How to tell if cgiemail script can be exploited

software development

#1

I’m wondering if the cgiemail script I put up on a site can be exploited.

Is there any way to tell by looking at stats in my web panel?


#2

Unfortunately, the stats provided by the web panel are not likely to be too useful for this purpose, as they just don’t provide enough information from your logs.

That said, a particularly high number of requests for your form, or the “mailing” component/function of your CGI script, and the IPs associated with those requests may be indicative of attempted exploits - you just won’t be able to tell from the stats if they were successful, or exactly how the exploit was attempted.

For this purpose, looking at your raw log files is a better way to go, as you can see the activity in more detail, such as the timing of IPs’ visits, the “pattern” in which they surf your pages, and often the query strings being passed as part of the request.

If your script is actually being exploited, you will most likely know about it soon enough - the backscatter should start to show up in your inbox and, depending upon how badly the script is compromised, you can expect DH to be shutting down your mail services for potential spamming pending your contacting DH support and taking the steps that are necessary to eliminate the exposure.

The best way to evaluate whether or not a particular script is “exploitable”, is a careful inspection of the script by a programmer that understands the security ramifications involved. If you are using a commonly available script, a google search for exploits will often reveal security advisories that are relevant to the script. You could also discuss here the script you are using, and take advantage of the community “brain pool” to help evaluate the security of your script and/or suggest other more secure alternatives if necessary :wink:

–rlparker
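The raw-log triage rlparker describes, as an added example that is not part of the original thread: a small Python script that reads Apache “combined” log lines, counts requests to the mailer script per IP, and flags requests whose query string carries an encoded CR/LF or a mail-header keyword, or that POST to the script without ever having loaded the form. The log lines, the addresses, the script path `/cgi-bin/cgiemail`, and the burst threshold are all constructed assumptions; adjust the prefix to wherever your copy of the script lives.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache "combined" log lines (hosts, times and paths are made up for this example).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2007:10:01:02 -0800] "GET /contact.html HTTP/1.1" 200 1843 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Mar/2007:10:01:09 -0800] "POST /cgi-bin/cgiemail/contact.txt HTTP/1.1" 200 512 "http://example.com/contact.html" "Mozilla/4.0"
198.51.100.23 - - [12/Mar/2007:10:02:11 -0800] "POST /cgi-bin/cgiemail/contact.txt HTTP/1.1" 200 512 "-" "-"
198.51.100.23 - - [12/Mar/2007:10:02:12 -0800] "POST /cgi-bin/cgiemail/contact.txt HTTP/1.1" 200 512 "-" "-"
198.51.100.23 - - [12/Mar/2007:10:02:12 -0800] "POST /cgi-bin/cgiemail/contact.txt HTTP/1.1" 200 512 "-" "-"
198.51.100.23 - - [12/Mar/2007:10:02:13 -0800] "GET /cgi-bin/cgiemail/contact.txt?email=a%40b.com%0ABcc%3Avictim%40example.net HTTP/1.1" 200 512 "-" "-"
"""

# Apache combined log format: ip ident user [time] "method target proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# A mail header name at the start of a line inside a form value is the classic header-injection tell.
HEADER_WORDS = re.compile(r'(^|[\r\n])\s*(bcc|cc|to|from|content-type)\s*:', re.I)


def parse(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text, script_prefix="/cgi-bin/cgiemail", burst_threshold=3):
    """Count hits on the mailer script per IP and flag requests that look like exploit attempts."""
    hits = Counter()
    flagged = []
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or not rec["target"].startswith(script_prefix):
            continue
        hits[rec["ip"]] += 1
        reasons = []
        _path, _, query = rec["target"].partition("?")
        decoded = unquote(query)  # %0A / %0D become real line breaks here
        if "\r" in decoded or "\n" in decoded:
            reasons.append("encoded CR/LF in query string")
        if HEADER_WORDS.search(decoded):
            reasons.append("mail header keyword in query string")
        if rec["method"] == "POST" and rec["referer"] == "-":
            reasons.append("POST with no Referer (form page never loaded?)")
        if rec["agent"] == "-":
            reasons.append("empty User-Agent")
        if reasons:
            flagged.append({"ip": rec["ip"], "time": rec["time"],
                            "target": rec["target"], "reasons": reasons})
    bursty = sorted(ip for ip, n in hits.items() if n >= burst_threshold)
    return {"hits": dict(hits), "bursty": bursty, "flagged": flagged}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("hits per IP:", result["hits"])
    print("bursty IPs:", result["bursty"])
    for f in result["flagged"]:
        print(f["time"], f["ip"], f["target"], "->", "; ".join(f["reasons"]))
```

On a real server, pipe the access log in (`python3 triage.py < access.log` with a one-line wrapper, or read the file in place of `SAMPLE_LOG`). The Referer and User-Agent checks are heuristics, since both headers are trivially forged and some legitimate browsers send neither; the CR/LF and header-keyword checks are the ones worth acting on, because a legitimate form submission never contains a line break in an e-mail address field.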


#3

[quote]The best way to evaluate whether or not a particular script is “exploitable”, is a careful inspection of the script by a programmer that[/quote]

Publish it, and they will come. Put a form out there, maybe on a throw-away subdomain, help searchers find it, and you’ll find out soon enough if it can be exploited. As already said, you may get your site disabled for a while. :slight_smile: And they probably won’t explain how they did it.

tor.eff.org


#4

Is it a 3rd party script or did you write it? If it’s 3rd party, you could try a Google search for the script name +exploit and see if anything comes up.

If you wrote it, at least make sure you covered the basics like checking input, setting the content-type, checking for injection, etc.

If you’re using the PHP mail function, you can pick up some tips in the user comments at the PHP site.




#5

The script is that old MIT CGIemail script, the one that uses a separate template text file to format the message and determine the recipient.

I did read that it’s more secure to keep variables out of the header area of the template, thus reducing the ability of a spammer to insert linebreaks that might fool the script into allowing additional recipient addresses to be specified in a bogus Bcc: header.

I stopped using the DreamHost formmail script since I was getting spammed like crazy.
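The template weakness described in #5, as an added example that is not part of the original thread and not cgiemail’s own code: a simplified model of a template with `[field]` placeholders, rendered once verbatim and once with the fix the poster mentions (no raw form values allowed to introduce line breaks into the header area). The template, the hostile submission and the helper names are constructed for this illustration.

```python
import re

# Constructed template in the style of a cgiemail template file: headers, blank line, body.
# (A simplified model of the format, not cgiemail's real parser.)
TEMPLATE = """\
To: webmaster@example.com
From: [email]
Subject: Contact form

Name: [name]
Message:
[message]
"""

# Constructed hostile submission: a CR/LF smuggled into the "email" field so that
# the text after it lands on its own header line as a Bcc: to the spammer's targets.
HOSTILE_FORM = {
    "email": "joe@example.org\r\nBcc: spamtarget1@example.net, spamtarget2@example.net",
    "name": "Joe",
    "message": "Hello",
}

# Constructed benign submission; a line break in the body is perfectly normal.
BENIGN_FORM = {"email": "joe@example.org", "name": "Joe", "message": "Hello\nsecond line"}

PLACEHOLDER = re.compile(r"\[([A-Za-z0-9_]+)\]")
# Anything an MTA or header parser might treat as a line terminator, plus other control bytes.
LINE_BREAKERS = re.compile(r"[\x00-\x1f\x7f\x85\u2028\u2029]")


def render_vulnerable(template, form):
    """Substitute fields verbatim: a newline inside a field becomes a new header line."""
    return PLACEHOLDER.sub(lambda m: form.get(m.group(1), ""), template)


def render_hardened(template, form):
    """Refuse any field substituted into the header area that contains a line break or
    control character; body fields are left alone because line breaks are legitimate there."""
    header_part, sep, body_part = template.partition("\n\n")

    def header_value(m):
        value = form.get(m.group(1), "")
        if LINE_BREAKERS.search(value):
            raise ValueError(f"field {m.group(1)!r} contains a line break or control character")
        return value

    def body_value(m):
        return form.get(m.group(1), "")

    return PLACEHOLDER.sub(header_value, header_part) + sep + PLACEHOLDER.sub(body_value, body_part)


def recipients(message):
    """Every address named in To/Cc/Bcc headers of the rendered message (what the MTA would deliver to)."""
    headers, _, _ = message.partition("\n\n")
    found = []
    for line in headers.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() in ("to", "cc", "bcc"):
            found.extend(a.strip() for a in value.split(",") if a.strip())
    return found


if __name__ == "__main__":
    print("vulnerable ->", recipients(render_vulnerable(TEMPLATE, HOSTILE_FORM)))
    print("hardened, benign ->", recipients(render_hardened(TEMPLATE, BENIGN_FORM)))
    try:
        render_hardened(TEMPLATE, HOSTILE_FORM)
    except ValueError as e:
        print("hardened, hostile -> rejected:", e)
```

The verbatim render delivers the spammer’s two extra addresses; the hardened render rejects the submission outright rather than trying to clean it, which is the safer choice for a header field (a stripped or truncated address is still a bounce waiting to happen). The poster’s suggestion of keeping form variables out of the header area entirely removes the problem at the template level and needs no code change at all; the check above is for cases where something like a reply address genuinely has to come from the form.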


#6

I’m not familiar with that script, so I can’t authoritatively comment on how robust it is.

I’ve had good luck with the NMS-formail.cgi (mentioned in a prior thread in which you participated), as it has an “alias” feature that masks your recipient email address.

–rlparker