mysterious line in my script - what does it all mean?

maxwells

Dear Friends,

There is a line of code in my Perl script which is mysterious for the
following reason: it doesn't appear to do anything useful, but if I
remove it the script stops working.

This is my script, a simple mailer which is accessed by AJAX. It
receives a POST with the contents of a two-element form:

#!/usr/bin/perl -w
use CGI;
$query = new CGI;
$sender = $query->param('s');
$message = $query->param('m');

$mailprog = '/usr/lib/sendmail';
open(MAIL,"|$mailprog -t");
print MAIL "To: donald\@duck.com\n";
print MAIL "From: $sender\n";
print MAIL "Subject: AJAX Mailer\n\n";
print MAIL "$message";
close (MAIL);

$remotehost = $query->remote_host(); # <----- this is the mysterious line
print $query->header;
print "<p>Your message was received.</p>";

If I leave the "$remotehost =" line in, the print commands work, and
the "received" message is posted on the web page by
xmlHttpReq.responseText

If I remove the "$remotehost =" line, which was only there because it
was useful in a completely different context, the "received" message
never appears.

I have now tried this on two linux servers, and it behaves the same way
on each.

I'm sure there is a perfectly good reason for this, but I don't know
what it is. Would the experts of comp.lang.perl please lend me the
benefit of their collective wisdom?

Thanks a lot,

John
 
usenet

> I have now tried this on two linux servers, and it behaves the same way
> on each.

I cannot duplicate the problem on my machine. It works as expected
with or without the "mysterious line."

What happens if you run it directly from a commandline, such as:

myprogram.cgi s=foo m=bar
 
maxwells

Thanks David,

I think your good vibes solved the problem, it now works as expected.
And knowing perl, it will for another fifty years

Cheers,

John
 
Josef Moellers

> Thanks David,
>
> I think your good vibes solved the problem, it now works as expected.
> And knowing perl, it will for another fifty years

Knowing computers and software, it will bite you when you least expect
it. "Good vibes" do not fix errors.

Josef
 
Randal L. Schwartz

maxwells> #!/usr/bin/perl -w
maxwells> use CGI;
maxwells> $query = new CGI;
maxwells> $sender = $query->param('s');
maxwells> $message = $query->param('m');

maxwells> $mailprog = '/usr/lib/sendmail';
maxwells> open(MAIL,"|$mailprog -t");
maxwells> print MAIL "To: donald\@duck.com\n";
maxwells> print MAIL "From: $sender\n";

This code can be used to send arbitrary spam to arbitrary addresses.

Please stop using it immediately, and learn enough about computer
security to fix it. Or hire someone who knows.

But in any event, YOU having THAT script on the net can harm ME
and MY FRIENDS. So please remove it.
 
maxwells

Dang.

I thought it would only send arbitrary messages to (e-mail address removed)

But if that is your actual email address, many apologies!
 
Uri Guttman

m> Dang.
m> I thought it would only send arbitrary messages to (e-mail address removed)

wrong.

what if someone sent this in the to: from field:

"(e-mail address removed)\nBCC:[email protected]\n"

you don't check the input for evil values. this is why taint (-T option)
is there.

uri
 
Mumia W. (on aioe)

> Dang.
>
> I thought it would only send arbitrary messages to (e-mail address removed)
>
> But if that is your actual email address, many apologies!

Mr. Schwartz, Maxwells' program, in its current form, cannot do what you
say because the To: header is hardcoded.

In any case, there are 350,000 comcast machines currently running spam
software 1,000 times more sophisticated than anything Maxwells could write.

Maxwells, validate your input for correctness and don't top-post and
don't quote signatures and do read the posting guidelines for this
newsgroup: http://www.augustmail.com/~tadmc/clpmisc/clpmisc_guidelines.html

Have a good day all.
 
Paul Lalli

> Mr. Schwartz, Maxwells' program, in its current form, cannot do what you
> say because the To: header is hardcoded.

Mr. W, *you* should never be allowed near a CGI program either. The
above program prints USER-ENTERED DATA in the headers of the mail
message. This data is not verified before being printed. Just because
the *programmer* only put a hard-coded address as a To: header, does
not mean the data will not contain additional headers. You honestly
don't think a user could access this script providing a 's' parameter
of "(e-mail address removed)\nCC: (e-mail address removed)" ?

Paul Lalli
 
John Bokma

A. Sinan Unur said:
> It does not mean one should provide another means of relaying spam. My
> online contact form gets tested by spambots almost weekly.

You're lucky then. My comment form gets daily spam. Some is dropped early,
and what gets through is mostly reported, as it should in my opinion.

> I know of at
> least one crucial that had to be taken down after the IT department
> responsible for it ignored my warning regarding exactly this
> vulnerability. (Their justification: No one would bother exploiting
> this).

Yup, I hear that often: my site is just small, and I get just 20 visitors
a day. They forget that the 20 visitors consist of: them, a friend, a
family member, and 17 bots, of which 13 are looking for email addresses to
spam and forms to dump links in.

With not much effort one can find guestbooks holding 1400 spam links. All
simple, and small sites, so small that the owners forgot about them :-(
 
Mumia W. (on aioe)

>> You and Mr. Schwartz were right. I was wrong. Anything can end up in the
>> $sender, and that means that anything can end up in the From: header.
>> Paul

> I am not seeing this behavior in my testing of what you state. All I
> get is an email with a sender which has the following format.
>
> "(e-mail address removed):spam_address"@example.com
>
> Does the spamming problem you speak of go away if using a module like
> Mail::Sender? I am assuming Mail::Sender may do some form of validity
> checking (tainting) according to the RFC's.

Be prepared to do your own validity checking.
 
maxwells

Dear Everybody,

It is a learning experience just reading over the reactions to my
rather naive posting.

I tried out the method uri warned me about, putting an equivalent to

"(e-mail address removed)\nBCC:[email protected]\n"

as the address of the sender, and Perl responded like this:

"Forbidden
You don't have permission to access /cgi-bin/mailer.pl on this
server.

Additionally, a 404 Not Found error was encountered while trying
to use an ErrorDocument to handle the request."

uri, sinan, paul and others are right - there is a major security risk
here, although Perl seems to block it somehow.

I am going to try the textarea hack suggested by sinan to see if this
gets through

max
 
Paul Lalli

> I am not seeing this behavior in my testing of what you state. All I
> get is an email with a sender which has the following format.
>
> "(e-mail address removed):spam_address"@example.com

You seem to be under the very bizarre (and very wrong) impression that
the form which was designed to contact this CGI script is the only way
to contact the CGI script.

That, or you just neglected the \ before the n. One of the two.

> Does the spamming problem you speak of go away if using a module like
> Mail::Sender?

Of course not. This is programmer stupidity, not code stupidity.

> I am assuming Mail::Sender may do some form of validity
> checking (tainting) according to the RFC's.

What? Why would Mail::Sender do any taint checking? And what does
taint checking have to do with the RFC's? And what do the RFC's have
to do with this problem?

Paul Lalli
 
maxwells

Using the technique suggested by A. Sinan Unur, re-authoring the form to
send the recipient's address as a <textarea> with a BCC: line results
in

"Forbidden
You don't have permission to access /cgi-bin/mailer.pl on this
server. "

Once again, this is not to defend my Perl script, which is wholly
inadequate, but it does make me marvel at Perl's resilience.
 
Charlton Wilbur

JB> Yup, I hear that often: my site is just small, and I get just
JB> 20 visitors a day. They forget that the 20 visitors consist
JB> of: them, a friend, a family member, and 17 bots, of which 13
JB> are looking for email addresses to spam and forms to dump
JB> links in.

$work wanted forums that anyone could register for, so I set up YABB.
$manager complained that it was too difficult to register -- one must
wait for an email response and click on a link in it to verify one's
email before one may post. I showed the logs -- we have about fifteen
spammers attempting to register for every one valid user who tries.

Charlton
 
John Bokma

Charlton Wilbur said:
> JB> Yup, I hear that often: my site is just small, and I get just
> JB> 20 visitors a day. They forget that the 20 visitors consist
> JB> of: them, a friend, a family member, and 17 bots, of which 13
> JB> are looking for email addresses to spam and forms to dump
> JB> links in.
>
> $work wanted forums that anyone could register for, so I set up YABB.
> $manager complained that it was too difficult to register -- one must
> wait for an email response and click on a link in it to verify one's
> email before one may post. I showed the logs -- we have about fifteen
> spammers attempting to register for every one valid user who tries.

There is software for sale that, according to the description, takes care
of this as well. Some time ago I even saw a request for people to solve
CAPTCHAs. If I recall correctly the best bid for one week of work was 50
USD or so.
 
Tad McClellan

Randal L. Schwartz wrote:

> I thought it would only send arbitrary messages to (e-mail address removed)
                               ^^^^^^^^^

That is why Randal pointed it out to you, because you are not thinking
correctly. (and you seem determined to keep it that way.)

> But if that is your actual email address, many apologies!


If you do not understand how it can be used to send to *arbitrary*
addresses, then *ask* how.

Being flippant about aiding spammers is a good way to become ignored.

So is top-posting and full-quoting.

So long!
 
Mumia W. (on aioe)

> Using the technique suggested by A. Sinan Unur, re-authoring the form to
> send the recipient's address as a <textarea> with a BCC: line results
> in
>
> "Forbidden
> You don't have permission to access /cgi-bin/mailer.pl on this
> server. "
>
> Once again, this is not to defend my Perl script, which is wholly
> inadequate, but it does make me marvel at Perl's resilience.

I tried it two ways, and the exploit works.

First, the hacker can use a script to create the malformed post request
like so:

#!/usr/bin/perl
use strict;
use warnings;
use Fatal qw(open close);

my $localhost = "$ENV{PAGES_ROOT}/trymail.cgi";
my $postreq =
'[email protected]%0ACC:[email protected]
&m=This is a message.
';

open (my $lynx, "|-", "lynx -post_data $localhost");
print $lynx $postreq;
close $lynx;

__END__

Notice that a newline character, %0A, was put into the line. The spam
victim was specified by a CC: header.

And re-writing the HTML form to use a textarea for the "from" data also
works if you enter this:

------------cut---------
(e-mail address removed)
CC:spamvictim.example.com
------------cut---------

Anyway, once it's been established that anything can be put into the
headers, *anything* can be put into the headers.

That includes a 2000-byte block of binary data that causes sendmail to
crash while leaving a shell open on a port.

:-(

Validate your input. Perhaps Regexp::Common::Email::Address could be of
some help.
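The hardened rewrite below is an added illustration, not a script from this thread or from any of its posters. It does what Paul Lalli and Mumia ask for (validate the user-supplied sender before it reaches a mail header) and what Uri pointed at (taint mode, -T). It keeps the sendmail path and the two form fields from the original script; the recipient address is a placeholder, and the helper names clean_address and clean_body are mine. Note the use of \A and \z in the address pattern: a pattern anchored with $ would still accept a value with a trailing newline, which is exactly the character this whole thread is about.

```perl
#!/usr/bin/perl -T
# Hardened version of the AJAX mailer discussed in the thread (added example,
# not the original poster's code). Assumes CGI.pm and sendmail at
# /usr/lib/sendmail, as the original did.
use strict;
use warnings;
use CGI;

# Taint mode refuses to run external programs with an untrusted PATH.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $MAILPROG  = '/usr/lib/sendmail';
my $RECIPIENT = 'recipient@example.com';   # placeholder for the fixed To: address

# Returns the address if $addr is exactly one plain addr-spec, else undef.
# The character classes exclude CR, LF, whitespace, ':', '<', '>' and '"',
# so an injected "\nBcc: ..." or "\nCc: ..." can never get through. A
# capture from a successful match is what untaints the value under -T.
sub clean_address {
    my ($addr) = @_;
    return undef unless defined $addr;
    return undef if length $addr > 254;
    if ($addr =~ /\A([A-Za-z0-9._%+-]{1,64}\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\z/) {
        return $1;
    }
    return undef;
}

# Returns the body when it is a sane size and free of NUL bytes, else undef.
# Newlines are fine in a body; they were the problem only in a header.
sub clean_body {
    my ($body) = @_;
    return undef unless defined $body;
    return undef if length $body > 10_000;
    return undef if $body =~ /\x00/;
    my ($clean) = $body =~ /\A(.*)\z/s;    # untaint after the checks above
    return $clean;
}

my $query   = CGI->new;
# scalar() avoids CGI.pm's list-context param() behaviour (and its warning).
my $sender  = clean_address(scalar $query->param('s'));
my $message = clean_body(scalar $query->param('m'));

print $query->header;
unless (defined $sender && defined $message) {
    # STDERR goes to the web server's error log: count the rejections there
    # without echoing the raw input back into the page or the log.
    warn "mailer: rejected request from " . ($query->remote_host // '?') . "\n";
    print "<p>Your message could not be sent: invalid sender address or message.</p>";
    exit 0;
}

# List-form open: no shell parses the command line. The recipient is given
# as an argument instead of "-t", so sendmail delivers only to $RECIPIENT
# and never takes recipients from the headers of the message itself.
open(my $mail, '|-', $MAILPROG, $RECIPIENT)
    or die "cannot run $MAILPROG: $!";
print {$mail} "To: $RECIPIENT\n";
print {$mail} "From: $sender\n";
print {$mail} "Subject: AJAX Mailer\n\n";
print {$mail} $message;
close($mail) or die "sendmail exited with status " . ($? >> 8) . "\n";

print "<p>Your message was received.</p>";
```

Two layers are deliberate here: the regex keeps header-breaking characters out of the From: line, and dropping "-t" in favour of an explicit recipient means that even a header which somehow slipped past validation would not change where sendmail delivers. The Regexp::Common::Email::Address module Mumia mentions, or Email::Valid, can replace the hand-written pattern if a fuller RFC check is wanted; the CR/LF rejection and the \A...\z anchoring still matter either way.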
 
Josef Moellers

Randal said:
> maxwells> #!/usr/bin/perl -w
> maxwells> use CGI;
> maxwells> $query = new CGI;
> maxwells> $sender = $query->param('s');
> maxwells> $message = $query->param('m');
>
> maxwells> $mailprog = '/usr/lib/sendmail';
> maxwells> open(MAIL,"|$mailprog -t");
> maxwells> print MAIL "To: donald\@duck.com\n";
> maxwells> print MAIL "From: $sender\n";
>
> This code can be used to send arbitrary spam to arbitrary addresses.
>
> Please stop using it immediately, and learn enough about computer
> security to fix it. Or hire someone who knows.
>
> But in any event, YOU having THAT script on the net can harm ME
> and MY FRIENDS. So please remove it.

With all due respect, this is not quite justified.
There is nothing in maxwells' post that implies that his script will be
accessible from the outside. It could very well be that he will be
running it inside his private network or within the intranet of his
school/company.
Even if it is (and I suffer from spam myself), I doubt that it will make that
much of a difference.

Josef
 
