All the Perl that's Practical to Extract and Report
  • Drive-by email (Score:3, Informative)

    by dws (341) on 2003.12.09 18:33 (#26406)
    You'll want to screen $email_addy to prevent someone from passing in, say "foo@bar\nCc: somebodyelse@example.com".
    • When I passed it that from a simple form, it emailed me the following:
      Test Name (steveNOSPAM@exitwound.org\nCc:stephenNOSPAM@hsc.edu) has sent you the following:
      It only sent one email, and that was to the address hardcoded in the To: field in the script. I never received an email at the Cc: address.

      The email header shows:

      From: "steveNOSPAM@exitwound.orgnCc:stephenNOSPAM" <@ttuhsc.edu>

      which is weird, but still unsuccessful.

      --

      If things get any worse, I'll have to ask you to stop helping me.

      • Looks like you're losing the newline. Are you sure you're passing \n (%0A%0D)?
        • Here is a cut-and-paste of what I sent:

          steveNOSPAM@exitwound.org%0A%0DCc:shockNOSPAM@exitwound.org

          and

          steveNOSPAM@exitwound.org\nCc:shockNOSPAM@exitwound.org

          Both resulted in one email being sent to the hardcoded To: address, with nothing being received as a copy. And both resulted in goofed headers as previously described.

          What am I missing here? I agree with you that not checking $email_addy should be abusable, but I don't seem to be able to replicate it.

          • My bad. Injecting %0A is sufficient.
            • Pasting

              steveNOSPAM@exitwound.org%0ACc:shockNOSPAM@exitwound.org

              results in the same thing ... Jeez. What am I missing here? This script may be insecure, but I'll be damned if I can prove it.

              • Here's a simple test case. $to simulates a query parameter that someone has injected a %0A into. With suitable substitutions for email addresses, I get an email to each address.

                use strict;
                use warnings;
                use CGI;

                # Simulates a query parameter after the CGI layer has URL-decoded it:
                # the %0A becomes a real newline, so "Cc: ..." lands on its own header line.
                my $to = CGI::unescape("a\@example.com%0ACc: b\@example.com");

                # -t tells sendmail to take recipients from the headers it reads,
                # so the injected Cc: line becomes a second recipient.
                open(SENDMAIL, "| sendmail -oi -t") or die "sendmail: $!\n";
                print SENDMAIL <<EOF;
                From: test <you\@example.com>
                To: $to
                Subject: Automagic message

                Gotcha
                EOF
                close(SENDMAIL) or die "sendmail exited with status $?\n";
                # Note: the EOF terminator must start in column 0 in a real script;
                # it is indented here only because the comment thread is.
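The screening step dws recommends at the top of the thread, written out as an added example (this is not code from the thread or from the script under discussion). It rejects any form-supplied address containing a control character before the value reaches a header, and it hands the real recipient to sendmail as an argument instead of using `-t`, so nothing inside the header block can add a recipient. The address pattern, the `screen_address`/`send_notice` names and the sample inputs are constructed for this example; the pattern is a deliberately conservative shape check, not an RFC 5322 validator.

```perl
#!/usr/bin/perl
# Added example: screening a form-supplied address before it is used in mail
# headers. Not part of the original thread or the script it discusses.
use strict;
use warnings;
use CGI ();

# Return the address if it is safe to place on a header line, undef otherwise.
# Any CR, LF or other control character is grounds for rejection: that is
# exactly what turns "a@example.com%0ACc: b@example.com" into an extra recipient.
sub screen_address {
    my ($addr) = @_;
    return undef unless defined $addr;
    return undef if $addr =~ /[\x00-\x1f\x7f]/;          # newline / control chars
    # Constructed, conservative shape check (hypothetical pattern, not full RFC 5322):
    return undef unless $addr =~ /^[A-Za-z0-9._%+-]+\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$/;
    return $addr;
}

# Send the notice to a fixed recipient; the form value only ever appears as a
# single screened header value and never as a recipient.
sub send_notice {
    my ($raw_from_form) = @_;
    my $addr = screen_address(CGI::unescape($raw_from_form));
    unless (defined $addr) {
        warn "rejected form address\n";                   # do not echo raw input into logs
        return 0;
    }
    my $recipient = 'you@example.com';                    # hardcoded To:, as in the thread
    # List-form open: the recipient is an argv element, and without -t sendmail
    # ignores any recipient headers in the message body.
    open(my $sendmail, '|-', 'sendmail', '-oi', $recipient) or die "sendmail: $!\n";
    print $sendmail <<"EOF";
From: test <$recipient>
To: $recipient
Reply-To: $addr
Subject: Automagic message

$addr has sent you the following:
EOF
    close($sendmail) or die "sendmail exited with status $?\n";
    return 1;
}

# Constructed inputs mirroring the ones pasted in the thread; only the first passes.
for my $input ('steveNOSPAM@exitwound.org',
               'steveNOSPAM@exitwound.org%0ACc:shockNOSPAM@exitwound.org',
               "steveNOSPAM\@exitwound.org\nCc:shockNOSPAM\@exitwound.org") {
    my $verdict = defined screen_address(CGI::unescape($input)) ? 'accepted' : 'rejected';
    (my $shown = $input) =~ s/\n/\\n/g;                   # keep the demo output on one line
    print "$verdict: $shown\n";
}
```

Running the loop shows the plain address accepted and both injected forms rejected, whether the newline arrives URL-encoded as `%0A` or as a literal character; `send_notice` is the same check wired into an actual send, and it is not called by the demo loop so the example does not send mail.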