[Oscailt] Re: [Imc-ireland-tech] argh, spamgateway
chekov at indymedia.ie
Sat Dec 3 06:10:10 PST 2005
> I sent this message to the list, but it probably got stopped by the
> spam filter, so I have removed the quoted spam below. Note that the
> message itself is being sent as $email, it's between the ( mailto: ).
> I'm not sure how this is working to cause the bcc header to be read by
> the mta.
> Contact.php is a spam gateway.
> I just got hit by it.
> $_REQUEST['email'] being passed without checks to mail() seems to allow
> the attacker to add headers (in this case bcc:) to the email.
> A disaster.
> Will post a fix, but I'm up to my eyes, hope someone else can look at
> it, just a simple referrer check would suffice I imagine.
> This is the message that was POSTed
Nice one for spotting this. Indymedia Ireland has been getting hit by
this as well.
I've inserted a fix into the oscailt code (back ported from 3.0) on
indymedia ireland, it checks to make sure that the email address entered
is vaguely similar to a valid email address or refuses posting. It can
be added at the end of the contact.php replacing the existing text from
if($_REQUEST['send_message']!=null) onwards. We should send around a
patch once we're sure that this solves the problem.
I reckon that the exploit involves a remote hacker sending a request
with an embedded, encoded newline in the email field and a list of bcc:
addresses following it. I'm not sure if it worked though, but the
update should fix it.
if (empty($addy)) return false;
if(strlen(trim($_REQUEST['name']))==0) writeError("You must specify your name!");
else if(strlen(trim($_REQUEST['email']))==0) writeError("You must specify your email address!");
else if(strlen(trim($_REQUEST['subject']))==0) writeError("You must specify the subject!");
writeError("You must provide a valid email address. " . htmlspecialchars($_REQUEST['email'], ENT_QUOTES)." is not a valid
else if(strlen(trim($_REQUEST['message']))==0) writeError("You must include a message!");
$subject = str_replace("\n", " ", $_REQUEST['subject']);
$name = str_replace("\n", " ", $_REQUEST['name']);
?><BR><BR><center><big><B>Your message has been
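
As an added example (not part of the original message and not Oscailt code), the check below refuses a contact-form submission when any field destined for a mail header contains a carriage return or line feed, which covers the embedded-newline bcc: case described above. It goes slightly beyond the quoted fix by treating \r as well as \n and by validating every field before mail() would be called; the function names are hypothetical, the sample inputs are constructed, and PHP 7 or later is assumed.

```php
<?php
// Added example: hypothetical helpers, not code from Oscailt.

// True if the value contains a CR or LF. PHP has already URL-decoded request
// parameters, so an encoded %0A or %0D arrives here as the raw character.
function hasLineBreak(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Validate contact-form fields before any of them reaches mail().
// Returns a list of error strings; an empty list means the input is acceptable.
function checkContactForm(array $in): array
{
    $errors = [];
    foreach (['name', 'email', 'subject', 'message'] as $field) {
        $value = $in[$field] ?? '';
        if (!is_string($value) || trim($value) === '') {
            // Also catches array-valued parameters such as email[]=...
            $errors[] = "Missing or malformed field: $field";
        } elseif ($field !== 'message' && hasLineBreak($value)) {
            // name, email and subject end up in headers and must be one line.
            $errors[] = "Line break in header field: $field";
        }
    }
    $email = $in['email'] ?? '';
    if (!is_string($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Not a valid email address';
    }
    return $errors;
}

// Constructed sample inputs: one ordinary submission, one carrying an extra
// header line after the address.
$clean = [
    'name'    => 'A Reader',
    'email'   => 'reader@example.org',
    'subject' => 'Hello',
    'message' => "Line one\nLine two",
];
$injected = $clean;
$injected['email'] = "reader@example.org\r\nBcc: someone@example.net";

print_r(checkContactForm($clean));
print_r(checkContactForm($injected));
```

The message body is allowed to contain line breaks because it is not placed in a header.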