Textpattern CMS

#1 2005-12-07 17:59:34

arpan

Member

Registered: 2004-12-02

Posts: 25

form mail exploit

Recently I received two very similar e-mails from two web hosting providers (Lunar pages & Silicon House) about form mail exploits.

I’m not sure what kind of exploit they are talking about. I use Zem Contact on 4 of my websites. Would Zem contact be considered secure?

Would appreciate any information you might have.
Thanks
Arpan

+++++++++++++

Hello,

The following security alert is for anyone who uses a form mail script on their web site. Form mail scripts are generally used to allow browsers to submit an email from your website. This may include feedback forms or contact forms. If you do not have any such feature on your site, you may disregard this notice.

Recently we have seen a lot of exploit (hacker) activity on PHP and CGI form mail scripts. The majority of exploited scripts are hand coded form mail scripts. The exploits will use the form mail to automatically send spam from the account. (An “exploit” is a term used for a piece of code written by a malicious person to abuse a customer’s account. This is not a server vulnerability but an issue specific to the coding found in particular scripts.) The result of this is that we will receive spam warnings from AOL, Spamcop and other reporting agencies. If we receive too many complaints, our servers are at risk of being black listed which will affect email on all servers.

It is very important to check your scripts to ensure they are secure. At this time, the only form mail script we are recommending is the one found here: http://nms-cgi.sourceforge.net/scripts.shtml. If you are using a hand coded form mail script, it is highly recommended that you change to the NMS form mail script.

Regardless of which form mail script you use, it is very important you name it something random. Please DO NOT USE the following words when naming your form mail scripts: form, mail, contact or feedback. People exploiting these forms search for these commonly used words on search engines to more easily identify vulnerable scripts.

We are currently scanning all servers to find scripts using those names as well as replying to all spam complaints. If a script is found that was exploited or has the potential to be exploited, the script will be renamed. This may cause your script to stop functioning so it is imperative you change your naming as soon as possible.

We apologize for the inconvenience but it is necessary to take swift action in order to preserve the integrity of the servers so email is not disrupted for anyone. If you have any questions or concerns, please contact support@lunarpages.com. Please also see the following Lunarforums link: http://www.lunarforums.com/forum/index.php?topic=29507.0.

Thank you,
Lunarpages Support

#2 2005-12-08 14:58:36

ubernostrum

Member

From: Lawrence, KS

Registered: 2004-05-05

Posts: 238

Website

Re: form mail exploit

zem_contact is fine.

---

You cooin’ with my bird?

#3 2005-12-08 16:29:34

ramanan

Plugin Author

From: Toronto

Registered: 2004-03-12

Posts: 323

Website

Re: form mail exploit

I’d trust zem_contact to perform brain surgery. I think you’re safe.

#4 2005-12-08 18:02:10

arpan

Member

Registered: 2004-12-02

Posts: 25

Re: form mail exploit

Thanks. I thought it would be fine, just wanted to make sure.

At first, I thought that they were saying that I had an insecure form, but then I realized that it was just a general warning.

Anyway, any idea what exactly they are talking about. I’m assuming that they are talking about forms that send an e-mail for e-mail ID confirmation to the person who fills in the form. Am I right, or is this about something else.

Thanks

#5 2005-12-09 01:18:01

Infi

Member

Registered: 2005-05-28

Posts: 75

Re: form mail exploit

I believe it’s in reference (mainly) to the ancient CGI formmail script of Matt’s Script Archive fame. Hole-y as a sieve, but still in ubiquitous use. I’ve received a few of these notices from a host provider that actually offers the script as part of its CGI “library” – rewritten, but I still wouldn’t use it.

#6 2005-12-09 08:34:24

Sencer

Archived Developer

From: cgn, de

Registered: 2004-03-23

Posts: 1,803

Website

Re: form mail exploit

Take a peek at this discussion:

http://forum.textdrive.com/viewtopic.php?id=5694

The problem is, that many people who write such form-mailers either overlook, or don’t know how to (or even that they need to) sanitize user-input. And then it can be used to send mails to wherever with whatever content and headers.

#7 2005-12-09 23:53:59

zem

Developer Emeritus

From: Melbourne, Australia

Registered: 2004-04-08

Posts: 2,579

Re: form mail exploit

Almost every formmail style script I’ve seen is vulnerable to at least one form of exploit. (This seems to be a popular subject for a first script, or for a “quick lesson in PHP”, when in fact it’s quite difficult to get right, even for an experienced developer). Most of the top 10 results in a google search for “php email contact form” are easily exploitable.

A while back a bunch of spammers used a flaw in MT’s comment email function to trick it into sending spam. Since we like to be proactive in checking for vulnerabilities in txp, I audited Textpattern and zem_contact looking for similar problems. Textpattern had a flaw, which we promptly fixed (before anyone learned of it); zem_contact was already secure.

That’s not to say they’re perfectly safe to all possible exploits; but they don’t have the usual vulnerabilities.

---

Alex