The following threads were triggered by this flaw and should be read to understand what is going on:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=333766http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=358250The sendmail holes have been closed and HP has issues a security bulliten concerning sendmail.
I think this may be an apache issue.
What happens is a spammer finds the location of a cgi formscript(i will attach one).
By running this script directly(it must be rx other to run on web pages) a spammer is able to trick the sendmail server into relaying mail because the mail appears to be local, originating from apache@localhost
I think a new security bulliten needs to be issued on this topic.
Here is what I know:
When my HP-UX server was running apache 1.3.27 from hp depots, this vulnerability was exploited. Now that its running apache 2.0.48 from depots, the problem does not appear to be happening.
I'm only running one web page hpuxconsulting.com off that server, which is simply experiment to see if i can do it.
On my Linux apache 1.3.27 server the exploit continues. I have blocked the IP addresses of the violators with the iptables firewall.
What I need to know if possible is:
1) How the exploit actually works. What does the spammer do and how can I stop it. Don't post a cookbook to this forum, I'll have hp erase it. Tell me you have a cookbook here so I can give you points and then email me at investmenttool@yahoo.com
2) Does the upgrade from apache 1.3 to apache 2.0 actually solve the problem?
3) Anything else that can help.
You know I'm a liberal point giver. I am indebted in advance for your help. As a result of this issue I've been getting mail boucnes back from aol and yahoo. Its impossible to operate an nsp without good relations with those two providers.
SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
