[triangle-zpug] zp hacked by spambot

Philip Semanchuk philip at semanchuk.com
Fri Mar 30 16:19:02 CEST 2007


On Mar 30, 2007, at 9:47 AM, Geoff Davis wrote:

> Frank,
>
> This sounds like an approach spammers have taken in the past.  Here's
> the gist of it:
>
> The data sent to your SMTP server looks something like this
>
> To: recipient at address.com
> From: sender at otheraddress.com
> Subject: subject here
>
> message body
>
> One thing spammers have done in the past is to insert carriage
> returns into the To: or From: fields.  They can then change the
> headers that your SMTP server gets.  For example, if I use as my
> "From" address, "31337 at spammer.com\nBcc: recipient1 at mail.com,
> recipient2 at mail.com...", then the mail server will get
>
> To: recipient at address.com
> From: 31337 at spammer.com
> Bcc: recipient1 at mail.com, recipient2 at mail.com,...
> Subject: subject here
>
> message body

Exactly right. Google for "email header injection" and you'll find lots 
of people tearing their hair out over this one. Here's an article I 
sent to a friend earlier this month who was having the same problem 
with a form on her site:
http://www.securephpwiki.com/index.php/Email_Injection

You need to scrub this little monster:

>>> l_email=request.get('email')


Good luck
Philip




>
> There's code in Plone that filters such things out, but perhaps
> zm_sendMail doesn't call it.  I think the filtering code is something
> like secure_sendmail in PloneTool.
>
> Geoff
>
> On Mar 30, 2007, at 9:38 AM, Stephan Altmueller wrote:
>
>> Hi Frank,
>>
>> I don't fully understand how the bcc field could be inserted, it's not
>> used in any of the
>> code below (unless the "zm_sendMail" script/function reads it from the
>> request object).
>>
>> If this is a basic "Script (Python)" script then the fundamental
>> problem
>> is that it uses
>> unvalidated request parameters. You could replace it with a form
>> controller script (.cpy)
>> and add a validation (.vpy) script via the metadata that validates all
>> parameters.
>>
>>        - Stephan
>>
>> Dimauro, Frank wrote:
>>> One of our python scripts that was sitting in our custom skins folder
>>> (developed by Cignex to serve as the basis script that handles our
>>> email
>>> forms) was exploited by a spammer and caused a whole mess of spam
>>> to be
>>> generated from our Exchange email server. The script was not in
>>> use but
>>> "someone somehow" knew it was there and exploited it. Here it is
>>> below.
>>> We have since turned off smtp port 25 on the server and our email
>>> forms
>>> are dormant. Can anyone suggest a fix that will prevent future
>>> hijack?
>>> The spammer added a bcc: field to the form and bcc'd the spam to
>>> thousands. The giveaway was the MIME header on one of the relayed
>>> emails
>>> that listed the email l_mail_to
>>> ='mohammad_ismail at akebonosoft.com'...ismail was a cignex contract
>>> employee who was one of the original developers of our site...
>>>
>>> Frank DiMauro
>>>
>>> "Our Age of Anxiety is, in great part, the result of trying to do
>>> today's jobs with yesterday's tools."
>>> -M.McLuhan
>>>
>>> #####################################################################
>>> ##
>>> ## Script (Python) "zp_contactus"
>>> ##bind container=container
>>> ##bind context=context
>>> ##bind namespace=
>>> ##bind script=script
>>> ##bind subpath=traverse_subpath
>>> ##parameters=
>>> ##title=
>>> ##
>>> #
>>> ---------------------------------------------------------------------
>>> ---
>>> ------------------------
>>> #  Name:  zp_contactus
>>> #
>>> #  Purpose : Sends contact information
>>> #
>>> #  Mandatory REQUEST parameters: None
>>> #
>>> #  Optional REQUEST parameters: None
>>> #
>>> #  Development History:
>>> #   Date          Author     Description
>>> #   -----------   -------    --------------
>>> #   04/24/2004    CIGNEX     Created
>>> #
>>> ---------------------------------------------------------------------
>>> ---
>>> ------------------------
>>>
>>> request = container.REQUEST
>>> RESPONSE =  request.RESPONSE
>>>
>>> # Determine - whom to send the mail
>>> l_mail_to ='mohammad_ismail at akebonosoft.com'
>>> l_email=request.get('email')
>>>
>>>
>>> # Form the mail subject
>>> l_mail_subject = "UNCH - Contact Us form"
>>>
>>> # Form the mail body
>>> l_body = '\n'
>>> l_body = l_body + 'Name = ' + request.get('name') + '\n'
>>> l_body = l_body + 'Address = ' + request.get('address') + '\n'
>>> l_body = l_body + 'Phone Number = ' + request.get('phone') + '\n'
>>> l_body = l_body + 'Email = ' + request.get('email') + '\n'
>>> l_body = l_body + 'Comments = ' + request.get('comments') + '\n'
>>>
>>> # Result page Object
>>> l_resultPage = container['zpt_confirmation']
>>>
>>> # send form in email
>>> context.zm_sendMail(context,
>>>            mail_from=l_email,
>>>            mail_to=l_mail_to,
>>>            mail_subject=l_mail_subject,
>>>            mail_body=l_body)
>>>
>>> # show result page
>>> url = 'http' + context.absolute_url()[4:]
>>>
>>> target= '%s/%s?p_message=%s&p_heading=%s' % (url, 'l_resultPage',
>>>         'We will go through your feedback and get back to you soon.',
>>>         'Thanks for contacting us')
>>>
>>> return context.REQUEST.RESPONSE.redirect(target)
>>>
>>>
>>>
>>> _______________________________________________
>>> triangle-zpug mailing list
>>> triangle-zpug at starship.python.net
>>> http://starship.python.net/mailman/listinfo/triangle-zpug
>>>
>>
>>
>> -- 
>> --------------------------------------------------------
>> Stephan Altmueller
>> Applications Analyst
>> OASIS - Office of Arts and Sciences Information Services
>> University of North Carolina at Chapel Hill
>> Phone: 919-962-4205
>> Email: stephan_altmueller at unc.edu
>>
>>
>>
>
>
>