Velocity Reviews > Newsgroups > Programming > Perl > Perl Misc > Question about abuse of a CGI script
Question about abuse of a CGI script

Martin Kissner
02-05-2006
hello together,

I had a CGI script on my mother's website to send email from an HTML form
(method post) for about two years.

The script was quite simple and had no checking of the user input
implemented.
When I wrote the script two years ago, I didn't even know that this is
necessary.
I used Mail::Mailer to send the input from the form in a nicely formatted
HTML email to my mother's email address.

Now the script was abused by a spammer who sent at least 6000 (probably
far more) spam emails.

I found *perldoc -q "How do I make sure"* which will enable me to secure
my script, but I also have another question:

How can I receive the exact input of the spammer to my form as email
without giving him the chance to abuse my script? I want to understand
what he did and how it worked.

Any information will be appreciated.
Thanks in advance

Best regards
Martin


--
perl -e '$S=[[73,116,114,115,31,96],[108,109,114,102,99,112],
[29,77,98,111,105,29],[100,93,95,103,97,110]];
for(0..3){for$s(0..5){print(chr($S->[$_]->[$s]+$_+1))}}'

Matt Garrish
02-05-2006

"Martin Kissner" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> hello together,
>
> I had a CGI script on my mother's website to send email from an HTML form
> (method post) for about two years.
>
> The script was quite simple and had no checking of the user input
> implemented.
> When I wrote the script two years ago, I didn't even know that this is
> necessary.


That's a scary statement to confess to... : )

>
> How can I receive the exact input of the spammer to my form as email
> without giving him the chance to abuse my script? I want to understand
> what he did and how it worked.
>


It would seem that if you have really secured your script, the person's
method would no longer work. Usually there is nothing special about what the
spammers do. They rely on you using cheap scripts like the ones you get
from Matt's archive, which they can then easily exploit because the source
code is free to look over and the bugs with it well known. Or they look for
obvious exploits like the ability to cc the email to someone and then flood
that field with email addresses.

I don't know how to answer your question except to say you should log every
request to that form with all the parameters submitted until the spammer
hits you again. I don't see how you can distinguish the spammer and allow
that person to run your script but not really execute it, which it sounds
like you want. You might also want to look into measures like captchas,
which will foil all but the most determined hackers.

Matt


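The logging Matt suggests, combined with a refusal of the Cc-flooding trick he describes, as an added example that is not the poster's script or anything from the thread. It assumes CGI.pm and Mail::Mailer are installed; the log path, the fixed recipient address and the form field names are assumptions.

```perl
#!/usr/bin/perl
# Added example, not the poster's script; $LOG_FILE, $TO and the field
# names are assumptions.
use strict;
use warnings;
use CGI;
use Fcntl qw(:flock);
use Mail::Mailer;

my $LOG_FILE = '/var/log/contactform/submissions.log';  # assumed path
my $TO       = 'owner@example.invalid';                 # fixed recipient
my $q        = CGI->new;

# 1. Record every request verbatim before acting on it, so an abusive
#    submission can be studied offline without being delivered.
open my $log, '>>', $LOG_FILE or die "cannot open $LOG_FILE: $!";
flock $log, LOCK_EX;
print $log "=== ", scalar localtime, " ", $ENV{REMOTE_ADDR} // '-', "\n";
$q->save($log);    # CGI.pm: "SAVING THE STATE OF THE SCRIPT TO A FILE"
close $log;

sub reject {
    print $q->header(-status => '400 Bad Request', -type => 'text/plain'),
          "Rejected: $_[0]\n";
    exit;
}

# 2. Anything that ends up in a mail header must be one bounded line:
#    a CR/LF in a field is how Cc/Bcc headers get injected into form mail.
sub header_field {
    my ($name, $max) = @_;
    my $v = $q->param($name) // '';
    reject("$name contains a line break") if $v =~ /[\r\n]/;
    reject("$name is too long")           if length($v) > $max;
    return $v;
}
my $name    = header_field('name',    80);
my $from    = header_field('email',   120);
my $subject = header_field('subject', 120);
reject('email is not a plausible address')
    unless $from =~ /^[^\s\@<>]+\@[^\s\@<>]+\.[^\s\@<>]+$/;
my $body = $q->param('message') // '';

# 3. Recipient is fixed; form values reach only the body and a validated
#    Reply-To, never To/Cc/Bcc.
my $mailer = Mail::Mailer->new('sendmail');
$mailer->open({ From => $TO, To => $TO, 'Reply-To' => $from,
                Subject => "[contact form] $subject" });
print $mailer "Name: $name\nEmail: $from\n\n$body\n";
$mailer->close or die "sending failed: $!";
print $q->header('text/plain'), "Thank you, your message was sent.\n";
```

Because the log entry is written before any validation, a rejected submission is still recorded in full for later analysis.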

DJ Stunks
02-05-2006
Martin Kissner wrote:
> How can I receive the exact input of the spammer to my form as email
> without giving him the chance to abuse my script? I want to understand
> what he did and how it worked.


If you are using CGI.pm (as I hope you are) you could check out either
of the following sections of the module's docs:
- "SAVING THE STATE OF THE SCRIPT TO A FILE"
- "DUMPING OUT ALL THE NAME/VALUE PAIRS"

Combine this with MIME::Lite to send yourself a copy.

I don't know, however, how you will filter "spam" emails from "actual"
emails - this part is up to you... (Regexp::Common::spam = qr{viagra}?)

-jp


Martin Kissner
02-05-2006
DJ Stunks wrote :
> Martin Kissner wrote:
>> How can I receive the exact input of the spammer to my form as email
>> without giving him the chance to abuse my script? I want to understand
>> what he did and how it worked.

>
> If you are using CGI.pm (as I hope you are) you could check out either
> of the following sections of the module's docs:
> - "SAVING THE STATE OF THE SCRIPT TO A FILE"
> - "DUMPING OUT ALL THE NAME/VALUE PAIRS"


I didn't use CGI.pm and I have read that CGI.pm in many cases produces
much overhead.

> Combine this with MIME::Lite to send yourself a copy.
>
> I don't know, however, how you will filter "spam" emails from "actual"
> emails - this part is up to you... (Regexp::Common::spam = qr{viagra}?


The problem is not so much how to filter spam from real mail since I
have renamed the original form and put in some quick'n'dirty filters.
Now I want to set up a form with the original filename and process it in
a way which helps me to understand how the attack of the spammer works.

I will check the docs you posted to see if I will find anything I could
use.
Thanks and Best regards
Martin


Martin Kissner
02-05-2006
Matt Garrish wrote :
>
> "Martin Kissner" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> hello together,
>>
>> I had a CGI script on my mother's website to send email from an HTML form
>> (method post) for about two years.
>>
>> The script was quite simple and had no checking of the user input
>> implemented.
>> When I wrote the script two years ago, I didn't even know that this is
>> necessary.

>
> That's a scary statement to confess to... : )


Well, I am an autodidact and sometimes things must be learned the hard
way.
>>
>> How can I receive the exact input of the spammer to my form as email
>> without giving him the chance to abuse my script? I want to understand
>> what he did and how it worked.
>>

>
> It would seem that if you have really secured your script, the person's
> method would no longer work.


Up to now I did not really secure the script but I have put in some
filters to prevent the person's method from working. I think this is
a large scale spammer since he sends mail to far more than 100,000
recipients.

> Usually there is nothing special about what the
> spammers do. They rely on you using cheap scripts like the one's you get
> from Matt's archive, ...


or mine *g*

> ... which they can then easily exploit because the source
> code is free to look over and the bugs with it well known. Or they look for
> obvious exploits like the ability to cc the email to someone and then flood
> that field with email addresses.


Yes, I think so.
Two days before the attack I realized 5 emails with strange looking
values in the form fields. I afterwards could extract a single Bcc
address which I suppose is controlled by the spammer and is used to
report exploitable mail forms.

> I don't know how to answer your question except to say you should log every
> request to that form with all the parameters submitted until the spammer
> hits you again. I don't see how you can distinguish the spammer and allow
> that person to run your script but not really execute it, which it sounds
> like you want. You might also want to look into measures like captchas,
> which will foil all but the most determined hackers.


Distinguishing the spammer at this point is no problem.
As soon as I rename my email form back and open the filters I
implemented, he hits me over and over again from different IP addresses.
I could collect 10 thousands of email addresses from his list because they
are listed in the first input field of my form.

I have already removed any variables from the part of my script which
sets the mailheaders but still he gets through.

What I want is to execute a script which enables me to analyse the
method the spammer uses in order to learn how this works - not because I
want to redo it, but I am interested.
If possible I would like to read the exact code (and other input) he
writes to the input fields of my form.

Best regards
Martin


John W. Kennedy
02-05-2006
Martin Kissner wrote:
> hello together,
>
> I had a CGI script on my mother's website to send email from an HTML form
> (method post) for about two years.
>
> The script was quite simple and had no checking of the user input
> implemented.
> When I wrote the script two years ago, I didn't even know that this is
> necessary.
> I used Mail::Mailer to send the input from the form in a nicely formatted
> HTML email to my mother's email address.
>
> Now the script was abused by a spammer who sent at least 6000 (probably
> far more) spam emails.


A device that has worked for me to foil robot spammers is simply to
leave the submit button out of the HTML and create it instead at onload
time, using JavaScript. It won't stop a human, but generally stymies robots.

--
John W. Kennedy
"But now is a new thing which is very old--
that the rich make themselves richer and not poorer,
which is the true Gospel, for the poor's sake."
-- Charles Williams. "Judgement at Chelmsford"

Gunnar Hjalmarsson
02-05-2006
Martin Kissner wrote:
> What I want is to execute a script which enables me to analyse the
> method the spammer uses in order to learn how this works - not because I
> want to redo it, but I am interested.


If you post the (relevant part of the) script here, somebody will
probably be able to tell you what the problem is.

--
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl

A. Sinan Unur
02-05-2006
Martin Kissner <(E-Mail Removed)> wrote in
news:(E-Mail Removed):

> DJ Stunks wrote :
>> Martin Kissner wrote:
>>> How can I receive the exact input of the spammer to my form as
>>> email without giving him the chance to abuse my script? I want to
>>> understand what he did and how it worked.

>>
>> If you are using CGI.pm (as I hope you are) you could check out
>> either of the following sections of the module's docs:
>> - "SAVING THE STATE OF THE SCRIPT TO A FILE"
>> - "DUMPING OUT ALL THE NAME/VALUE PAIRS"

>
> I didn't use CGI.pm and I have read that CGI.pm in many cases produces
> much overhead.


While CGI.pm is not going to automatically solve your problems,
the reason you give above for not using CGI.pm is plain stupid.
Who cares about CGI.pm overhead for an email script?

The question you have to ask yourself is why you want any odd visitor to
your web site to be able to send email to anyone at all even if it is
not large scale spamming.

Take a look at Gunnar Hjalmarsson's CGI::ContactForm:

http://search.cpan.org/~gunnar/CGI-C...ContactForm.pm

Sinan
--
A. Sinan Unur <(E-Mail Removed)>
(reverse each component and remove .invalid for email address)

comp.lang.perl.misc guidelines on the WWW:
http://mail.augustmail.com/~tadmc/cl...uidelines.html

xhoster@gmail.com
02-05-2006
Martin Kissner <(E-Mail Removed)> wrote:
> DJ Stunks wrote :
> > Martin Kissner wrote:
> >> How can I receive the exact input of the spammer to my form as email
> >> without giving him the chance to abuse my script? I want to
> >> understand what he did and how it worked.

> >
> > If you are using CGI.pm (as I hope you are) you could check out either
> > of the following sections of the module's docs:
> > - "SAVING THE STATE OF THE SCRIPT TO A FILE"
> > - "DUMPING OUT ALL THE NAME/VALUE PAIRS"

>
> I didn't use CGI.pm and I have read that CGI.pm in many cases produces
> much overhead.


How polite of you to avoid the use of CGI in order to avoid overhead. Now
the spammers can spam 3.7% faster!

Seriously, how many legitimate hits on your script do you expect to have
each minute? How much overhead will that contribute? Hmmm...

Xho

--
-------------------- http://NewsReader.Com/ --------------------
Usenet Newsgroup Service $9.95/Month 30GB

A. Sinan Unur
02-05-2006
"A. Sinan Unur" <(E-Mail Removed)> wrote in
news:Xns97619683613C3asu1cornelledu@127.0.0.1:

> Take a look at Gunnar Hjalmarsson's CGI::ContactForm:
>
> http://search.cpan.org/~gunnar/CGI-C...ContactForm.pm


Actually, I'll take that back ... It looks like CGI::ContactForm
automatically Bcc's the message to the email address entered by
the website visitor. It seems to me, that is a whole hole through which
spam can be sent to anyone.

Sinan