Re: cfmail - is it vulnerable?
Andy Matthews wrote: >>Perhaps I'll have to start replacing out any instances of "Content-Type" >>in any email form fields :( > > > That's what I ended up having to do. I got about 20 or so emails that had > gotten through like that and analyzed them for common themes. I found > several that could be bad and checked for them. Here's some code if you're > interested: I've got a guestbook on a site I built for bob guiney that I get probably 5-10 messages a day that are either outright spam or hack attempts. Luckily it's a moderated guestbook so none of that stuff gets published but eventually I added some code to just prevent people from trying to post guestbook entries with "http" in them. I should probably add "content-type" to that. I get awfully tired of disapproving guestbook entries that look like this: "Hi! Great site! I learned something! online casino pharaceutical blah blah blah" ~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:232913 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
RE: cfmail - is it vulnerable?
> Perhaps I'll have to start replacing out any instances of "Content-Type" > in any email form fields :( That's what I ended up having to do. I got about 20 or so emails that had gotten through like that and analyzed them for common themes. I found several that could be bad and checked for them. Here's some code if you're interested: -Original Message- From: Ian Buzer [mailto:[EMAIL PROTECTED] Sent: Sunday, February 19, 2006 2:18 AM To: CF-Talk Subject: cfmail - is it vulnerable? Hello, Just got a bunch of emails in my inbox this morning that had been sent from a contact form on one of my web sites. ~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:232912 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
Re: cfmail - is it vulnerable?
Ian Buzer wrote: > > It looks like someone's trying to test to see if the form is vulnerable to > having headers injected into it. In fact, on one of the attempts, he did > manage to override the subject of the email. > > Does anyone know if cfmail is vulnerable to this kind of thing? Not to this specific one, but you do keep up with your patched, don't you? http://www.macromedia.com/devnet/security/security_zone/mpsb05-14.html Jochem ~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:232861 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
RE: cfmail - is it vulnerable?
It is not vulnerable - except that you will get these annoying probes from time to time :) I have a blog on this top with lots of additional insight in the comments at the bottom. http://mkruger.cfwebtools.com/index.cfm?mode=alias&alias=email%20injection This follow up references a function for handling the injections. http://mkruger.cfwebtools.com/index.cfm/2006/2/5/email.injection.function -Mark -Original Message- From: Ian Buzer [mailto:[EMAIL PROTECTED] Sent: Sunday, February 19, 2006 2:18 AM To: CF-Talk Subject: cfmail - is it vulnerable? Hello, Just got a bunch of emails in my inbox this morning that had been sent from a contact form on one of my web sites. They all contained content a bit like this: deeper xxContent-Type: multipart/alternative; boundary=e00c35d22e0dba33a15957f33286efe8 MIME-Version: 1.0 Subject: idee is that a bcc: [EMAIL PROTECTED] This is a multi-part message in MIME format. --e00c35d22e0dba33a15957f33286efe8 xxContent-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit v coorse, he thinks marredge is goin to change --e00c35d22e0dba33a15957f33286efe8-- It looks like someone's trying to test to see if the form is vulnerable to having headers injected into it. In fact, on one of the attempts, he did manage to override the subject of the email. Does anyone know if cfmail is vulnerable to this kind of thing? It looks like it might be. What's the best way of preventing it? Perhaps I'll have to start replacing out any instances of "Content-Type" in any email form fields :( Ian ~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:232858 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
cfmail - is it vulnerable?
Hello, Just got a bunch of emails in my inbox this morning that had been sent from a contact form on one of my web sites. They all contained content a bit like this: deeper xxContent-Type: multipart/alternative; boundary=e00c35d22e0dba33a15957f33286efe8 MIME-Version: 1.0 Subject: idee is that a bcc: [EMAIL PROTECTED] This is a multi-part message in MIME format. --e00c35d22e0dba33a15957f33286efe8 xxContent-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit v coorse, he thinks marredge is goin to change --e00c35d22e0dba33a15957f33286efe8-- ... It looks like someone's trying to test to see if the form is vulnerable to having headers injected into it. In fact, on one of the attempts, he did manage to override the subject of the email. Does anyone know if cfmail is vulnerable to this kind of thing? It looks like it might be. What's the best way of preventing it? Perhaps I'll have to start replacing out any instances of "Content-Type" in any email form fields :( Ian ~| Message: http://www.houseoffusion.com/lists.cfm/link=i:4:232830 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations & Support: http://www.houseoffusion.com/tiny.cfm/54