Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Apps :: web5031.htm

FormMail anonymous mail forwarding



25th Jan 2002 [SBWID-5031]
COMMAND

	FormMail anonymous mail forwarding

SYSTEMS AFFECTED

	FormMail 1.9

PROBLEM

	From Ronald F. Guilmette  <rfg@monkeys.com>  &  Infinite  Monkeys
	&  Co.  Justin  Mason   <jm+fma@jmason.org>   -   maintainer   of
	SpamAssassin                                                  whitepaper
	http://www.monkeys.com/anti-spam/formmail-advisory.ps] :
	

	This advisory describes various methods and mechanisms  for  the  remote
	abuse of the widely-used FormMail script, version 1.9, to send  arbitrary
	e-mail messages to arbitrary recipients  without  the  consent  of,  and
	against the wishes and intentions of those who have  installed  the  script
	on their web servers. Essentially all of the exploits  described  herein
	are also applicable to  ear- lier (pre-1.9) versions of FormMail.
	

	General information on the widely-used free FormMail CGI script  may  be
	found at the following URL:
	

	     http://worldwidemart.com/scripts/formmail.shtml

	

	

	Impact

	

	By manipulating inputs to the FormMail CGI script, remote users  may  abuse
	the functionality provided by FormMail to cause the local mail server  on
	the same (web) server system to send arbi- trary e-mail messages  to  arbitrary
	e-mail destination addresses. Such e-mail messages may contain  real  or
	forged sender e-mail  addresses  (in  the  From:  headers)  entirely  of
	the attacker\'s choosing. In some cases, the envelope  sender  addresses
	of  such messages may also be set to arbitrary values by the attacker.
	

	When and if the vulnerabilities described below do exist (which is  dependent,
	in some cases, upon script installation configura- tion choices  and  web
	server  configuration  choices)  and  when  and  if  they  are  in  fact
	exploited by an outside attacker,  message  recipients  will  have  only
	incomplete e-mail tracing information available in  the  message  e-mail
	headers. This incomplete tracing information  will  lead  back  only  as
	far as the web server that hosts the FormMail  script.  The  IP  address
	actually used to ini- tiate the messages will not  be  available  to  these
	recipients. The originating IP address of the attacker may  or  may  not
	be available (in local web server logs)  to  the  administrator  of  the
	exploited web server, depending on local web server logging, log file  retention
	policies, and the length of time that elapses between  exploitation  and
	the time the local administrator becomes aware of the  exploitation.  (Of
	course, even in cases where  web  server  logs  are  available,  tracing
	information contained therein may perhaps allow  tracing  of  the  attacker
	only as far back as whatever anonymizing HTTP proxy the attacker used.)
	

	

	Notification

	

	We have followed the notification guidelines laid out in:
	

	     http://www.wiretrip.net/rfp/policy.html

	

	with respect to this advisory.  Both  authors  of  the  present  advisory
	attempted to contact the FormMail maintainer via  the  e-  mail  address
	given on the FormMail home  page  more  than  five  working  days  prior
	to publication of this advisory. No response  from  the  maintainer  was
	forthcoming. Attempt were also made to contact the maintainer  via  telephone
	but were unsuccessful.
	

	

	Background

	

	The FormMail script has a  long  and  unenviable  history  with  regards
	to security issues. Originally intended as a  helpful  free  CGI  script,
	usable in the construction of simple interactive `contact us\' type  web
	forms, it was  originally  created  and  distributed  July  9,  1995  and
	subsequently underwent several  revisions  culminating  in  version  1.6
	which was released May 2, 1997. The  1.6  version  became  widely  used,
	and copies of the 1.6 version are still installed  and  publicly  accessible
	in  many locations at the present time.
	

	Sometime between the release of the 1.6 version of FormMail  and  March,
	2001, various Internet users became aware that  spammers  were  exploiting
	the relatively modest and weak security checks within  the  1.6  version
	to send large quantities of  unsolicited  `spam\'  e-mail  to  large  numbers
	of recipients via exploited FormMail scripts. In effect,  spammers  were
	using  the  exploited  FormMail  scripts  in  ways  that  rendered  them
	functionally  equivalent  to  anonymizing  open  e-mail  relay  servers.
	Eventually,  someone  filed  a  public  security  advisory  regarding  these
	exploitations and the now evident security  problems  with  the  FormMail
	script.[1] Later reports indicated a  belief  that  spammers  were  actively
	searching the net for exploitable FormMail scripts.[2] At least two  different
	parties have apparently been motivated (by FormMail\'s evident  security
	problems) to create and  distribute  their  own  independently-developed
	versions of FormMail which allegedly close the security loopholes.[3]
	

	Subsequent to the release of the 1.6 version of the script, 1.7  and  1.8
	versions were also released.  On  his  web  site,  the  FormMail  author
	himself  notes  that  these  versions  have  unspecified   (and   perhaps
	different; see footnotes) security vulnerabilities, and that  all  users
	should upgrade to version 1.9 ``IMMEDIATELY\'\'.
	

	Version 1.9 of FormMail was released by its author on  or  about  August
	3, 2001, according to the comments  in  the  script.  This  version  has
	been alleged to rectify the various  previously  identified  security  issues
	with FormMail, including its prior ability to  be  manipulated  into  behaving
	like an anonymizing open mail relay.[4]
	

	

	Pre-1.9 Exploitation

	

	Exploitation of FormMail versions prior to 1.9  for  the  forwarding  of
	e-mail messages which have been effectively anonymized[5]  was  rendered
	trivial by the script\'s total reliance on  information  transmitted  by
	the web client to the web server (and hence to the FormMail CGI  script)
	for both authentication of the request and  for  specification  of  recipient
	e-mail  address(es)  for  each message.
	

	FormMail\'s authentication of incoming requests, such  as  it  was  (and
	is, in version 1.9), is limited to the following  rather  rudimentary  check
	on the HTTP_REFERER environment variable passed to the script  from  the
	local web server. (The web server, in its turn, obtains this value  from
	the Referer: HTTP  header  supplied by the HTTP client.)
	

	

	if ($ENV{\'HTTP_REFERER\'}) {

	    foreach $referer (@referers) {

	        if ($ENV{\'HTTP_REFERER\'} =~ m|https?://([^/]*)$referer|i) {

	            $check_referer = 1;

	            last;

	        }

	    }

	}

	else {

	    $check_referer = 1;

	}

	

	

	Note that further up in the script, the  original  script  installer  is
	required to have defined the @referers  array  to  a  list  of  strings,
	each of which is supposed to be a domain name or  IP  address.  These  domain
	names and/or IP addresses are, by  their  inclusion  in  the  installer-supplied
	definition of @referers, effectively authorized to run web servers  that
	will serve up HTML pages containing HTML forms that  may  work  with  this
	specific locally-installed copy of FormMail.  So,  for  example,  if  the
	local FormMail installer had wanted to limit the script\'s usage so  that
	it could only be  used  in  conjunction  with  HTML  forms  resident  on
	the web servers  known  as  www.example.com  and  www.example2.com  then
	the installer would have previous defined the @referers array as  follows:
	

	     @referers = (\"www.example.com\", \"www.example2.com\");

	

	There exist several ways to easily bypass  and  circumvent  the  HTTP_REFERER
	checking code shown above. The most obvious way,  and  the  way  that  most
	attackers will certainly  use  is  simply  to  decline  to  provide  any
	Referer: header at all as part of the HTTP request. In such  cases,  the
	attacker  will  effectively  ``pass\'\'  the   HTTP_REFERER   validation
	test[6], and the remainder of the FormMail script will  then  be  executed.
	

	Even though it is clear that  the  simplest  and  easiest  way  to  cir-
	cumvent the HTTP_REFERER check in FormMail is simply  to  avoid  including
	any Referer: header in the HTTP request, for the  sake  of  completeness
	we would also like to note some other methods whereby  this  same  check
	could be circumvented even in programming contexts[7] where omission  of
	Referer: headers may  be  difficult or impossible to achieve.
	

	Specifically, it should  be  noted  that  the  Perl  regular  expression
	matching attempt:
	

	     $ENV{\'HTTP_REFERER\'} =~ m|https?://([^/]*)$referer|i

	

	is not left-anchored prior to the https?: scheme  specification  nor  is
	it right-anchored after the $referer domain name.
	

	The lack of left-anchoring prior to the https?: scheme  specifica-  tion
	portion of the regular  expression  allows  an  attacker  to  ``pass\'\'
	this  simple-minded  HTTP_REFERER  validation  test  as  long   as   the
	HTTP_REFERER value (set from the HTTP Referer: header) is some  URL  containing
	a match for the regular expression anywhere within its entire length.
	

	An attacker may easily exploit this lack  of  left-anchoring  by  simply
	loading, and then submitting an HTML form to the  desired  FormMail  CGI
	from the attacker\'s own local web server using a  extended  `spoof\'  URL
	which contains a substring matching the reg- ular  expression  somewhere
	within the entire URL string.  The  matching  substring  may  be  presented
	as part of the right context  of  the  complete  URL,  and  specifically
	within a portion of the URL that will, by convention, be  ignored  by  many/most
	web servers when loading a page corresponding  to  the  given  URL.  For
	example, the following URL:
	

	     http://www.attacker.tld/myform.html?http://www.victim.com/

	

	if included as the URL in an HTTP  GET  request  will  typically  result
	in the HTTP client receiving a copy of the same web page that would  have
	been obtained if the requested URL had been just:
	

	     http://www.attacker.tld/myform.html

	

	because a typical web server will simply ignore the trailing  por-  tion
	of the URL past the question mark.[8] Typical HTTP clients on the  other
	hand, if asked to perform such a GET operation, will do so (with  the  help
	of the relevant web server) but will then preserve the  entire  original
	request URL and will later present that  as  the  Referer:  value,  when
	and if some HTML form on the page is the subject of a submit operation.
	

	The HTTP client\'s preservation of the entire URL, including the  trailing
	`spoof\' substring, allows most typical HTTP clients to  trivially  pass
	FormMail\'s simple-minded HTTP_REFERER validation test even if the  attacker
	has neither built nor obtained any HTTP client software that allows  for
	suppression of Referer: head- ers[9], and even if he is writing  his  own
	attack software in some language (e.g. Javascript) that otherwise  makes
	the implementa- tion of  attacks  on  web  CGIs  particularly  easy  and
	convenient.
	

	The lack of right-anchoring after the $referer portion  of  the  regular
	expression may also be exploited by an  attacker  wishing  to  create  a
	modified FormMail HTML submission form on a web server of his  own  choosing.
	This may be more  difficult  than  exploiting  the  lack  of  left-anchoring
	however, and may perhaps  only  be  achievable  with  the  aid  of  some
	cooperative DNS server. Given the availability of such a server  however,
	a DNS `A\' record could easily be defined for an fully-qualified  domain
	name  such as:
	

	     www.victim.com.attacker.tld

	

	and that `A\' record could be defined with an IP address of  the  attacker\'s
	choosing. In this case, the  attacker  could  easily  load  his  malevolent
	locally-installed HTML exploit form (which has its  ACTION=  clause  set
	to point to the victim\'s FormMail) into his browser via a  URL  such  as:
	

	     http://www.victim.com.attacker.tld/myform.html

	

	The attacker could then simply submit the  form  and  it  would  `pass\'
	the simple FormMail HTTP_REFERER validation check.
	

	Note  that  all  three  methods  for  circumventing  FormMail\'s  HTTP_REFERER
	validation remain present in the current (1.9) ver- sion of the  script,
	i.e. (1) complete  omission/suppression  of  Referer:  headers  and  (2)
	exploitation of the lack of right- anchoring and (3) exploitation of  the
	lack of left-anchoring.
	

	Once  an  attacker  has  passed  the   easily   circumventable   HTTP_REFERER
	validation check, he then has a mostly free  hand  to  manipulate  other
	CGI (form input) variables in order to direct an e-mail message  of  his
	choice to some selected destination address or addresses.
	

	FormMail  obtains  the  desired  destination  e-mail  address  for  each
	transmitted e-mail message  from  the  HTTP  client.  The  HTTP  client,
	in turn, is expected to obtain it from the pre-defined  value  of  a  hidden
	HTML form field (recipient) within a form  (or  forms)  associated  with
	the specific web site/server where  a  given  instance  of  FormMail  is
	installed. Obviously however, if (as we have seen above) it  is  trivial
	to trick FormMail into believing that  some  attacker-created  form  which
	actually resides  on  some  arbitrary  web  server  of  the  attacker\'s
	choosing is a valid ref-  erer,  then  attackers  can  certainly  manufacture
	(or simulate) forms with the recipient form field set to  any  e-mail  address
	desired.
	

	These are the conditions which led to earlier reports of FormMail  being
	exploited, generally by bulk e-mail spammers, as if it were  a  kind  of
	anonymizing open e-mail relay server. The fundamental problem  was  that
	the HTTP_REFERER checking could be  easily  spoofed,  and  that  the  pre-1.9
	versions of FormMail performed no validation checking  of  any  kind  on
	the recipient CGI parameter. Attackers were thus allowed to set  this  parameter
	to any desired value.
	

	Version 1.9 of FormMail incorporated changes whose purpose was to  allow
	the actual destination e-mail addresses (i.e. the value  given  for  the
	recipient CGI parameter) for any submitted message to  be  restricted  by
	checkingthem against  an  installer-supplied  list  of  ``acceptable\'\'
	recipient e-mail addresses and/or recipi- ent domains. As noted below  however,
	these changes did not fully achieve their goal. That  unfortunate  fact,
	together with the multiple flaws in HTTP_REFERER checking  (all  of  which
	are still present in the 1.9 version) imply that even  the  current  1.9
	ver- sion of FormMail can still be used and abused for spamming, for  e-mail
	harassment, or other  purposes  neither  condoned  or  intended  by  the
	FormMail installer.
	

	

	Anonymous Mail Forwarding Exploits in FormMail 1.9

	

	As noted above, versions  of  FormMail  up  to  and  including  1.8  are
	believed to be vulnerable to various security  exploits,  including  but
	not limited to creative generation of  HTTP  header  and  message  data,
	leading to an installed FormMail CGI script at a targeted site  behaving
	like  an  anonymizing  open  e-mail  relay.  At  present,  spammers  are
	continuing and increasing their abuse of  such  ear-  lier  versions  of
	FormMail, especially the widely deployed 1.6 version, at  various  sites
	where these earlier versions are,  unfortunately,  still  installed.[10]
	

	This advisory describes various vulnerabilities in version  1.9  of  the
	FormMail script that may also lead to misuse and abuse of the script  by
	remote attackers to achieve an effect functionally equivalent to  an  anonymizing
	open e-mail relay server.
	

	Note that many, if not most of these exploits were also present in  versions
	of FormMail prior to the 1.9 version, and thus it  may  be  fairly  said
	that the exploits described herein are not in any sense new to  the  1.9
	version. For the sake of brevity however, we report  these  problems  as
	vulnerabilities in the 1.9 version.
	

	The vulnerabilities described herein may be broadly  separated  into  the
	following   categories:   (1)   creative   recipient   addressing,   (2)
	exploitation of the email and realname CGI parameters, (3)  other  regular
	expression  matching  issues,  and  (4)  mail-bombing  by  proxy   using
	FormMail. These vulnerability categories are each  described  in  separate
	sections below.
	

	

	Creative Recipient Addressing

	

	The preceding section noted that FormMail 1.9 suffers from the  same  HTTP_REFERER
	validation flaws as earlier versions of the  script,  thus  forcing  the
	prevention of unauthorized use/misuse of the script to rely entirely  on
	the code added in 1.9 which  attempts  to  validate  client-supplied  recipient
	e-mail addresses. These added checks contain a number of subtle and  not-so-subtle
	flaws however, any one of which, if exploited, renders  the  check-  ing
	code useless and ineffective.
	

	Briefly, the  recipient  address  checking  code  added  in  1.9  merely
	attempts to ensure that each comma-separated substring  of  the  client-specified
	recipient string matches (with right-anchoring only, and without case  sensitivity)
	one of a set of strings spec- ified  by  the  person  who  installs  the
	FormMail script. The array called @recipients is used to hold these  (valid
	recipient address or domain) strings and each  comma-delimited  substring
	of the client-supplied recipient CGI parameter string is checked to  see
	that it matches  (right-anchored)  at  least  one  of  these  installer-
	specified ``approved\'\' recipient address or domain strings.
	

	As long as this check `passes\', for any  given  comma-separated  substring
	of the recipient value, that substring will be saved in yet another  array
	(@send_to), and later on, all elements of the  ``validated\'\'  @send_to
	array are join\'d back together, with comma separators, and  the  resulting
	string replaces the old, unvali- dated recipient  CGI  parameter  value.
	That value is then later used (when writing  e-mail  headers  to  the  local
	mail server) in the following Perl statement:
	

	     print MAIL \"To: $Config{\'recipient\'}\\n\";

	

	So, for example, if the installer of the script had provided  a  definition
	of @recipients like:
	

	     @recipients = (\'pres\\@elsewhere.tld\', \'ourdomain.tld\');

	

	then all of the following client-supplied recipient addresses, if  given
	by the HTTP client, either alone or as elements of  a  comma-  separated
	list of recipient addresses, would ``match\'\' some  ele-  ment  of  the
	@recipients array definition shown above, and would thus be  allowed  as
	valid recipient addresses:
	

	     pres@elsewhere.tld

	     PRES@elsewhere.tld (See note #1)

	     vice-pres@elsewhere.tld  (See note #2)

	     Professor.Plum@ourdomain.tld

	     Norma.Desmond@nostalgia.ourdomain.tld

	     user%somewhere.tld@ourdomain.tld  (See note #3)

	     user@somewhere.tld(ourdomain.tld  (See note #4)

	     user@somewhere.tld(pres@elsewhere.tld  (See notes #2, #4)

	     <user@somewhere.tld>ourdomain.tld (See note #5)

	     <user@somewhere.tld>user@ourdomain.tld (See note #6)

	     <user@somewhere.tld>pres@elsewhere.tld (See notes #2, #6)

	

	Unfortunately, some of the  ``acceptable\'\'  strings  shown  above,  if
	crafted by an attacker and then used within a spoofed/fraudulent HTTP  request
	may lead to undesirable  consequences,  i.e.  the  for-  warding  of  an
	associated e-mail message  to  some  recipient  (or  recipients)  having
	e-mail addresses that the installer never intended to allow  as  FormMail
	message recipients.
	

	Several notes regarding the example strings shown above  are  in  order:
	

	

	  1.  Comparison  of each comma-separated sub-part of the client-

	      supplied recipient string is performed without case  sensi-

	      tivity.   On systems where the initial (user ID) portion of

	      e-mail addresses is  considered  case-sensitive,  this  may

	      allow  misuse  of FormMail to send e-mail messages to unin-

	      tended recipients having e-mail addresses with  alternative

	      case  on  the same system.  Worse however, this possibility

	      opens up a hole that might perhaps allow a remote  attacker

	      to misuse an installed FormMail script in a way that avoids

	      immediate detection by any local user or administrator.  We

	      will return to this point below.

	

	  2.  In  fairness  to  the FormMail author, the README file sup-

	      plied with FormMail version  1.9  explicitly  and  strongly

	      suggests  that installers should prefix any and all full e-

	      mail addresses they include within the  definition  of  the

	      @recipients  array with the up-caret (^) character, thereby

	      causing subsequent regular expression  matching  for  those

	      strings  to  be anchored both on the left and on the right.

	      Following that suggestion  would  certainly  eliminate  the

	      potential  exploits  noted  above  that refer to this note.

	      Anyone following the FormMail author\'s advice  with  regard

	      to  1.9  installation  would have written their @recipients

	      definition as follows:

	

	      @recipients = (\'^pres\\@elsewhere.tld\', \'ourdomain.tld\');

	

	      rather than the way it  was  written  further  above,  thus

	      eliminating  such  obvious potential problems as being able

	      to trick FormMail into sending unauthorized e-mail messages

	      to  vice-pres@elsewhere.tld.  As we have already noted how-

	      ever, even when each and every element  of  the  installer-

	      defined  @recipients  array is set to a full e-mail address

	      (as opposed to merely a domain name) and even when each  of

	      the  e-mail  addresses  in  question  is left-anchored, the

	      check for correspondence between client-supplied  recipient

	      addresses  and the installer-defined set of allowed recipi-

	      ent addresses is performed in a  case  insensitive  manner.

	      We will return to this issue below.

	

	  3.  Although  the  recipient  parameter provided to FormMail by

	      the HTTP client will  have  newlines  and  carriage  return

	      characters,  if  present, removed by FormMail, and although

	      the recipients string is separated into a set of comma-sep-

	      arated  substrings  before the recipient address validation

	      occurs, no other validation of the form, format, or  syntax

	      of  the  recipient  address(es)  is performed.  This leaves

	      open the possibility of  using  the  old  and  widely-known

	      Sendmail  percent  hack[11]  form  of e-mail addressing, at

	      least in cases where one or more of  the  elements  of  the

	      @recipients array are just domain names, as opposed to full

	      e-mail addresses.

	

	      To understand fully why use of the percent hack  is  almost

	      guaranteed to work in such cases, one must understand that:

	

	         o FormMail is  designed  to  work  in  conjunction  with

	           either  Sendmail or with some work-alike program, such

	           as Postfix, and we may thus assume that whatever  mail

	           server  FormMail is hooked up to will almost certainly

	           be one that does support  the  percent  hack  form  of

	           addressing.

	

	         o In  normal  (non-exploit)  operation,  the mail server

	           resident on the  same  host  as  the  FormMail  script

	           itself  will  (unless  the  administrator  has botched

	           either his Sendmail configuration or his FormMail con-

	           figuration)  accept  all  ``locally generated\'\' e-mail

	           messages  coming  out  of  the  FormMail  script   and

	           addressed  to any e-mail address whose @domain part is

	           the same as of any one of the domains  listed  in  the

	           @recipients  array.   Thus, in the preceding examples,

	           we can usually be sure that the local mail  server  on

	           the FormMail host will not disallow or reject any such

	           ``locally-generated\'\' e-mail message that is addressed

	           to  user%somewhere.tld@ourdomain.tld  because  it will

	           see  that  the  domain  portion  of  this  address  is

	           ourdomain.tld.   That alone will probably be enough to

	           satisfy Sendmail that it should accept (and, if neces-

	           sary,  forward) the mail message in question.  Also, a

	           typical Sendmail installation, even a modern one, will

	           usually not itself object to any kind of forwarding of

	           any ``locally-generated\'\' e-mail message to any  other

	           domain  or site, because it is typical to assume (when

	           configuring Sendmail) that ``local\'\'  e-mail  origina-

	           tors  can  be fully trusted, at least to send outgoing

	           e-mail to other sites.  (Note that FormMail is  acting

	           in  the  role  of a ``local\'\' and trusted user in this

	           case.)  So an attacker really only needs to  get  past

	           FormMail\'s  check  on  HTTP_REFERER (which, as we have

	           seen, is trivial to do) and then, if he can  also  get

	           past  FormMail\'s  check  of the right-most part of the

	           recipient  address  string(s)  against  the  @referers

	           array  he  will  be  able  to  send e-mail messages to

	           essentially any e-mail address anywhere on the  Inter-

	           net.   As illustrated by the example above, use of the

	           percent hack form  of  e-mail  addressing  allows  the

	           attacker to get past the latter check.

	

	  4.  RFC 2822, like RFC 822 before it, specifies that within the

	      text of so-called structured mail headers (e.g.   To:)  any

	      string  enclosed within matching left and right parenthesis

	      shall be taken as being  purely  commentary  material,  and

	      shall  be ignored.  Thus, if an attacker provides a recipi-

	      ent string of the form:

	

	           user@somewhere.tld(ourdomain.tld

	

	      and if that  string  passes  the  (right-anchored)  regular

	      expression  matching check (i.e. matching at least one ele-

	      ment of the @recipients array),  then  a  To:  header  line

	      like:

	

	           To: user@somewhere.tld(ourdomain.tld

	

	      will  be  generated by FormMail and passed to Sendmail.  In

	      such a case, Sendmail should take  everything  between  the

	      left parenthesis and the corresponding right parenthesis as

	      a comment, thus leaving it with only the user@somewhere.tld

	      address to act on.  However in this case, there is no clos-

	      ing right parenthesis before the end of the header line, so

	      this would appear to be a case where the actual behavior of

	      the mail server cannot be predicted.  In practice  however,

	      both  Sendmail  and Postfix helpfully and implicitly supply

	      the missing closing right parenthesis themselves, with  the

	      result  being  that  the  (ourdomain.tld portion of the To:

	      header   is   in   fact   ignored,   leaving    only    the

	      user@somewhere.tld part to define the actual e-mail recipi-

	      ent address.

	

	  5.  For a client-supplied recipient string of the form:

	

	           <user@somewhere.tld>ourdomain.tld

	

	      Sendmail will subsequently be fed  the  corresponding  mail

	      header:

	

	           To: <user@somewhere.tld>ourdomain.tld

	

	      and  when  such a header is supplied to Sendmail along with

	      Sendmail\'s -t  (take  recipient  address(es)  from  message

	      headers) option, reports indicate that Sendmail will send a

	      copy of the message to user@somewhere.tld, and that it will

	      then ignore the remainder of the header line, i.e. the part

	      past the right (closing) angle bracket.  (This is  in  fact

	      entirely consistent with what the mail header parsing rules

	      contained in RFC 822 and 2822 would indicate  should  actu-

	      ally happen in such a case.)

	

	  6.  For a client supplied recipient string of the form:

	

	           <user@somewhere.tld>user@ourdomain.tld

	

	      it  would appear clear that if ourdomain.tld is included in

	      @recipients, then such a string will pass FormMail\'s recip-

	      ient  address acceptability check, and later, when Sendmail

	      is fed:

	

	           To: <user@somewhere.tld>user@ourdomain.tld

	

	      then Sendmail will most certainly send a copy of the  asso-

	      ciated    e-mail    message    at   the   very   least   to

	      user@somewhere.tld,     but      possibly      also      to

	      user@ourdomain.tld.   Reports suggest however that Sendmail

	      will ``parse out\'\' the latter e-mail address and  send  the

	      message only to the former address.  Even if the local mail

	      server used on a given victim server is one taht will parse

	      the  header  shown  above  and  then  send  to  both e-mail

	      addresses, an attacker could potentially choose some infre-

	      quently-  or  never-monitored  e-mail  address (such as the

	      traditional nobody user ID) within the targeted domain  and

	      use  that  e-mail  address to provide the right context for

	      his (spoof) recipient string.  That also will allow him  to

	      get past FormMail\'s recipient address acceptability checks.

	

	

	Exploitation of email and realname CGI Parameters

	

	As noted in the preceding section, clever manipulation  of  the  recipient
	CGI parameter when invoking  FormMail  1.9  can  allow  an  attacker  to
	bypass the recipient address checks imposed by  the  installer\'s  definition
	of the @recipients array, at least in cases where the installer  has  failed
	to define elements of this array  to  complete  e-mail  addresses  (i.e.
	when one or more ele- ments of the array is  just  a  domain  name)  and
	when and if the installer has failed to  left-anchor  (with  `^\')  each
	full e-mail address within the @recipients array definition. Even  in  cases
	where all elements of the @recipients  array  are  full  e-mail  addresses
	and where these are all left-anchored, an attacker may perhaps  still  be
	able to bypass FormMail\'s recipient address checks by exploiting  various
	weaknesses in FormMail\'s regular expression matching code, as  we  will
	show in the next section.
	

	Clever bypassing of the checks applied to  the  comma-separated  substrings
	of the recipient CGI parameter may however not even be necessary so  long
	as the attacker is willing to supply  cleverly  constructed  values  for
	the email and/or realname CGI parameters, and so long  as  the  attacker
	is willing to allow one copy  of  his  e-mail  message  to  go  to  some
	``permitted\'\'  recipient  address,   in   addition   to   some   other
	attacker-specified list of addresses.
	

	The email and realname CGI parameters  may  undergo  even  less  scrutiny
	by  FormMail  than  the   comma-separated   recipient   substrings.   In
	fact the email and realname CGI parameters  may  undergo  no  validation
	whatsoever. (The realname parameter  most  certainly  does  not  undergo
	any validation whatsoever within FormMail, and the email parameter  will
	not undergo any validation as long as it is not listed as a  required  field
	in the list of required form fields that is itself initialized from  the
	client- supplied value of yet another hidden form field. Given  that  an
	attacker, either a determined one or a hurried and careless one, will  most
	probably set the value of the required hidden form field to null  or  no
	value, we will just  simplify  the  remainder  of  our  presentation  by
	assuming, from here forward, that neither the email  CGI  parameter  nor
	the realname CGI  parameter  undergo  any validation.)
	

	One critical additional point to note here is that neither the  email  CGI
	parameter value nor the realname CGI parameter value are in any  way  ``cleaned
	up\'\' by FormMail before they are printed to the local mail server.  Specifically,
	the values of these variable do not have carriage  returns  or  newlines
	removed before they are given to the mail server.
	

	Once they have been supplied by the HTTP client, both the email and  realname
	CGI parameter values are printed, verbatim and with- out  filtering,  to
	the local mail server via  the  following  Perl statement:
	

	     print MAIL \"From: $Config{\'email\'} ($Config{\'realname\'})\\n\";

	

	One\'s first thought upon seeing this statement is that the lack  of  filtering
	or validation applied to the email and realname  CGI  parameters  cannot
	possibly be harmful, given the benign  context  (i.e.  a  From:  header)
	within which these values will appear. That thought would be  misleading
	however, because of the lack of  newline  removal  for  these  parameter
	values.
	

	Because an attacker can embed newlines in either or both  of  these  CGI
	variable values, he can also effectively change  the  context  in  which
	the remaining (rightward) characters of either value appear to the  local
	mail server. Specifically, an attacker could set the value of the  email
	parameter to some string such as:
	

	     IGNORED\\nCc: user@somewhere.tld,...

	

	where \\n represents a  newline  character.  This  rather  simple  trick
	provides the attacker with access to a self-generated Cc:, Bcc:,  or  (secondary)
	To: header context which, once achieved, provides the attacker  with  an
	avenue to direct the local mail server  to  send  the  attached  message
	to some arbitrary set of e- mail  addresses,  in  addition  to  whatever
	address may have been specified (via the recipient  CGI  parameter)  for
	inclusion in the earlier To: header.
	

	As should be apparent from the Perl print statement shown above, this  same
	context shift (achievable via embedded newlines) may  also  and  equally
	be exploited via clever construction of a suit-  able  attacker-supplied
	value for  the  realname  CGI  parameter.  In  this  case  however,  the
	attacker would need to take care to also  escape  from  the  confines  of
	the paired parentheses that  the  script  will  supply  to  enclose  the
	realname value. Given that the  realname  parameter  value  will  appear
	in  the  mail  headers  sur-  rounded  by  a  pair  of  open  and  close
	parenthesis, the ``smuggling in\'\'  of  additional  recipient  addresses
	via the realname CGI parameter requires the  attacker  to  include  some
	strategically- placed parenthesis of his own in the value he  passes  to
	the vic- tim web server for the  realname  parameter.  For  example,  the
	value:
	

	     IGNORED)\\nCc: user@somewhere.tld\\nX-Ignore: (

	

	could be supplied by an attacker as the realname  CGI  parameter  value,
	thus closing  the  already-opened  SMTP  header  comment,  escaping  to,
	and creating a new (Cc:) e-mail header context  (which  is  then  filled
	with victim e-mail addresses), escaping again to another  new  e-mail  header
	context, and then finally sup- plying a open parenthesis  to  match  the
	closing one that will be supplied by the Perl print statement within  FormMail.
	

	Last but by no means least, it should be noted that  vulnerable  FormMail
	installations may be less than ideal as a vehicles for  distributing  e-mail
	messages, either unsolicited or otherwise,  due  to  FormMail\'s  rather
	inconvenient (for the spammers) habit of appending its own  unique  legend
	just ahead of the body text of any given  mail  message  that  it  forwards.
	FormMail always prepends a set of body text lines  having  the  following
	general form to each e-mail message it passes to the local mail server:
	

	  Below is the result of your feedback form.  It was submitted by

	  (sender address) on date/time stamp

	  ---------------------------------------------------------------

	

	This additional leading  body  text  would  appear  to  be  annoying  to
	spammers who would much prefer to have the text of their own mes-  sages
	appear at the very start of the  message  body  text.  (We  assume  that
	this spammer-annoying aspect of FormMail is one of the reasons,  if  not
	the primary reason that spammers have gener-  ally  shown  a  preference
	for using open mail relays, as opposed to  open  FormMail  scripts,  for
	sending their messages.)
	

	Unfortunately however, given that the email  and  realname  CGI  parameters
	of FormMail may contain embedded newlines, it  is  apparent  that  either
	of these parameters may be set, by an  attacker,  to  a  value  which  includes
	not only  additional  recipient  addresses,  but  also  additional  mail
	headers and additional ini- tial message body text  of  the  attacker\'s
	choosing.  For example, the email parameter could be set to:
	

	     \\nCc: user@somewhere.tld\\nSubject: $$$\\n\\nMAKE MONEY FAST!!!

	

	thus causing the text \"MAKE MONEY  FAST!!!\"  to  appear  in  the  out-
	going message as the very  first  line  of  the  message\'s  body  text.
	Furthermore, a value such as the one shown just above could  be  followed
	by arbitrarily many additional newline characters, thus pushing  the  FormMail
	supplied legend text far down below the attacker\'s desired subject  header
	and initial message text (and perhaps even entirely off  the  `front  page\'
	of what the messages recipient will see  when  he  first  looks  at  the
	received  message).
	

	This tactic may of course  be  applied  with  essentially  equal  effect
	to either the email or realname parameters, except that the  caveats  mentioned
	above concerning the balancing of parenthe- sis would apply in the  case
	of  manipulation  of  the  realname parameter.
	

	These possible tactics for ``hiding\'\'  the  otherwise  spammer-  annoying
	FormMail leading body text are not, unfortunately, the only  ones  possible.
	As  one  careful  early  reviewer  of  this  advi-   sory   noted,   the
	vulnerability which allows an attacker to include newlines in  the  email
	an/or realname CGI parameters might also open up an avenue  whereby  the
	FormMail-supplied leading body text could be  effectively  removed  from
	the view of a message recipient via the  careful  construction  of  MIME
	e-mail headers which achieve that  exact  effect.  (This  design  of  an
	exploit making use of this approach is  left  as  an  exercise  for  the
	reader.)
	

	

	Other Regular Expression Matching Issues
	

	We have noted above several ways of bypassing  FormMail\'s  attempts  to
	validate a client-supplied recipient string, where most of  these  methods
	rely on various obscure  and  not  widely  known  aspects  of  e-mail  address
	parsing rules. These are by no means the only ways to  circumvent  these
	recipient address validation checks however. These  checks  may  also  be
	bypassed via at least three different exploits relating  to  FormMail\'s
	use of regular expressions for e-mail  address  matching/validation.  These
	addi- tional exploit techniques are described below.
	

	The first regular  expression  exploit  we  present  offers  an  attacker
	an easy opportunity to get past FormMail\'s recipient  address  checking
	tests, although perhaps in a  way  that  will  be  quickly  detected  by
	an alert local administrator (of the  exploited  server).  Note  that  due
	to the flow-of-control logic used  within  FormMail,  an  attacker  must
	get past these tests at least once, or else no e-mail messages  will  be
	sent at all.
	

	Consider the case  where  the  local  FormMail  installer  provided  the
	following definition for the @recipients array:
	

	     @recipients = (\"^john\\@our-server.tld\");

	

	Given that the string enclosed within the double  quotation  marks  will
	in fact be used,  verbatim,  as  a  regular  expression  within  a  Perl
	regular  expression  match,  and  given   that   within   such   regular
	expressions,  each  period  character  actually  stands  for  a  single-
	character wild card character, an attacker could supply a value for  the
	recipient CGI parameter such as:
	

	     john@our-serverXtld

	

	In such a case, unless by some extremely remote  chance,  there  happens
	to be another server on the same  local  network  whose  non-  qualified
	node name is our-serverXtld, the mail message sent by the  attacker  through
	FormMail to the specified recipient address (and perhaps  also  to  some
	additional set of recipient addresses smuggled in  via  the  email  and/or
	realname CGI parameters) will almost certainly generate a  undeliverable
	bounce message for the non-existent john@our-serverXtld  address.  Where
	will this bounce message go?
	

	We would hope that the undeliverable bounce  message  would  be  directed
	to some responsible local administrator who would then  quickly  realize
	that the game is afoot, and that somebody some-  where  is  presently  attempting
	to exploit the locally-installed copy of FormMail, but in point of  fact
	this is unlikely to occur.
	

	What is clear is the the bounce message, by convention and  by  SMTP  standards,
	will be sent to the envelope sender address that  was  attached  to  the
	original e-mail  message  that  generated  the  bounce.  What  will  the
	original envelope sender address be?
	

	Because FormMail itself generated  the  original  message,  and  because
	FormMail itself was executed as a child process of the local web  server,
	the original envelope sender address will typi- cally be  whatever  local
	user-ID the local web server is run under, or rather, whatever local  user-ID
	it changes to  after  it starts up.
	

	For typical Apache installations, the account in question  is,  quite  often,
	the local nobody account. That account name is, in turn, quite  often  and
	quite typically aliased (in the local mail server\'s  aliases  file)  to
	/dev/null, in other words to the obliv- ion black hole.
	

	The implications here  should  be  apparent.  An  attacker  who  attempts
	to  exploit  FormMail  may  be  easily  able  to  escape  immedi-  ately
	detection by local administrators simply by  exploiting  FormMail\'s  inattention
	to the important detail that within the context  of  Perl  regular  expression
	matching,  periods  mean  some-  thing  other  than   literal   periods.
	Exploitation of this inatten- tion  to  detail  may  allow  an  attacker
	to ``pass\'\' FormMail\'s recipient address check in a very stealthy  fashion.
	Once the attacker has gotten past the recipient check,  at  least  once,
	then he may exploit the email  and/or  realname  vulnerabilities  of  FormMail
	(described above) to also direct copies of his mail mes- sage  to  other
	targeted e-mail addresses.
	

	Other, perhaps even more interesting variations on this theme  are  also
	possible, and are perhaps even more directly dangerous. A FormMail  installer
	who had defined his @recipients array to:
	

	     @recipients = (\"ourdomain.tld\");

	

	in order to allow FormMail to be employed to send mail to  any  user  of
	the ourdomain.tld domain might later  be  unpleasantly  sur-  prised  to
	begin receiving spam  complaints  from  somewhere.tld  users  when  some
	miscreant finally figures out that a recipient address such as:
	

	     user@somewhere.(ourdomain)tld

	

	passes  the  (right-anchored  only)  regular  expression  match  against
	ourdomain.tld with flying colors, only to subsequently have its  parenthesized
	portion treated as a (non-significant) comment by the local  RFC-conforming
	mail server.[14]
	

	Yet another aspect of the weakness of FormMail\'s  regular-expres-  sion
	based attempts to validate recipient address strings is its total  insensitivity
	to important lexical aspects of domain names themselves, in  particular,
	domain label boundaries.
	

	FormMail installers who have elected to use one  or  more  domain  names
	in their definition of the @recipients array may be dis- mayed to  learn
	that the lack of left-anchoring  in  FormMail\'s  reg-  ular  expression
	matching, together with FormMail\'s inattention to  the  importance  and
	significance of domain label boundaries may lead to  exploitation  of  a
	locally-installed FormMail, by outside spammers, to spam users in  other
	domains whose own domain names have right-anchored substrings which  just
	happen to exactly match the local domain  name,  even  though  there  is
	otherwise no rela- tionship between those other domains and the local  domain.
	

	For example, the following @recipients array definition:
	

	     @recipients = (\"x.biz\");

	

	clearly allows the local FormMail script which  contains  it  to  direct
	FormMail-generated  e-mail  messages  to  various  users  having  e-mail
	addresses directly within the x.biz domain. However  what  may  be  less
	clear is that it also allows FormMail-generated mes- sages to  be  directed
	to  persons  having  e-mail   addresses   within,   for   example,   the
	department-y.x.biz domain. More troubling is that it  also  allows  FormMail-generated
	messages to be directed to any  person  having  an  account  in  the  (clearly
	unrelated)  generation-x.biz  domain.  This   problem   arises   because
	FormMail is not astute enough to understand that, for  example,  the  domain
	name generation.x.biz is related to the x.biz domain  while  the  domain
	name generation-x.biz is entirely unrelated. Thus,  an  instance  of  FormMail
	installed on a web server belonging to x.biz could potentially  be  used
	to spam users in  the  generation-x.biz domain.
	

	Lastly, as  we  noted  earlier,  one  method  of  circumventing  FormMail\'s
	attempt  to  validate  the  recipient  CGI  parameter  against  elements
	of  the  installer-supplied  @recipients  array   is   to   simply   use
	alternative case for the user ID portion  of  the  client-supplied  recipient
	e-mail address. At the very least, this might allow an attacker  to  use
	FormMail to send  an  e-mail  message  to,  for  example,  a  user  whose
	e-mail address is JOHN@localhost.tld  even  though  the  installer  only
	intended to allow FormMail messages to  go  to  the  user  whose  e-mail
	address is john@localhost.tld.[12]
	

	This fact alone may be properly  viewed  as  being  essentially  insignificant.
	At worst, the case  insensitivity  of  the  FormMail  recipient  address
	checks would seem to allow misdirection of  FormMail  messages  to  different
	(and unintended) users of the same target recipient  system  where  some
	other valid and authorized FormMail message recipient also has  an  account.
	

	Recall however that the logic of FormMail demands that at least  one  of
	the comma-separated substrings  of  the  client-supplied  recipient  CGI
	parameter value must in fact `pass\' the  recipient  address  validation
	check. Otherwise no e-mail message  will  be  sent,  regardless  of  whatever
	other  clever  manipulations  an attacker might have undertaken.
	

	Exploitation of the case-insensitivity of the recipient address  checking
	code may provide yet another means for an attacker to pass the  recipient
	address check, at least once, thus insuring that his desired  e-mail  message
	will in fact be sent by FormMail. Furthermore, it may allow the  recipient
	address check to be bypassed even as it  also  allows  the  attacker  to
	avoid immediate detection of his activities, either  by  any  authorized
	FormMail message recipient or by any local administrator.
	

	For example, let us suppose that the @recipients array was previ-  ously
	defined by the installer as follows:
	

	     @recipients = (\"^john\\@our-server.tld\");

	

	Based on the  other  vulnerabilities  noted  above,  an  attacker  could
	easily spoof his way past the HTTP_REFERER check and he  could  then  provide
	some clever values for either the email CGI parame- ter or  the  realname
	CGI parameter, or both. Those values could induce  FormMail  to  send  a
	desired e-mail message to some  addi-  tional  e-mail  recipient  addresses,
	above and  beyond  whatever  address  may  have  been  provided  by  the
	attacker as the client-sup- plied recipient  CGI  parameter  value.  But
	even if he  does  all  this,  the  attacker  must  still  get  past  the
	script\'s checks on the recipient value, at least once, in order  to  induce
	FormMail to send any e-mail messages at all.
	

	To get past the checks on the validity  of  the  recipient  CGI  parameter,
	the attacker might set this parameter to the  value  JOHN@our-server.tld.
	This would cause the recipient check to pass, once,  and  that  in  turn
	would enable the script to continue further in  its  processing  of  the
	HTTP request, whereupon  any  of  the  several  other  FormMail  vulnerabilities
	could then be exploited. In such a case however, the  local  mail  server
	would also attempt to send a copy of the attacker\'s message to  the  e-
	mail address JOHN@our-server.tld.  What then?
	

	In the most common case, i.e. where our-server.tld is in fact the  local
	domain, and where the mail server providing mail service for  the  local
	domain is either Sendmail or Postfix, the attacker  will  typically  not
	be able to  hide  his  activities  via  this  sort  of  case-sensitivity
	exploitation because the local mail server (- Sendmail or Postfix)  will
	actually treat the user ID portion  of  a  local  e-mail  address  in  a
	case-insensitive manner. Thus, even if the attacker tricks  the  FormMail
	script into attempting to send an e-mail message to  JOHN@our-server.tld
	that message will still be delivered to the john@our-server.tld  mailbox.
	The local john user will thus be alerted that the local FormMail  script
	is being used, and possibly abused, and quick remedial action  may  then
	be taken to halt further abuse.
	

	If however the specific mail server that provides mail  service  for  the
	our-server.tld domain  treats  local  user  IDs  in  a  case-  sensitive
	manner, then the user  ID  john  may  exist,  and  may  accept  incoming
	e-mail, even though the user ID JOHN does not exist and does not  accept
	e-mail.
	

	In this case, any message sent to the JOHN@our-server.tld  account  will
	bounce as undeliverable.  Where will it bounce to?
	

	As noted previously, the  message  should  be,  and  typically  will  be
	bounced back (along  with  an  undeliverable  notice)  to  its  envelope
	sender address. And as was also previously noted,  the  envelope  sender
	address will almost invariably be the local user  ID  under  which  both
	the local web server and any CGIs that it  invokes  run.  That  account,
	quite often, is the local nobody account, and e- mail for the  local  nobody
	account is, as often as not, aliased to /dev/null. Thus,  if  the  attacker
	arranges to ``pass\'\' the FormMail  recipient  address  validation  test
	by changing the case of the user ID portion  of  some  known  authorized
	recipient e-mail  address,  and  if  the  alternatively-cased  recipient
	address is itself undeliverable, then this may represent an  opportunity
	for the attacker. Specifically, it may allow the attacker to  trick  FormMail
	into believing that it has received at least one valid  recipient  address
	even though the message sent to that address will first  be  bounced  as
	undeliverable  and  then,  subsequently,  will  disappear,  quietly  and
	conveniently, down a black hole, without alerting  any  local  end-users
	or any local administrators on the exploited  system  that  exploitation
	is occurring.
	

	It should additionally be noted that even in cases where the web  server
	itself is run under some account other  than  the  nobody  account,  the
	account that the web server is in fact run under will  often  and  typically
	be one for which incoming e-mail  messages,  including  bounces,  are  dumped
	into a black hole. Fur- thermore, even for web server execution  accounts
	that are not aliased to /dev/null, local administrators may  not  be  expecting
	any incoming e-mail for the web  server  execution  account,  and  thus,
	any e-mail that does arrive for that account may  be  moni-  tored  only
	rarely or perhaps never. Such a situation is exactly  what  an  attacker
	wishing  to  escape immediate detection would desire.
	

	In summary, it may safely be said that the case insensitivity of the  FormMail
	recipient address checking code may open up addi-  tional  possibilities
	for quietly covering up abuse and exploita- tion of the  other  FormMail
	security flaws detailed herein.[13]
	

	

	Mail-Bombing by Proxy Using FormMail

	

	Although  exploitation  of  installed  FormMail  scripts  for   spamming
	purposes is far and away the most likely scenario involving mis- use  and
	abuse of FormMail, a desire for completeness compels  us  to  note  some
	additional ways in which typical FormMail installa- tions may be  abused
	to cause harm or annoyance to others, even if only indirectly.
	

	In general, any Internet miscreant may easily flood any Internet  e-mail
	account of his choosing by simply sending a flood of e- mail messages  directly
	to that target account. This direct approach  is  however  known  to  be
	a good way to have  one\'s  outbound  e-mailing  privileges  revoked  in
	short order.
	

	Being aware of this fact, many Internet miscreants bent on per-  forming
	an act of mail bombing against a given target e-mail  account  will  instead
	elect to do so only indirectly, employing  some  intermediary  agent  or
	system that can be  induced  to  send  e-  mail  messages  to  arbitrary
	attacker-specified e-mail addresses. To the extent that  the  intermediary
	prevents the final victim of the mail bombing from easily  learning  the
	identity and/or IP address of the mail bomb originator it  will  be  seen
	as a poten- tially useful tool for a stealth mail bomb attack.[15]
	

	Given these facts, together with the multiple FormMail vulnera-  bilities
	described above, it  should  be  immediately  seen  that  any  installed
	instance of the FormMail script may be  employed,  in  various  ways,  as
	part of a stealth mail bombing attack directed  against  an  arbitrarily
	selected target e-mail address.
	

	It has certainly been shown above that FormMail may be induced  to  send
	arbitrary messages to arbitrary target addresses in a way which  prevents
	the final recipient from being able to  easily  determine  the  IP  address
	of the actual message originator. This  fact  alone  could  provide  the
	basis for  a  stealth  mail  bombing  attack.  Additional  possibilities
	for  such attacks, involving FormMail, may also exist however.
	

	For example, if FormMail is being  employed  on  a  given  web  site  in
	conjunction with an e-mail auto-responder of some kind, then it  may  be
	possible for an attacker to repeatedly  invoke  FormMail  while  setting
	the email CGI parameter to the e-mail address of his intended victim.  The
	victim in this case will receive  a  flood  of  ``auto-responses\'\'  for
	messages that he himself did not  originate,  and  these  auto-responses
	may (and quite often will) contain no indication of the  IP  address  that
	originated   whatever   message   or   messages   have   triggered   the
	auto-responder to send a response message. Note also that even for  a  relatively
	``smart\'\' auto-responder that makes it a point to  attach  the  e-mail
	headers of each original triggering e-mail message to each of the  auto-
	response messages it generates, the trace information provided  by  such
	headers will lead back only as far as the web server on the system  that
	hosts the FormMail script. That information will of  course  be  insufficient
	to determine the IP address used by the actual instigator  of  the  mail
	bomb.
	

	Because of the above scenario, it is strongly recommended  that  FormMail
	never be intentionally employed in conjunction with any kind  of  e-mail
	auto-responder.
	

	

	

	------------------------------------------------------------   [1]   The
	canonical reference for the original `FormMail spamming\' advisory is:
	

	     http://www.securityfocus.com/archive/1/168177

	

	Note that even earlier, reports had surfaced regarding FormMail and  environment
	variable information leakage:
	

	     http://packetstorm.decepticons.org/advisories/blackwatchlabs/BWL-00-06.txt

	     http://www.securityfocus.com/bid/1187

	

	and a fix was developed for this problem:
	

	     http://www.securityfocus.com/archive/1/62033

	

	A remote command execution vulnerability was also reported  (Aug,  1995)
	for the 1.0 version of FormMail:
	

	     http://www.securityfocus.com/bid/2079

	

	[2] The original report of possible widespread scanning of the  net  for
	vulnerable FormMail scripts may be found at:
	

	     http://www.extremetech.com/article/0,3396,s%253D25124%2526a%253D18236,00.asp#story4

	

	[3] The home page for one allegedly ``fixed\'\' version of FormMail  may
	be found at:
	

	        http://www.mailvalley.com/formmail/

	

	An  entirely  separate ``fixed\'\' version of FormMail may be found at:
	

	     http://nms-cgi.sourceforge.net

	

	Unfortunately, neither of these security-enhanced  versions  of  FormMail
	address all of the security issues raised herein.
	

	[4] Inexplicably, even though versions of FormMail prior to 1.9 are  known
	to be exploitable (as what amounts to anonymizing open mail  relays)  the
	author of this script continues to distribute several  of  his  earlier,
	insecure versions of the script (for use with/on various versions of  MS
	Windows) via his  web  site  and  the  FormMail  home  page.  This  will
	naturally tend to contribute to a worsening of  the  existing  global  problem
	of insecure FormMail installations, over time.
	

	[5] We use the term anonymized herein to indicate that  the  IP  address
	of the actual message origination point will not be pre- sent in any  of
	the e-mail Received: headers contained in the mes- sage  themselves.  This
	lack of tracing information makes it essentially impossible for  a  message
	recipient to determine the actual origination  point,  at  least  not  without
	the aid of the administrator of the server that hosts the FormMail  script
	and not  without a careful search of log files by that administrator.
	

	[6] The lynx web browser provides the  -noreferer  command  line  option
	to achieve this exact effect.
	

	[7] Javascript, in particular, implements a  submit()  built-in  primitive
	that can be used to simplify attacks on web CGIs. The authors  have  found
	no way to induce Javascript\'s submit()  primi-  tive  to  suppress  the
	inclusion of a Referer: header in the HTTP request generated by  a  call
	to submit() however.
	

	[8] There are, of course, other ways to cause  typical  web  servers  to
	ignore some rightward part of a complete URL.  The  forward  slash  character
	(`/\') can also be used to achieve the same effect when the  portion  of
	the URL to the right of the relevant forward slash can be located  by  the
	relevant web servers and when it is an ordinary file (as  opposed  to  a
	directory).
	

	[9] There are, of course, other ways by which one could arrange  for  Referer:
	HTTP headers to be suppressed, the most obvious of which is to make  use
	of any of the  Internet\'s  many  anonymizing HTTP proxy servers.
	

	[10] One of the  authors  of  this  advisory  (Guilmette)  is  currently
	maintaining a list of the IP addresses of such sites  for  spam  blocking
	purposes.
	

	[11] Please see:
	

	     http://web.nps.navy.mil/~miller/percent-hack.html

	

	for a brief description of the traditional (if non-standard)  per-  cent
	hack e-mail addressing notation.
	

	[12] Of course, different operating systems have different con-  ventions
	and  practices  with  regards  to  the  case  sensitivity...   or   lack
	thereof... of local user IDs. It should be  noted  however  that  FormMail
	is most frequently installed on UNIX  or  UNIX-like  systems,  and  that
	these systems do, in virtually all cases, treat local user  IDs  as  being
	case sensitive, thus allowing for the possibility that there might be  a
	user whose ID is john and also another user whose ID is  JOHN,  both  on
	the same single system.
	

	[13] Webmasters may also wish to reconsider the advisability of  running
	web servers under accounts whose  incoming  e-mail  is  either  sent  to
	/dev/null or ignored. It may actually be wiser to  select  some  account
	other than the nobody account to  run  a  web  server  under,  and  then
	to alias that other account to root or some  other  frequently-monitored
	local administrator address. The nobody account should more probably  be
	preserved as an effective e-mail alias for  /dev/null  however,  as  there
	are certainly instances in which you really don\'t want any  bounces,  no
	matter what.
	

	[14] See RFC 2822, especially its discussion  of  parenthesized  comments
	and e-mail address syntax.
	

	[15] An indirect mail bomb attack against a given e-mail address may  be
	easily undertaken simply by sending a large number of e-  mail  messages
	to some non-existent and/or otherwise undeliverable  e-mail  address  on
	some specific third-party intermediary system with the  envelope  sender
	(i.e. bounce back) e-mail address set  to  the  e-mail  address  of  the
	intended victim. Such an indirect mail bombing  via  bounces  attack  is
	not at all stealthy however, because in the vast majority of  cases  the
	attacker\'s IP address will be shown clearly  in  the  Received:  headers
	of the messages that triggered the  bounces,  and  these  in  turn  will
	typically be included in the  bounce  messages  received  by  the  final
	victim.

SOLUTION

	A revised version of FormMail 1.9 (which I am  calling  1.9s)  which  is
	believed to be free of any and all of the security  flaws  described  in
	the advisory below is now available at:
	

	ftp://ftp.monkeys.com/pub/formmail/1.9s/

	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH