Working for an ISP in the mid 00s, the lack of security of those scripts was an absolute nightmare. It was a routine task to have to go clean up the mess they made, everything from simple "Being used to relay spam" on up.
About once a week: "Why is our outbound bandwidth saturated? Oh, look! A new FormMail exploit!"
I think my all-time favorite was an SMTP injection. I don't remember the exact details, but it was pretty close to this:
* The script accepted a form POST and decoded it.
* It opened a pipe to sendmail.
* It wrote the expected SMTP headers to sendmail's stdin.
* Then it wrote the decoded POST body as-is into sendmail's stdin.
Thing is, that method used in-band signaling. This is the part I forget exactly, but you could send in the POST body:
That period on a line of its own, followed by two newlines, told sendmail "this message is done. Now listen for the next command." Then it sent the new SMTP headers with whatever damage the attacker wanted to do, and sendmail would obediently process it as though that were the original message. We learned that one the fun way.
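A hardened version of the form-to-sendmail flow described in this comment, added here as an example and not the commenter's code; the sendmail path, the allowlisted recipients and the envelope sender address are assumptions:

```python
import re
from typing import List

# Assumed values for the example; adjust to the real deployment.
SENDMAIL = "/usr/sbin/sendmail"
ALLOWED_RECIPIENTS = {"sales@example.com", "support@example.com"}

_LONE_DOT = re.compile(r"(?:^|\r?\n)\.\r?\n")
_HEADER_AFTER_BLANK = re.compile(
    r"\r?\n\r?\n(?:to|cc|bcc|from|subject|content-type):", re.IGNORECASE)


def looks_like_injection(body: str) -> bool:
    """Detection for logging/alerting: a '.' alone on a line, or a blank line
    followed by mail-header-looking lines, is the shape of the attack above."""
    return bool(_LONE_DOT.search(body) or _HEADER_AFTER_BLANK.search(body))


def header_value(value: str) -> str:
    """Form fields that land in headers must be single-line; a CR/LF would let
    the sender append Bcc:/To: headers of their own."""
    if "\r" in value or "\n" in value:
        raise ValueError("line break in header value")
    return value.strip()


def sendmail_argv(recipient: str) -> List[str]:
    """Recipient comes from an allowlist, never from the form, and -i makes
    sendmail ignore a lone '.' line, so the body cannot end the message."""
    if recipient not in ALLOWED_RECIPIENTS:
        raise ValueError("recipient not allowed")
    return [SENDMAIL, "-i", "-f", "webform@example.com", recipient]


def dot_stuff(body: str) -> str:
    """Only for scripts that speak SMTP directly (no sendmail -i in front):
    RFC 5321 transparency doubles the leading '.' on every line."""
    lines = body.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    return "\r\n".join("." + ln if ln.startswith(".") else ln for ln in lines)


def build_message(from_addr: str, subject: str, recipient: str, body: str) -> str:
    """Assemble the message: validated single-line headers, then the body as
    plain data. Feed it to subprocess.run(sendmail_argv(recipient), input=...)."""
    headers = ["From: " + header_value(from_addr),
               "To: " + header_value(recipient),
               "Subject: " + header_value(subject)]
    return "\r\n".join(headers) + "\r\n\r\n" + body + "\r\n"
```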