Submitted by: Simon Michael at: 2006-03-14T12:55:57+00:00

comments:

(new) comment form vulnerability --Simon Michael, Tue, 14 Mar 2006 12:56:00 -0800
Bob McElrath wrote:

Yesterday my wiki was hijacked for spam. It appears that the spammer used the comment form and a POST request on one of my pages to add content, which then got sent via mailin. The spammer included a full email header in his comment, including a BCC field, which then sendmail tried to deliver to thousands of @aol.com addresses (since zwiki's mailin is a legitimate sender on my machine).

Any suggestions how to fix this?

-- forwarded from http://zwiki.org/GeneralDiscussion#msg20060314164429.GA11322@mcelrath.org

Ugh. Being able to add arbitrary recipients in the comment body is bad; I wouldn't have expected that to work. See Editing.py -> comment(), around m.set_payload(text). Perhaps if you add a blank Bcc there - or make sure there is a blank line to terminate headers - or scan and clean up the text. Also see 0.51's edits_need_username property for more casual spammers.

spam --Bob McElrath, Tue, 14 Mar 2006 14:27:35 -0800
I placed a copy of the vandalized page text here: http://bob.mcelrath.org/Problems.spam.txt

spam --Bob McElrath, Tue, 14 Mar 2006 14:34:16 -0800
It appears that the headers and the entire contents of the message were placed in the "subject_heading" field of the web form, and if that contains a newline, it will end up in the message header. Note the zwiki-added Message-ID and In-Reply-To at the end of the spam body.

So, this can probably be fixed by not allowing the subject_heading to be more than 1 line.
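As an added example (not part of this thread and not Zwiki's code), the mechanism Bob describes and the single-line fix he proposes, with the empty-field edge case handled: the header block is built by string formatting and then parsed back into field names, showing that a newline in the subject does or does not become a Bcc field. build_headers, sanitize_header_value, header_names and looks_like_injection are hypothetical names chosen here.

```python
"""Mail header injection through a multi-line form field, and the one-line fix.

Added example, not Zwiki code: build_headers mimics the string-formatting
style of Mail.py, but build_headers, sanitize_header_value, header_names and
looks_like_injection are hypothetical names chosen for this illustration.
"""
import re

# Terminators that end a header line; str.splitlines() recognises all of them.
_LINEBREAK = re.compile(r'[\r\n\x0b\x0c\x1c\x1d\x1e\x85\u2028\u2029]')


def looks_like_injection(value):
    """Detection check: True when a form value could start a new header line."""
    return bool(value) and _LINEBREAK.search(value) is not None


def sanitize_header_value(value, default=''):
    """Keep only the first line (what the thread's patch does), but tolerate
    empty/None input: ''.splitlines() is [], so a bare [0] would raise."""
    lines = (value or '').splitlines()
    return lines[0] if lines and lines[0] else default


def build_headers(sender, subject, in_reply_to=None, sanitize=True):
    """Assemble a header block by string formatting, as a wiki mail-out does.
    With sanitize=False a multi-line subject turns into extra header fields."""
    clean = sanitize_header_value if sanitize else (lambda v, default='': v or default)
    lines = ['From: %s' % clean(sender, 'anonymous'),
             'Subject: %s' % clean(subject)]
    if in_reply_to:
        lines.append('In-reply-to: %s' % clean(in_reply_to))
    return '\r\n'.join(lines) + '\r\n'


def header_names(raw):
    """Parse a header block back into its field names (lower-cased)."""
    return [line.split(':', 1)[0].strip().lower()
            for line in raw.splitlines() if ':' in line and not line[:1].isspace()]


# Constructed sample: a comment subject with a smuggled Bcc field, as in the report.
SPAM_SUBJECT = 'hello\nBcc: victim1@example.invalid, victim2@example.invalid'

if __name__ == '__main__':
    print(header_names(build_headers('wiki@example.invalid', SPAM_SUBJECT, sanitize=False)))
    print(header_names(build_headers('wiki@example.invalid', SPAM_SUBJECT)))
```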

spam --Simon Michael, Tue, 14 Mar 2006 15:26:59 -0800
Aaah.. the wretches! Thanks.

I'm concerned about all the other pre-0.52, mail-enabled, public-commentable zwikis already out there. Oh well, I guess they aren't so numerous as all that. An incentive to upgrade.

(property change) --simon, Tue, 14 Mar 2006 23:20:14 -0800
Category: => user-mail Severity: => serious Status: => open

Sanitize user input in mail headers --betabug, Mon, 12 Feb 2007 06:40:57 -0800
We will have to sanitize any user inputs that might end up in the mail headers. At first glimpse this looks to be only:

...but really anything in sendMailTo() in Mail.py will reward a closer look. I'm trying to find the time to look into it.

My idea is to do the checking in or as close to sendMailTo() as possible, in order to catch mail sent from all kinds of forms.

For the two mentioned, the following patch should do some basic sanitation:

  *** Mail.py_orig        Mon Feb 12 15:53:22 2007
  --- Mail.py     Mon Feb 12 16:37:30 2007
  ***************
  *** 503,509 ****
            address = (self.fromProperty() or
                       #self.usersEmailAddress() or
                       self.replyToProperty())
  !         realname = self.usernameFrom(REQUEST,ip_address=0) or _('anonymous')
            return '%s (%s)' % (address, realname)

        def replyToHeader(self):
  --- 503,510 ----
            address = (self.fromProperty() or
                       #self.usersEmailAddress() or
                       self.replyToProperty())
  !         realname = self.usernameFrom(REQUEST,ip_address=0).splitlines()[0] or _('anonymous')
  !         # splitlines to fend off header injection attacks from spammers
            return '%s (%s)' % (address, realname)

        def replyToHeader(self):
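Review bot: the empty-name case that `or _('anonymous')` used to cover now raises instead of falling back: if `usernameFrom(REQUEST,ip_address=0)` returns `''` (or `None`), `''.splitlines()` is `[]` and the `[0]` throws IndexError before the fallback is evaluated. Guard it, for example `lines = (self.usernameFrom(REQUEST,ip_address=0) or '').splitlines()` followed by `realname = (lines and lines[0]) or _('anonymous')`. The explanatory comment would also read better placed above the statement it describes rather than after it.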
  ***************
  *** 766,772 ****
               self.bccHeader(recipients),
               self.subjectHeader(subject,subjectSuffix),
               msgid,
  !            (in_reply_to and '\nIn-reply-to: %s' % in_reply_to) or '',
               self.zwiki_version(),
               self.xBeenThereHeader(),
               self.listIdHeader(),
  --- 767,774 ----
               self.bccHeader(recipients),
               self.subjectHeader(subject,subjectSuffix),
               msgid,
  !            (in_reply_to and '\nIn-reply-to: %s' % in_reply_to.splitlines()[0]) or '',
  !            # splitlines to fend off header injection spam attacks
               self.zwiki_version(),
               self.xBeenThereHeader(),
               self.listIdHeader(),
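Review bot: this hunk truncates only the In-reply-to value, while the subject path that the thread identifies as the actual vector (a newline inside subject_heading) still flows through `self.subjectHeader(subject,subjectSuffix)` unchanged here, as does `self.bccHeader(recipients)`; confirm those helpers apply the same first-line truncation, otherwise the reported hole stays open. The `in_reply_to.splitlines()[0]` expression is safe only because the preceding `and` short-circuits on an empty string; a value of just `'\n'` yields `['']` and produces an empty `In-reply-to:` header rather than an error, which is harmless but deserves a test.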

in darcs --simon, Tue, 13 Feb 2007 12:09:57 -0800
Thanks very much, patch applied in the main repo. Please test and close or leave open as seems appropriate.

resolved ? --simon, Sun, 25 Mar 2007 02:03:48 +0000
Status: open => closed

resolved ? let's close it for now --betabug, Sun, 25 Mar 2007 18:39:23 +0000
Let's close it for now, and keep on having an open eye for security and spam related loopholes.