06.02.2006 02:52:45 von Martin Kissner

Tintin wrote :
>
> "Martin Kissner" wrote in message
> news:slrnducrdf.s8a.news@maki.homeunix.net...
>> It might have been wrong not to use CGI.pm for this case, but I decided
>> not to use CGI.pm for several reasons. The website is presented in
>> several languages, uses databases and many templates (with
>> HTML::Template). Also I use CSS very much.
>
> Which doesn't preclude CGI.pm at all.

I do not deny this.
I myself, however, didn't feel comfortable with it.

[...]

> CGI module works very well with most templating systems (or even hand coded
> ones).

Maybe I will take another look at it after this.

Best regards
Martin

--
perl -e '$S=[[73,116,114,115,31,96],[108,109,114,102,99,112],
[29,77,98,111,105,29],[100,93,95,103,97,110]];
for(0..3){for$s(0..5){print(chr($S->[$_]->[$s]+$_+1))}}'

Re: Question about abuse of a CGI script

am 06.02.2006 02:55:40 von Martin Kissner

Gunnar Hjalmarsson wrote :
> Martin Kissner wrote:
>> Gunnar Hjalmarsson wrote :
>>>What would happen if $userinput{name} consists of the string that this
>>>expression results in:
>>>
>>>qq|faked\@example.com\nCc: victim1\@example.com, victim2\@example.com,|
>>
>> Then some more people will get mail than intented.
>> My question is: How did they do it?
>
> Either they used an own, modified form, or - more likely - a script that
> emulates a form submission. With Perl you can write such a script using
> e.g. the LWP family of modules.

Okay.
Am I right if I suppose that such a script contacts the form on my
website, fills in some values into my fields and then submits the form?

--
perl -e '$S=[[73,116,114,115,31,96],[108,109,114,102,99,112],
[29,77,98,111,105,29],[100,93,95,103,97,110]];
for(0..3){for$s(0..5){print(chr($S->[$_]->[$s]+$_+1))}}'

Re: Question about abuse of a CGI script

am 06.02.2006 03:06:22 von 1usa

Martin Kissner wrote in
news:slrndud5h4.s8a.news@maki.homeunix.net:

> A. Sinan Unur wrote :
>> Martin Kissner wrote in
>> news:slrnducuop.s8a.news@maki.homeunix.net:
>>
....
>>> foreach my $data (@pairs) {
>>> $data =~ s/\+/ /go;
>>
>> Why the 'o' switch?
>
> I have taken this from a book. The book says it saves cpu time because
> the pattern is only compiled once. It suggests to always use it in
> loops unless the pattern changes.

Read the docs, and throw that book out.

Also, involving the Regex engine is completely unnecessary here.

#!/usr/bin/perl

use strict;
use warnings;

my $s = q{This+is+a+test};
$s =~ tr/+/ /;

print "$s\n";
__END__

--
A. Sinan Unur <1usa@llenroc.ude.invalid>
(reverse each component and remove .invalid for email address)

comp.lang.perl.misc guidelines on the WWW:
http://mail.augustmail.com/~tadmc/clpmisc/clpmisc_guidelines.html

Re: Question about abuse of a CGI script

am 06.02.2006 03:08:02 von Martin Kissner

A. Sinan Unur wrote :
> Martin Kissner wrote in
> news:slrndud7if.s8a.news@maki.homeunix.net:
>
>> Gunnar Hjalmarsson wrote :

>>> What would happen if $userinput{name} consists of the string that
>>> this expression results in:
>>>
>>> qq|faked\@example.com\nCc: victim1\@example.com,
>>> victim2\@example.com,|
>>
>> Then some more people will get mail than intented.
>
> You are missing the point. The spammer does not type these things in by
> hand.

Next time I will use some irony tags ;)

>
>> My question is: How did they do it?
>> I tryed on my local webserver evereything I can think of, but the only
>> result I get is a few additional senders.
>
> Submit the form using WWW::Mechanize.
>
> At this point, I would recommend that you give up. Don't put a mail form
> on the web. Just put your mom's email address there, and tell your mom
> to use a spam filter[1].

No, I won't (sorry);

> You do not realize the harm you are doing to hundreds of thousands of
> people being targetted by the spammer. In fact, I sense from you an
> attitude of "who cares" regarding the victims.

Not at all, but if I give up I will not be able to learn how to do it
right.
Maybe you missed the fact that I have changed my script so the actual
spammer is not able to use it any more.
Also I am here mainly to get an idea how people can abuse scripts which
are so - I admit - poorly written as mine in order to avoid this in the
future.
As I mentioned before, I am an autodidact and sometimes I will need some
time to understand how things go but I have decided to master this.

Best regards
Martin

--
perl -e '$S=[[73,116,114,115,31,96],[108,109,114,102,99,112],
[29,77,98,111,105,29],[100,93,95,103,97,110]];
for(0..3){for$s(0..5){print(chr($S->[$_]->[$s]+$_+1))}}'

Re: Question about abuse of a CGI script

am 06.02.2006 03:08:22 von Gunnar Hjalmarsson

Martin Kissner wrote:
> Gunnar Hjalmarsson wrote :
>>Either they used an own, modified form, or - more likely - a script that
>>emulates a form submission. With Perl you can write such a script using
>>e.g. the LWP family of modules.
>
> Okay.
> Am I right if I suppose that such a script contacts the form on my
> website, fills in some values into my fields and then submits the form?

No. Such a script doesn't care about your form. It passes the values
directly to your script.

--
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl
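What "passes the values directly to your script" looks like on the wire, as an added example (not code from the thread). It needs libwww-perl for HTTP::Request::Common; the host www.example.com is an assumption, the path is the form action Martin names later in the thread, and the field names follow the quoted script. The decoder at the end is a corrected replacement for the quoted parse_input (first '=' only, '+' before %XX), so the second half of the output is what the CGI script receives after decoding.

```perl
#!/usr/bin/perl
# Added example, not from the thread.  Requires libwww-perl.
use strict;
use warnings;
use HTTP::Request::Common qw(POST);

# Whatever the form's action attribute says.  mod_rewrite mapping this
# to /cgi-bin/script.cgi happens inside the server; the client never
# sees or needs the real script name.
my $action = 'http://www.example.com/emailantwort.html';   # host assumed

# No HTML form is fetched or parsed.  The robot knows the field names
# from one earlier look at the page and sends them straight to $action.
my $req = POST $action, [
    name       => "aaa\@example.com\nBcc: bbb\@example.com",   # injected header
    from       => 'aaa@example.com',
    otherfield => 'hello',
];

print "---- request as sent (headers, blank line, body) ----\n";
print $req->as_string, "\n";

# The CGI script receives the body on STDIN (CONTENT_LENGTH bytes) and
# sees only those bytes.  Decoding them correctly: split on '&', split
# each pair on the first '=', '+' to space, then %XX to the byte.
sub decode_form_body {
    my ($body) = @_;
    my %fields;
    for my $pair (split /&/, $body) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && length $k;
        $v = '' unless defined $v;
        for ($k, $v) {
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
        }
        $fields{$k} = $v;     # last value wins; CGI.pm keeps all of them
    }
    return \%fields;
}

print "---- what the script sees after decoding ----\n";
my $seen = decode_form_body($req->content);
for my $k (sort keys %$seen) {
    my $shown = $seen->{$k};
    $shown =~ s/\r/\\r/g;     # make the control characters visible
    $shown =~ s/\n/\\n/g;
    printf "  %-10s => %s\n", $k, $shown;
}
```

The body goes out as application/x-www-form-urlencoded with the newline encoded as %0A, and comes back out of the decoder as a real newline inside the name field. To deliver it you would hand $req to LWP::UserAgent->new->request($req); the server cannot tell this from a browser's submission, since Referer and User-Agent are set by the client as well. That is why renaming the form or the rewrite target does not protect the script by itself, and why the check has to be on the values.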

Re: Question about abuse of a CGI script

am 06.02.2006 03:14:45 von Martin Kissner

Gunnar Hjalmarsson wrote :
> Martin Kissner wrote:
>> Gunnar Hjalmarsson wrote :
>>>Either they used an own, modified form, or - more likely - a script that
>>>emulates a form submission. With Perl you can write such a script using
>>>e.g. the LWP family of modules.
>>
>> Okay.
>> Am I right if I suppose that such a script contacts the form on my
>> website, fills in some values into my fields and then submits the form?
>
> No. Such a script doesn't care about your form. It passes the values
> directly to your script.

In this case it must be different.
I renamed the form but not the script.
Then I duplicated the form, changed the action in the <form> tag and
saved it under the original name.
The new action script only counts the hits by saving the IP addresses used by
the spammer but doesn't send any mails. It doesn't even look at the
fields.

--
perl -e '$S=[[73,116,114,115,31,96],[108,109,114,102,99,112],
[29,77,98,111,105,29],[100,93,95,103,97,110]];
for(0..3){for$s(0..5){print(chr($S->[$_]->[$s]+$_+1))}}'

Re: Question about abuse of a CGI script

am 06.02.2006 03:16:14 von Martin Kissner

A. Sinan Unur wrote :
> Martin Kissner wrote in
> news:slrndud5h4.s8a.news@maki.homeunix.net:
>
>> A. Sinan Unur wrote :
>>> Martin Kissner wrote in
>>> news:slrnducuop.s8a.news@maki.homeunix.net:
>>>
> ...
>>>> foreach my $data (@pairs) {
>>>> $data =~ s/\+/ /go;
>>>
>>> Why the 'o' switch?
>>
>> I have taken this from a book. The book says it saves cpu time because
>> the pattern is only compiled once. It suggests to always use it in
>> loops unless the pattern changes.
>
> Read the docs, and throw that book out.

Guess what! I already did.

>
> Also, involving the Regex engine is completely unnecessary here.
>
> #!/usr/bin/perl
>
> use strict;
> use warnings;
>
> my $s = q{This+is+a+test};
> $s =~ tr/+/ /;

Thank you for this hint.


--
perl -e '$S=[[73,116,114,115,31,96],[108,109,114,102,99,112],
[29,77,98,111,105,29],[100,93,95,103,97,110]];
for(0..3){for$s(0..5){print(chr($S->[$_]->[$s]+$_+1))}}'

Re: Question about abuse of a CGI script

am 06.02.2006 03:51:38 von Gunnar Hjalmarsson

Martin Kissner wrote:
> Gunnar Hjalmarsson wrote :
>>Martin Kissner wrote:
>>>Am I right if I suppose that such a script contacts the form on my
>>>website, fills in some values into my fields and then submits the form?
>>
>>No. Such a script doesn't care about your form. It passes the values
>>directly to your script.
>
> In this case it must be different.
> I renamed the form but not the script.
> Then I duplicated the form, changed the action in the <form> tag and
> saved it under the original name.
> The new action script only counts the hits by saving the IP addresses used by
> the spammer but doesn't send any mails. It doesn#T even look at the
> fields.

The spammer needs to know what to submit and whereto, and that info he
reasonably grabs from your form. Then, when actually abusing your
script, he most likely bypasses your form.

--
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl

Re: Question about abuse of a CGI script

am 06.02.2006 04:33:01 von Martin Kissner

Gunnar Hjalmarsson wrote :
> Martin Kissner wrote:
>> Gunnar Hjalmarsson wrote :
>>>Martin Kissner wrote:
>>>>Am I right if I suppose that such a script contacts the form on my
>>>>website, fills in some values into my fields and then submits the form?
>>>
>>>No. Such a script doesn't care about your form. It passes the values
>>>directly to your script.
>>
>> In this case it must be different.
>> I renamed the form but not the script.
>> Then I duplicated the form, changed the action in the <form> tag and
>> saved it under the original name.
>> The new action script only counts the hits by saving the IP addresses used by
>> the spammer but doesn't send any mails. It doesn#T even look at the
>> fields.
>
> The spammer needs to know what to submit and whereto, and that info he
> reasonably grabs from your form. Then, when actually abusing your
> script, he most likely bypasses your form.
>
Okay; whereto would be the script, right?

but how can he find out about the script's name? The script lies in
/cgi-bin/ and the script's name does not appear in the form or any other
file which is accessible directly via HTTP. The action in the html form
is a html filename which is redirected via .htaccess/mod_rewrite to the
cgi script. This filename I have changed.

Is there a chance someone could find out where to submit the data?
I don't think the spammer can use my script right now.
I have added some additional code to inform me but up to now I have not
noticed him back on the main script (based on some pattern matching and
content length restrictions). Additionally I removed the variables in the header
part of the script.

Also I have added another script which gets executed when the server is
accessed via the original html filename. This script gets executed
several times an hour, but it does not process the input.

Did I miss anything? Can someone get around this setup unnoticed?

--
perl -e '$S=[[73,116,114,115,31,96],[108,109,114,102,99,112],
[29,77,98,111,105,29],[100,93,95,103,97,110]];
for(0..3){for$s(0..5){print(chr($S->[$_]->[$s]+$_+1))}}'

Re: Question about abuse of a CGI script

am 06.02.2006 09:24:13 von 1usa

Martin Kissner wrote in
news:slrndudgrd.s8a.news@maki.homeunix.net:

> Gunnar Hjalmarsson wrote :
>> Martin Kissner wrote:
>>> Gunnar Hjalmarsson wrote :
>>>>Martin Kissner wrote:
>>>>>Am I right if I suppose that such a script contacts the form on my
>>>>>website, fills in some values into my fields and then submits the
>>>>>form?
>>>>
>>>>No. Such a script doesn't care about your form. It passes the values
>>>>directly to your script.
>>>
>>> In this case it must be different.
>>> I renamed the form but not the script.
>>> Then I duplicated the form, changed the action in the <form> tag and
>>> saved it under the original name.
>>> The new action script only counts the hits by saving the IP
>>> addresses used by the spammer but doesn't send any mails. It doesn#T
>>> even look at the fields.
>>
>> The spammer needs to know what to submit and whereto, and that info
>> he reasonably grabs from your form. Then, when actually abusing your
>> script, he most likely bypasses your form.
>>
> Okay; wherto would be the script, right?

"Where to" is whatever is in the action attribute of the form you are
using.

> but how can he find out about the script's name? The script lies in
> /cgi-bin/ and the scripts name does not appear in the form or any
> other file which is accessible directly via HTTP. The action in the
> html form is a html filename which is redirected via
> .htaccess/mod_rewrite to the cgi script. This filename I have
> changed.
>
> Is there a chance somone could find out where to submit the data?

I don't know what you are talking about, but that's irrelevant. Web
server configuration is off-topic here (well, so was CGI. Forgive me for
I have sinned).

Sinan

--
A. Sinan Unur <1usa@llenroc.ude.invalid>
(reverse each component and remove .invalid for email address)

comp.lang.perl.misc guidelines on the WWW:
http://mail.augustmail.com/~tadmc/clpmisc/clpmisc_guidelines.html

Re: Question about abuse of a CGI script

am 06.02.2006 13:20:53 von Matt Garrish

"Martin Kissner" wrote in message
news:slrndudgrd.s8a.news@maki.homeunix.net...
> Gunnar Hjalmarsson wrote :
>> Martin Kissner wrote:
>>> Gunnar Hjalmarsson wrote :
>>>>Martin Kissner wrote:
>>>>>Am I right if I suppose that such a script contacts the form on my
>>>>>website, fills in some values into my fields and then submits the form?
>>>>
>>>>No. Such a script doesn't care about your form. It passes the values
>>>>directly to your script.
>>>
>>> In this case it must be different.
>>> I renamed the form but not the script.
>>> Then I duplicated the form, changed the action in the <form> tag and
>>> saved it under the original name.
>>> The new action script only counts the hits by saving the IP addresses
>>> used by
>>> the spammer but doesn't send any mails. It doesn#T even look at the
>>> fields.
>>
>> The spammer needs to know what to submit and whereto, and that info he
>> reasonably grabs from your form. Then, when actually abusing your
>> script, he most likely bypasses your form.
>>
> Okay; wherto would be the script, right?
>
> but how can he find out about the script's name? The script lies in
> /cgi-bin/ and the scripts name does not appear in the form or any other
> file which is accessible directly via HTTP. The action in the html form
> is a html filename which is redirected via .htaccess/mod_rewrite to the
> cgi script. This filename I have changed.
>

But a request is a request, whether it comes from a browser or is created
manually by a program. The spammer's request gets forwarded the same way the
browsers request gets forwarded. You should really take some time to look
over the LWP modules and what they can do (specifically posting data), as
well as read up on how http requests work. Without more fundamentals in how
the Web operates, you'll have a very hard time writing secure scripts.

Matt

Re: Question about abuse of a CGI script

am 06.02.2006 14:13:35 von Martin Kissner

A. Sinan Unur wrote :
> Martin Kissner wrote in
> news:slrndudgrd.s8a.news@maki.homeunix.net:
>
>> Gunnar Hjalmarsson wrote :
>>> Martin Kissner wrote:
>>>> Gunnar Hjalmarsson wrote :

>>> The spammer needs to know what to submit and whereto, and that info
>>> he reasonably grabs from your form. Then, when actually abusing your
>>> script, he most likely bypasses your form.
>>>
>> Okay; wherto would be the script, right?
>
> "Where to" is whatever is in the action attribute of the form you are
> using.

Then it is a non-existent html filename he tries to access now which is
not processed by the script in the way he relies on.

>> but how can he find out about the script's name? The script lies in
>> /cgi-bin/ and the scripts name does not appear in the form or any
>> other file which is accessible directly via HTTP. The action in the
>> html form is a html filename which is redirected via
>> .htaccess/mod_rewrite to the cgi script. This filename I have
>> changed.
>>
>> Is there a chance somone could find out where to submit the data?
>
> I don't know what you are talking about, but that's irrelevant. Web
> server configuration is off-topic here (well, so was CGI. Forgive me for
> I have sinned).

Forgive me, too. I have asked about how my perl CGI script, which is
running on a web server, could have been hacked by a spammer in a perl
newsgroup.

But wait - I have decided to ask here because I was
interested in what _perl_code_ the spammer might have passed to my
_perl_script_. My original question was not about CGI and and not about
web server configuration but about perl code.

But you are right. The last question is off-topic here. I should have
asked it in a web server related group.

Best regards
Martin

btw: I have tested the script you gave me in the other post on a FreeBSD
machine. There I get the same result as you do (Bcc addresses in a
newline).

--
perl -e '$S=[[73,116,114,115,31,96],[108,109,114,102,99,112],
[29,77,98,111,105,29],[100,93,95,103,97,110]];
for(0..3){for$s(0..5){print(chr($S->[$_]->[$s]+$_+1))}}'

Re: Question about abuse of a CGI script

am 06.02.2006 14:55:01 von Martin Kissner

Matt Garrish wrote :
>
> "Martin Kissner" wrote in message
> news:slrndudgrd.s8a.news@maki.homeunix.net...
>> Gunnar Hjalmarsson wrote :
>>> Martin Kissner wrote:
>>>> Gunnar Hjalmarsson wrote :

>>> The spammer needs to know what to submit and whereto, and that info he
>>> reasonably grabs from your form. Then, when actually abusing your
>>> script, he most likely bypasses your form.
>>>
>> Okay; wherto would be the script, right?
>>
>> but how can he find out about the script's name? The script lies in
>> /cgi-bin/ and the scripts name does not appear in the form or any other
>> file which is accessible directly via HTTP. The action in the html form
>> is a html filename which is redirected via .htaccess/mod_rewrite to the
>> cgi script. This filename I have changed.
>>
>
> But a request is a request, whether it comes from a browser or is created
> manually by a program. The spammer's request gets forwarded the same way the
> browsers request gets forwarded.

Yes, I know.
But doesn't the program of the spammer have to pass a URI as the browser
does?
And now he keeps on passing a URI which doesn't make my script send mail.

The spammer requests a file on the webserver and sends some data to its
stdin. The filename (which is part of the URI) and the data are passed
to my cgi script but when the script "sees" the URI, it refuses to read
the data but only hits a counter and exits. In my case I don't think
the spammer accesses the script itself and if he does, he has to pass
the URI which triggers the script to send mail.

Isn't this right?

If it is, I think changing the filename which makes the script send mail
was not that bad and also I have changed the script to take a closer
look at the data provided by the user (for the new filename in the form
action attribute).

> You should really take some time to look over the LWP modules and what
> they can do (specifically posting data), as well as read up on how
> http requests work. Without more fundamentals in how the Web operates,
> you'll have a very hard time writing secure scripts.

Yes, thank you. I have bought the book "Network Programming with Perl"
by Lincoln Stein, which I think is a good choice.

Best regards
Martin

--
perl -e '$S=[[73,116,114,115,31,96],[108,109,114,102,99,112],
[29,77,98,111,105,29],[100,93,95,103,97,110]];
for(0..3){for$s(0..5){print(chr($S->[$_]->[$s]+$_+1))}}'

Re: Question about abuse of a CGI script

am 06.02.2006 16:18:17 von 1usa

Martin Kissner wrote in
news:slrndueirv.14d.news@maki.homeunix.net:

> A. Sinan Unur wrote :
>> Martin Kissner wrote in
>> news:slrndudgrd.s8a.news@maki.homeunix.net:
>>
>>> Gunnar Hjalmarsson wrote :
>>>> Martin Kissner wrote:
>>>>> Gunnar Hjalmarsson wrote :
>
>>>> The spammer needs to know what to submit and whereto, and that info
>>>> he reasonably grabs from your form. Then, when actually abusing
>>>> your script, he most likely bypasses your form.
>>>>
>>> Okay; wherto would be the script, right?
>>
>> "Where to" is whatever is in the action attribute of the form you are
>> using.
>
> Then it is a nonexisting html filename he tries to access now which is
> not processed by the script in the way he relies on.

That sentence makes no sense. If a visitor can submit the form using a
web browser, then a simple script using LWP, or the command line wget
program can also submit to the same target specified in the action
attribute of the form element you are using.

Your confusion arises from the fact that you don't seem to understand how
HTTP and CGI work, and you confuse the issue by adding in all sorts of
web server configuration issues.

In summary:

Q1) How do I save the full query submitted to my CGI script.

A) Look into methods provided for this purpose by CGI.pm and CGI::Minimal

Q2) How do I prevent a spammer from using my script to send email to
thousands of people?

A) The safest way is to prevent a web site visitor from being able to
enter any email address. Short of that, look at CGI::ContactForm to see
how to make sure the submitted parameter only contains a single email
address.

There seems to be nothing else that is remotely Perl related to discuss.

Sinan
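Sinan's answer to Q1 worked through as an added example (not code from the thread): CGI.pm's save() writes every parameter URL-escaped, one per line, so an injected newline is recorded as %0A instead of reaching a mail header, and CGI->new(\*FILEHANDLE) reads a saved record back for analysis. This is the answer to Martin's original question of how to capture the spammer's exact input without sending anything. It assumes CGI.pm is installed (it left the Perl core in 5.22); the query string, the extra _remote_addr and _received parameters and the temp file are constructed so it runs offline. In the live script the object would come from CGI->new, which reads STDIN itself, and the log would be appended to a file outside the document root.

```perl
#!/usr/bin/perl
# Added example, not from the thread.  Requires CGI.pm.
use strict;
use warnings;
use CGI;
use File::Temp qw(tempfile);

# Live script: my $q = CGI->new;   (parses STDIN / QUERY_STRING itself)
# Here: a constructed submission carrying the thread's injected name field.
my $q = CGI->new(
    'name=aaa%40example.com%0ABcc%3A+bbb%40example.com'
  . '&from=aaa%40example.com&otherfield=hello'
);

# Tag the record with request metadata before saving it.  Extra
# parameters are the simplest way to keep them in save()'s format.
$q->param('_remote_addr', $ENV{REMOTE_ADDR} || '-');
$q->param('_received',    time);

# 1. Record the exact submission.  save() writes "name=value" lines,
#    both sides URL-escaped, terminated by a line containing only "=".
#    Live: open(LOG, '>>', '/var/log/webform/submissions.log')
my (undef, $logfile) = tempfile(UNLINK => 1);
open LOG, '>>', $logfile or die "$logfile: $!";
$q->save(\*LOG);
close LOG or die "close: $!";

open RAW, '<', $logfile or die "$logfile: $!";
print "---- saved record (CR/LF appear as %0D/%0A) ----\n", <RAW>;
close RAW;

# 2. Read one record back and look for header injection in any field.
#    Every field is checked, not just the ones the script puts in
#    headers, so a robot probing other fields shows up too.
sub injected_fields {
    my ($cgi) = @_;
    my @bad;
    my @names = $cgi->param;               # parameter names only
    for my $name (@names) {
        my $value = $cgi->param($name);    # scalar context: first value
        push @bad, $name if defined $value && $value =~ /[\r\n]/;
    }
    return @bad;
}

open IN, '<', $logfile or die "$logfile: $!";
my $saved = CGI->new(\*IN);                # reads up to the "=" line
close IN;

print "---- restored parameters ----\n";
my @names = $saved->param;
for my $name (sort @names) {
    my $shown = $saved->param($name);
    $shown =~ s/\r/\\r/g;                  # make control characters visible
    $shown =~ s/\n/\\n/g;
    printf "  %-13s %s\n", $name, $shown;
}

my @bad = injected_fields($saved);
print @bad
    ? "header injection attempt in field(s): @bad\n"
    : "no CR/LF in any field\n";
```

The saved record shows the name field as aaa%40example.com%0ABcc%3A%20bbb%40example.com, which is exactly the bytes the robot submitted, and the restored copy is flagged because its value contains a newline. For Q2 the same rule applies as in Sinan's answer: once a field has been flagged, or fails the single-address check, the script logs it and exits without ever calling Mail::Mailer.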

Re: Question about abuse of a CGI script

am 06.02.2006 17:30:38 von Ben Bacarisse

On Sun, 05 Feb 2006 14:42:08 -0500, John W. Kennedy wrote:

> Martin Kissner wrote:
>> Now the script was abused by a spammer who sent at least 6000 (probably
>> far more) spam emails.
>
> A device that has worked for me to foil robot spammers is simply to leave
> the submit button out of the HTML and create it instead at onload time,
> using JavaScript. It won't stop a human, but generally stymies robots.

This has a couple of down sides: First, it only works while few people use
it. When it becomes the norm, robots will have to incorporate a JS engine
and the benefit will be lost. Second, you inconvenience users who can't
(or prefer not to) use JS. This inconvenience could be argued about were
it not for the fact that form scripts can be made robot safe by
other means -- careful coding.

--
Ben.

Re: Question about abuse of a CGI script

on 06.02.2006 17:54:14 by Martin Kissner

A. Sinan Unur wrote :
> Martin Kissner wrote in
> news:slrndueirv.14d.news@maki.homeunix.net:
>
>> A. Sinan Unur wrote :
>>> Martin Kissner wrote in
>>> news:slrndudgrd.s8a.news@maki.homeunix.net:
>>>
>>>> Gunnar Hjalmarsson wrote :
>>>>> Martin Kissner wrote:
>>>>>> Gunnar Hjalmarsson wrote :
>>
>>>>> The spammer needs to know what to submit and whereto, and that info
>>>>> he reasonably grabs from your form. Then, when actually abusing
>>>>> your script, he most likely bypasses your form.
>>>>>
>>>> Okay; whereto would be the script, right?
>>>
>>> "Where to" is whatever is in the action attribute of the form you are
>>> using.
>>
>> Then it is a nonexisting html filename he tries to access now which is
>> not processed by the script in the way he relies on.
>
> That sentence makes no sense. If a visitor can submit the form using a
> web browser, then a simple script using LWP, or the command line wget
> program can also submit to the same target specified in the action
> attribute of the form element you are using.
>
> Your confusion arises from the fact that you don't seem to understand how
> HTTP and CGI work, and you confuse the issue by adding in all sorts of
> web server configuration issues.

No, I don't think so. Maybe I cannot make myself understood because of
my bad English. Maybe I should provide specific filenames to make this
clear.

Before the spammer's attack the target specified in the action attribute
of the form element was "/emailantwort.html". This target was
redirected to "/cgi-bin/script.cgi".
"script.cgi" checks the URI to decide what to do.
Before the spammer's attack:

    if ($ENV{REQUEST_URI} eq "/emailantwort.html") { send_mail(); }

Now:

    if ($ENV{REQUEST_URI} eq "/someotherfile.html") { send_mail_better(); }
    if ($ENV{REQUEST_URI} eq "/emailantwort.html") { count_spammer(); }
>
> In summary:
>
> Q1) How do I save the full query submitted to my CGI script.
>
> A) Look into methods provided for this purpose by CGI.pm and CGI::Minimal

Thank you, I will do so tonight.

> Q2) How do I prevent a spammer from using my script to send email to
> thousands of people?
>
> A) The safest way is to prevent a web site visitor from being able to
> enter any email address. Short of that, look at CGI::ContactForm to see
> how to make sure the submitted parameter only contains a single email
> address.

Thank you again. I will do my best.

> There seems to be nothing else that is remotely Perl related to discuss.

Okay? Didn't mean to annoy anybody.

Best regards
Martin

--
perl -e '$S=[[73,116,114,115,31,96],[108,109,114,102,99,112],
[29,77,98,111,105,29],[100,93,95,103,97,110]];
for(0..3){for$s(0..5){print(chr($S->[$_]->[$s]+$_+1))}}'

Re: Question about abuse of a CGI script

on 09.02.2006 10:38:23 by Ian Wilson

Martin Kissner wrote:
> Maybe you missed the fact that I have changed my script so the actual
> spammer is not able to use it any more.

Have you? I thought you had just changed it to check the referrer_URI.
These URIs are harvested by bots which inspect feedback forms. Soon a
bot will pick up your modified form and start using the new action URI
it finds there, which is the one your modified script allows through.

Much better to sanitise the form data. I'd discard any transaction that
contains suspicious data, e.g. newlines in a subject field. If I
couldn't use (or adapt) an already existing well tested script such as
the nms scripts, I'd specify a minimum set of allowable characters for
each field. Have you looked at the scripts at
http://nms-cgi.sourceforge.net/ - even if you can't use them, they'll
give some ideas on sanitising form data.

Re: Question about abuse of a CGI script

on 20.02.2006 16:42:19 by Martin Kissner

Ian Wilson wrote :
> Martin Kissner wrote:
>> Maybe you missed the fact that I have changed my script so the actual
>> spammer is not able to use it any more.
>
> Have you? I thought you had just changed it to check the referrer_URI.

Yes, I have. I never mentioned that I changed the script to check the
referer URI, did I? As a first step I checked the "user" input for some
strings that were common to all spam mails.

In the meantime I have added some more input checking to make sure that
there can be only one email address in the appropriate field and nothing
else. All other fields are now checked against a list of allowed
characters (letters, numbers, braces, commas, full stops, and newlines only
in the textarea field).

> These URIs are harvested by bots which inspect feedback forms. Soon a
> bot will pick up your modified form and start using the new action URI
> it finds there, which is the one your modified script allows through.
>
> Much better to sanitise the form data. I'd discard any transaction that
> contains suspicious data, e.g. newlines in a subject field. If I
> couldn't use (or adapt) an already existing well tested script such as
> the nms scripts, I'd specify a minimum set of allowable characters for
> each field. Have you looked at the scripts at

Thanks for your hint, I have already done so.

> http://nms-cgi.sourceforge.net/ - even if you can't use them, they'll
> give some ideas on sanitising form data.

Not yet, but I will take a look at it. Thanks for the link.

Best regards
Martin

--
perl -e '$S=[[73,116,114,115,31,96],[108,109,114,102,99,112],
[29,77,98,111,105,29],[100,93,95,103,97,110]];
for(0..3){for$s(0..5){print(chr($S->[$_]->[$s]+$_+1))}}'
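
The sanitising Ian describes (discard the whole transaction on suspicious data such as a newline in the subject, and allow only a minimum set of characters per field) and the per-field character lists Martin says he added, as one added Perl example that is neither poster's code nor one of the nms scripts. The field names, the exact character sets and the length caps are assumptions; the two submissions at the bottom are constructed, not real traffic.

```perl
#!/usr/bin/perl
# Added example (not the nms scripts nor Martin's code): reject a whole
# submission when any field steps outside its allowed character set.
use strict;
use warnings;

# Field names, character sets and length caps are assumptions; adapt
# them to the real form. Single-line fields allow no line break at all;
# only the textarea (message) does. The sets are ASCII on purpose: if
# the form accepts non-ASCII text, decode the bytes to characters
# (Encode::decode) before matching with \p{L} style classes.
my %RULES = (
    name    => qr/\A[A-Za-z .'-]{1,80}\z/,
    email   => qr/\A[A-Za-z0-9._%+-]+\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\z/,
    subject => qr/\A[A-Za-z0-9 .,!?()'-]{1,120}\z/,
    message => qr/\A[A-Za-z0-9 .,;:!?()'"\n-]{1,4000}\z/,
);

# Validate one submission (a hash of field => value). Returns the
# cleaned values and a list of problems; any problem means the whole
# transaction is discarded rather than "repaired", because silently
# stripping characters leaves the sender's intent ambiguous.
sub validate_form {
    my ($form) = @_;
    my (%clean, @problems);

    for my $field (sort keys %RULES) {
        my $value = $form->{$field};
        unless (defined $value && length $value) {
            push @problems, "$field: missing";
            next;
        }
        $value =~ s/\r\n?/\n/g;            # browsers send CRLF from textareas
        if ($value =~ $RULES{$field}) {
            $clean{$field} = $value;
        } else {
            push @problems, "$field: disallowed characters or too long";
        }
    }

    # A parameter the form never defined usually means a bot probing for
    # names the script might honour; treat it as a reason to discard.
    for my $extra (sort grep { !exists $RULES{$_} } keys %$form) {
        push @problems, "$extra: unexpected field";
    }

    return (\%clean, \@problems);
}

# Constructed sample submissions: a genuine visitor, and the same form
# with a line break smuggled into the single-line subject field.
my %genuine = (
    name    => 'Anna Mueller',
    email   => 'anna@example.org',
    subject => 'Question about opening hours',
    message => "Hello,\r\nare you open on Sunday?\r\n",
);
my %suspect = (%genuine, subject => "Hello\nsecond line");

for my $form (\%genuine, \%suspect) {
    my ($clean, $problems) = validate_form($form);
    if (@$problems) {
        print 'discarded: ', join('; ', @$problems), "\n";
    } else {
        print "accepted: subject '$clean->{subject}' from $clean->{email}\n";
    }
}
```

Run with `perl validate.pl`: the first submission is accepted, the second is discarded with `subject: disallowed characters or too long`. The line-ending normalisation happens before the match so that a textarea's CRLF passes the `message` rule, while a lone `\r` or `\n` in any single-line field still fails, which is exactly the newline-in-subject case Ian singles out.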