  • Drive-by email (Score:3, Informative)

    by dws (341) on 2003.12.09 18:33 (#26406)
    You'll want to screen $email_addy to prevent someone from passing in, say "foo@bar\nCc: somebodyelse@example.com".
    • When I passed it that from a simple form, it emailed me the following:
      Test Name (steveNOSPAM@exitwound.org\nCc:stephenNOSPAM@hsc.edu) has sent you the following:
      It only sent one email, and that was to the address hardcoded in the To: field in the script. I never received an email at the Cc: address.

      The email header shows:

      From: "steveNOSPAM@exitwound.orgnCc:stephenNOSPAM" <@ttuhsc.edu>

      which is weird, but still unsuccessful.

      --

      If things get any worse, I'll have to ask you to stop helping me.

      • Looks like you're losing the newline. Are you sure you're passing \n (%0A%0D)?
        • Here is a cut-and-paste of what I sent:

          steveNOSPAM@exitwound.org%0A%0DCc:shockNOSPAM@exitwound.org

          and

          steveNOSPAM@exitwound.org\nCc:shockNOSPAM@exitwound.org

          Both resulted in one email being sent to the hardcoded To: address, with nothing being received as a copy. And both resulted in goofed headers as previously described.

          What am I missing here? I agree with you that not checking $email_addy should be abusable, but I don't seem to be able to replicate it.


          • My bad. Injecting %0A is sufficient.
            • Pasting

              steveNOSPAM@exitwound.org%0ACc:shockNOSPAM@exitwound.org

              results in the same thing ... Jeez. What am I missing here? This script may be insecure, but I'll be damned if I can prove it.


              • Here's a simple test case. $to simulates a query parameter that someone has injected a %0A into. With suitable substitutions for email addresses, I get an email to each address.

                use strict;
                use warnings;
                use CGI;

                # Simulates a query parameter that carried an encoded newline (%0A):
                # after unescaping, $to holds "a@example.com\nCc: b@example.com".
                my $to = CGI::unescape("a\@example.com%0ACc: b\@example.com");

                # -t makes sendmail take its recipients from the To:/Cc:/Bcc: headers,
                # so the injected Cc: line becomes a second recipient.
                open(SENDMAIL, "| sendmail -oi -t") or die "sendmail: $!\n";
                print SENDMAIL <<EOF;
                From: test <you\@example.com>
                To: $to
                Subject: Automagic message

                Gotcha
                EOF
                close(SENDMAIL);
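The screening dws calls for at the top of this thread, written out as an added example (this is not code from the thread or from the script under discussion). It assumes the recipient arrives already form-decoded, as a value from CGI::param() does; the helper names screen_address() and send_screened() and the path /usr/sbin/sendmail are assumptions. Note that typing %0A into a form field sends those three characters literally (the browser encodes the percent sign), so the decoded parameter carries no newline; that is why the test case above has to manufacture the newline with CGI::unescape.

```perl
#!/usr/bin/perl
# Added example: screens a user-supplied recipient before it reaches sendmail.
# screen_address() and send_screened() are hypothetical helper names, and the
# sendmail path is an assumption.
use strict;
use warnings;

# Return the address if it is safe to place in a header, undef otherwise.
# Takes the value as the form handler already decoded it (CGI::param() has
# already turned %0A into a real newline, so do NOT unescape it again here).
sub screen_address {
    my ($addr) = @_;
    return undef unless defined $addr;
    return undef if $addr =~ /[\r\n]/;            # would start a new header line
    return undef if $addr =~ /[\x00-\x1f\x7f]/;   # any other control character
    # Conservative allow-list: one bare ASCII address, no display name, no comments.
    return undef unless $addr =~ /\A\w[\w.+-]*\@[\w-]+(?:\.[\w-]+)+\z/a;
    return $addr;
}

# Build the message and hand the recipient to sendmail on its command line
# instead of using -t, so header lines in the message can never add recipients.
sub send_screened {
    my ($raw_to, $body) = @_;
    my $to = screen_address($raw_to);
    die "rejected recipient: " . (defined $raw_to ? $raw_to : 'undef') . "\n"
        unless defined $to;
    # List-form open: no shell is involved, so $to is an argument, never a command.
    open(my $sm, '|-', '/usr/sbin/sendmail', '-oi', $to)
        or die "sendmail: $!\n";
    print $sm "From: test <you\@example.com>\n";
    print $sm "To: $to\n";
    print $sm "Subject: Automagic message\n\n";
    print $sm "$body\n";
    close($sm) or die "sendmail exited with status " . ($? >> 8) . "\n";
    return $to;
}

# Constructed inputs, as the script would see them after form decoding.
my @cases = (
    'a@example.com',                          # accepted
    "a\@example.com\nCc: b\@example.com",     # rejected: LF in value
    "a\@example.com\r\nBcc: b\@example.com",  # rejected: CRLF in value
    'a@example.com%0ACc: b@example.com',      # rejected: '%' not allowed (harmless anyway)
    'Test Name <a@example.com>',              # rejected: display names not allowed
);
for my $c (@cases) {
    (my $shown = $c) =~ s/[\r\n]/\\n/g;
    printf "%-45s => %s\n", $shown, defined screen_address($c) ? 'ok' : 'rejected';
}
```

The two changes that matter are rejecting any value containing CR or LF before it is interpolated into a header, and dropping -t in favour of naming the recipient on sendmail's command line, so that even a value that slips past the check cannot add a Cc: or Bcc: recipient. Running the script prints one line per constructed case, with only the first accepted.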

  • ...preferring to use the Mail::Mailer interface. You might look at that as an alternative.
    • I'm with you. That would have cleaned the script up quite a bit.

      Unfortunately, in this situation, the developer has no control over the installed modules. He has to live with what he has, and in this case has to follow the FAQ on sending mail.

      dws pretty much hit it on the head with the inadequate (i.e., no) untainting/validation of the input.

      But yeah, if the situation was different, I'd definitely go with modules.
