Journal of shockme (2685)

Tuesday December 09, 2003
06:01 PM

A Question Regarding a CGI script

[ #16250 ]

Consider the following script:

#!/usr/local/bin/perl
use strict;
use CGI qw(param save_parameters);

# Form fields, taken straight from the request
my $user_name  = param('UserName');
my $email_addy = param('EmailAddy');
my $comments   = param('Comments');

# -t tells sendmail to read the recipients from the message headers
open(SENDMAIL, "| sendmail -oi -t") or die "Can't fork for sendmail: $!\n";
print SENDMAIL <<EOF;
From: $email_addy
To: joe\@exitwound.org
Subject: Message from $user_name

$user_name ($email_addy) has sent you the following:

-----------------------------------------

$comments

-----------------------------------------

EOF
save_parameters(*SENDMAIL);
close(SENDMAIL);

Other than flooding Joe's inbox, can you think of any way that this script could be abused? More specifically, is it possible to abuse this script to send email to someone other than Joe?


  • Drive-by email (Score:3, Informative)

    by dws (341) on 2003.12.09 18:33 (#26406)
    You'll want to screen $email_addy to prevent someone from passing in, say "foo@bar\nCc: somebodyelse@example.com".
    • When I passed it that from a simple form, it emailed me the following:
      Test Name (steveNOSPAM@exitwound.org\nCc:stephenNOSPAM@hsc.edu) has sent you the following:
      It only sent one email, and that was to the address hardcoded in the To: field in the script. I never received an email at the Cc: address.

      The email header shows:

      From: "steveNOSPAM@exitwound.orgnCc:stephenNOSPAM" <@ttuhsc.edu>

      which is weird, but still unsuccessful.

      --

      If things get any worse, I'll have to ask you to stop helping me.

      • Looks like you're losing the newline. Are you sure you're passing \n (%0A%0D)?
        • Here is a cut-and-paste of what I sent:

          steveNOSPAM@exitwound.org%0A%0DCc:shockNOSPAM@exitwound.org

          and

          steveNOSPAM@exitwound.org\nCc:shockNOSPAM@exitwound.org

          Both resulted in one email being sent to the hardcoded To: address, with nothing being received as a copy. And both resulted in goofed headers as previously described.

          What am I missing here? I agree with you that not checking $email_addy should be abusable, but I don't seem to be able to replicate it.

          --

          If things get any worse, I'll have to ask you to stop helping me.

          • My bad. Injecting %0A is sufficient.
            • Pasting

              steveNOSPAM@exitwound.org%0ACc:shockNOSPAM@exitwound.org

              results in the same thing ... Jeez. What am I missing here? This script may be insecure, but I'll be damned if I can prove it.

              --

              If things get any worse, I'll have to ask you to stop helping me.

              • Here's a simple test case. $to simulates a query parameter that someone has injected a %0A into. With suitable substitutions for email addresses, I get an email to each address.

                use CGI;

                my $to = CGI::unescape("a\@example.com%0ACc: b\@example.com");

                open(SENDMAIL, "| sendmail -oi -t") or die "sendmail: $!\n";
                print SENDMAIL <<EOF;
                From: test <you\@example.com>
                To: $to
                Subject: Automagic message

                Gotcha
                EOF
                close(SENDMAIL);

  • ...preferring to use the Mail::Mailer interface. You might look at that as an alternative.
    • I'm with you. That would have cleaned the script up quite a bit.

      Unfortunately, in this situation, the developer has no control over the installed modules. He has to live with what he has, and in this case has to follow the FAQ on sending mail.

      dws [perl.org] pretty much hit it on the head with the inadequate (i.e., no) untainting/validation of the input.

      But yeah, if the situation was different, I'd definitely go with modules.

      --

      If things get any worse, I'll have to ask you to stop helping me.
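The thread ends with dws's %0A test case showing the injection, and with the observation that the script does no validation of its input. The script below is an added example, not the original journal script and not code from any of the commenters: it is the same form handler rewritten with the two fixes the thread points at. It assumes sendmail lives at /usr/sbin/sendmail, and the helper names (valid_address, header_safe, build_message) are the example's own.

```perl
#!/usr/local/bin/perl
# Added example: the journal's form handler with two changes.
#   1. The recipient is given to sendmail on its command line instead of
#      letting "-t" collect recipients from headers the visitor helped write.
#   2. Every parameter that ends up in a header is checked: the address must
#      match a conservative pattern, and nothing may contain CR or LF.
use strict;
use warnings;
use CGI qw(param);

my $recipient = 'joe@exitwound.org';   # fixed; never taken from the form

# Conservative address check: one local part, one "@", one dotted domain.
# The classes admit no whitespace, so CR/LF can never pass, and \z (not $)
# is used so that a trailing newline is not silently accepted.
sub valid_address {
    my ($addr) = @_;
    return defined $addr
        && length($addr) <= 254
        && $addr =~ /\A[A-Za-z0-9._%+-]+\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\z/;
}

# Free-text header values: refuse a line break instead of stripping it,
# so an injection attempt is rejected visibly rather than quietly mangled.
sub header_safe {
    my ($value) = @_;
    return defined $value && length $value && $value !~ /[\r\n]/;
}

# Builds the message text. Returns ($message, undef) on success and
# (undef, $reason) when a field fails a check, so it can be tested without
# sending anything.
sub build_message {
    my ($user_name, $email_addy, $comments) = @_;
    return (undef, 'bad address')  unless valid_address($email_addy);
    return (undef, 'bad name')     unless header_safe($user_name);
    return (undef, 'bad comments') unless defined $comments;

    # $comments may contain newlines: it sits below the blank line that ends
    # the header block, so nothing in it can become a header.
    my $msg = <<"EOF";
From: $email_addy
To: $recipient
Subject: Message from $user_name

$user_name ($email_addy) has sent you the following:

-----------------------------------------

$comments

-----------------------------------------
EOF
    return ($msg, undef);
}

# Runs only when invoked as a CGI script; the functions above can be
# loaded with "require" from elsewhere without sending mail.
unless (caller) {
    my ($msg, $err) = build_message(
        scalar param('UserName'),
        scalar param('EmailAddy'),
        scalar param('Comments'),
    );
    if ($err) {
        print "Content-Type: text/plain\n\nRejected: $err\n";
        exit 0;
    }
    # List-form pipe open: no shell, recipient in argv, and no "-t", so
    # header lines inside $msg never select recipients. "-oi" keeps a lone
    # "." line in the body from ending the message early.
    open(my $sendmail, '|-', '/usr/sbin/sendmail', '-oi', $recipient)
        or die "Can't fork for sendmail: $!\n";
    print $sendmail $msg;
    close($sendmail) or die "sendmail exited with status $?\n";
    print "Content-Type: text/plain\n\nThanks\n";
}
```

Fed the value from the thread, steveNOSPAM@exitwound.org%0ACc:shockNOSPAM@exitwound.org, CGI.pm decodes the %0A to a newline before param() returns it, valid_address fails because the pattern allows no whitespace, and build_message returns (undef, 'bad address') without touching sendmail. The second change is the one that matters even if a check is ever weakened: with the recipient in sendmail's argument list and -t gone, an injected Cc: line is just text in the header block that the MTA does not deliver to. As in the original, the visitor's address goes into From:, which lets the form send mail claiming to be from any address that passes the pattern; a fixed From: plus a Reply-To: carrying the visitor's address would avoid that.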