[nycphp-talk] worm/virus's hammering feedback scripts?
Daniel Convissor
danielc at analysisandsolutions.com
Mon Sep 12 12:20:18 EDT 2005
Hey Folks:
On Mon, Sep 12, 2005 at 11:16:18AM -0400, Rolan Yang wrote:
> Detection and Solution:
> The current bot-net probe is known to send its reply to one of several
> known email addresses on the following list.
A list of addresses is the wrong approach. The email addresses are
variable and easy to change. More importantly, the content is the issue,
not the email address.
> Vulnerable scripts should be modified to properly filter input fields.
> Ken Robinson has posted a php example at:
> http://lists.nyphp.org/pipermail/talk/2005-September/016124.html
That solution is less than perfect. First, it's case sensitive, so misses
things like "BcC", meaning str_ireplace() would be better. Second, it
catches things that don't need to be.
The mere existence of "content-type" or "bcc" in the inputs isn't a
problem. The danger is having those at the beginning of a line and only
in fields that get put into the email headers. So, this vulnerability can
be solved by removing white space characters other than regular spaces
from any field going into the email headers. Or better yet, only allowing
letters, numbers, spaces and a few punctuation type characters.
Non Issue:
    $var = "Content-type: crack";
    $subject = "Subject: $var";
Real Issue:
    $var = "You're about to be cracked\r\nContent-type: crack";
    $subject = "Subject: $var";
--Dan
--
T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
data intensive web and database programming
http://www.AnalysisAndSolutions.com/
4015 7th Ave #4, Brooklyn NY 11232 v: 718-854-0335 f: 718-854-0409
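
The two fixes described in the message above (removing whitespace other than regular spaces, or allowing only letters, numbers, spaces and a few punctuation characters), as an added example that is not part of the original post. The function names and the exact punctuation set are assumptions; the first two sample values are the ones from the message.

```php
<?php
// Added example: header-field handling as described in the message above.
// Function names and the punctuation set are assumptions, not from the post.

// Fix 1: remove whitespace/control characters other than a regular space,
// so the value cannot begin a new header line.
function strip_header_breaks(string $value): string
{
    // \x00-\x1F includes CR, LF, tab, vertical tab and form feed; \x7F is DEL.
    return preg_replace('/[\x00-\x1F\x7F]+/', '', $value);
}

// Fix 2: accept only letters, numbers, spaces and a few punctuation characters.
// \A and \z anchor the whole string; "$" would still match before a trailing "\n".
function is_safe_header_value(string $value): bool
{
    return preg_match('/\A[A-Za-z0-9 .,\'!?@_:-]*\z/', $value) === 1;
}

// The first two samples are the values from the message; the third is constructed.
$samples = [
    'non-issue'   => "Content-type: crack",
    'real issue'  => "You're about to be cracked\r\nContent-type: crack",
    'trailing LF' => "Feedback about the site\n",
];

foreach ($samples as $label => $var) {
    $verdict = is_safe_header_value($var) ? 'accept' : 'reject';
    $subject = 'Subject: ' . strip_header_breaks($var);
    // json_encode makes any surviving control character visible as an escape.
    printf("%-12s allow-list=%s  stripped=%s\n", $label, $verdict, json_encode($subject));
}
```

Either function belongs only on values that are placed in the email headers; the message body does not need it.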