topic Serious apache formscript security problem in Operating System - HP-UX

Serious apache formscript security problem

Steven E. Protter — Fri, 23 Jan 2004 10:13:16 GMT

The following threads were triggered by this flaw and should be read to understand what is going on:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=333766

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=358250

The sendmail holes have been closed and HP has issues a security bulliten concerning sendmail.

I think this may be an apache issue.

What happens is a spammer finds the location of a cgi formscript(i will attach one).

By running this script directly(it must be rx other to run on web pages) a spammer is able to trick the sendmail server into relaying mail because the mail appears to be local, originating from apache@localhost

I think a new security bulliten needs to be issued on this topic.

Here is what I know:

When my HP-UX server was running apache 1.3.27 from hp depots, this vulnerability was exploited. Now that its running apache 2.0.48 from depots, the problem does not appear to be happening.

I'm only running one web page hpuxconsulting.com off that server, which is simply experiment to see if i can do it.

On my Linux apache 1.3.27 server the exploit continues. I have blocked the IP addresses of the violators with the iptables firewall.

What I need to know if possible is:

1) How the exploit actually works. What does the spammer do and how can I stop it. Don't post a cookbook to this forum, I'll have hp erase it. Tell me you have a cookbook here so I can give you points and then email me at investmenttool@yahoo.com

2) Does the upgrade from apache 1.3 to apache 2.0 actually solve the problem?

3) Anything else that can help.

You know I'm a liberal point giver. I am indebted in advance for your help. As a result of this issue I've been getting mail boucnes back from aol and yahoo. Its impossible to operate an nsp without good relations with those two providers.

SEP

Re: Serious apache formscript security problem

Steven E. Protter — Fri, 23 Jan 2004 11:35:42 GMT

As a short term solution:

What about running Bastille and putting apache in a chroot jail? Would that help?

Help!

SEP

Re: Serious apache formscript security problem

Keith Buck — Mon, 26 Jan 2004 13:52:47 GMT

Steven,

Not sure I'm following you completely, so I'll only respond with what I do know for sure.

Looks like you've found a 'short term solution' on HP-UX by upgrading to Apache 2. Bastille only chroot's Apache on HP-UX, so you'd have to do the Linux chroot manually. Chroot'ing is always a nice second line of defense, but I can't say for sure how much it will help this specific issue.

Hope that helps a little.

-Keith

Re: Serious apache formscript security problem

Steven E. Protter — Mon, 26 Jan 2004 14:00:37 GMT

Thanks Keith,

I think the fact that I only have one website running on the HP-UX box under apache 2.0 is a pretty poor test group.

I'm thinking about moving the two targeted websites to the HP-UX box and see what happens with continued victimization.

On the short term, the two formscripts that were getting used were only called in one form, so I renamed the script, renamed the call to the script.

Then i monitored the apache error_log and took note of the exploit attempts not associated with a prior load of the page that is supposed to call the cgi script.

Those users are now blocked at the firewall which is a Linux Box.

I'm wondering if anyone else has experienced this problem and if Apache 2.0 fixed it.

I will teach anybody that wants to check how to look for the exploit.

SEP

Re: Serious apache formscript security problem

Steven E. Protter — Tue, 27 Jan 2004 01:59:01 GMT

Careful analysis of the logs show this:

The only web sites exploited were:

Those missing the robots.txt file that stops people from running my cgi scripts.

Looks like I did this to myself with poor security practice.

Bad Sysadmin
No supper for Steve

SEP

Re: Serious apache formscript security problem

Christopher Caldwell — Thu, 29 Jan 2004 16:03:17 GMT

"FormMail" type scripts have a number of security issues that should be addressed during implementation. Most notable are failure to validate/cleanse user submitted data, and a configuration that sets up a trust relationship between the web server user and sendmail, without reservation. This trust relationship effectively bypasses anti-relay rulesets and other sendmail security/anti-spam measures.

The simple fixes are
1) always validate and cleanse user input
2) use techniques like "allowed recipients" to mitigate spam and relay abuses.

If you Google for "FormMail security" you'll find a number of references that speak to "how _not_ to do it" and a plethora of suggestions on "how to do it".

Re: Serious apache formscript security problem

Steven E. Protter — Thu, 29 Jan 2004 16:05:09 GMT

Thanks Chris.

All hail google.

Great suggestion.

SEP

Re: Serious apache formscript security problem

Steven E. Protter — Tue, 03 Feb 2004 14:13:32 GMT

I have dropped the number of allowable recipients in a smtp package in sendmail.cf from the standard 100 to 10.

This should make spam very inefficient.

Studying formscript security. I have robots.txt files all over create.

If its in a subdicrecty of the documentroot do the entries need to be adjusted?

does /cgi-bin/ become ../cgi-bin ??

SEP

Re: Serious apache formscript security problem

Steven E. Protter — Tue, 03 Feb 2004 16:29:04 GMT

Thanks to Chris I have found an expliot that I can use to attempt to send mail on all of my scripts.

robots.txt fixes it. There is a new model for cgi scripts that is much more secure. All new scripts will have to be done that way.

All older scripts are being checked.

There was an exploit this morning because I left a html page that refers to a formscript sitting in a backup directory.'

Got to clean up that web server.

SEP

Re: Serious apache formscript security problem

Steven E. Protter — Tue, 03 Feb 2004 17:21:35 GMT

At the timestamp in this firewall record, there was a failed exploit attempt on my mail server.

jerusalem kernel: IN=eth0 OUT= MAC=00:c0:9f:08:2a:8c:00:20:6f:13:a0:7c:08:00 src=194.204.170.254 DST=66.92.143.194 LEN=56 TOS=0x00 PREC=0x00 TTL=235 ID=48644 PROTO=ICMP TYPE=3 CODE=13 [src=66.92.143.194 DST=194.204.171.226 LEN=60 TOS=0x00 PREC=0x00 TTL=43 ID=17884 DF PROTO=TCP INCOMPLETE [8 bytes] ]

Right after this 500 mails failed to relay because I have relay blocked.

I'm now kind of wondering since I've shut down cgi exploit how this attempt was done.

Chis Caldwell gets a Rabbit if he posts in again.

SEP