Re: SPAM attempts through WebDNA (Was Serious WebDNA Issue)
This WebDNA talk-list message is from 2006
It keeps the original formatting.
Thanks for this, I'll take a look at putting together a white list solution.

Still very curious why this injected code appeared seemingly randomly in a WebDNA page on a totally different site (on the same server)

Mark.

On 22 Nov 2006, at 09:56, sal danna wrote:

> Read this article for more info on this.
>
> Malicious Code Injection: It's Not Just For SQL Anymore
> http://www.lockergnome.com/nexus/web?cat=57
>
> The only real way to defend against all malicious code injection
> attacks is to validate every input from every user. While establishing
> a list of "bad" input values that should be blocked (a blacklist) may
> seem like an appropriate first step, this approach is extremely
> limited. A finite list of problems simply gives hackers the
> opportunity to discover ways around your list. There is simply no way
> to make sure that you are covering every possibility with your
> blacklist, so you are still leaving the application vulnerable to
> malicious code injections.
>
> The correct way to validate input is to start instead with a whitelist
> - a list of allowable options. For example, a whitelist may allow
> usernames that fit within specific parameters - only eight characters
> long with no punctuation or symbols, and so on. This can reduce the
> surface area of a malicious code injection attack by specifying the
> proper format for the input into the field. The application can then
> reject input that does not fit the established format. This approach
> (unlike a blacklist) can prevent not only known, current attacks but
> also unknown, future attacks.
>
> To be completely thorough, a developer should set up both white- and
> blacklists in order to cover all bases. In this way, the whitelist can
> be used to block the majority of attacks, while the blacklist can
> cover specific edge cases not handled by the whitelist. To protect
> against SQL injection, a whitelist could allow only alphanumeric
> input, while a "backup" blacklist could specifically disallow common
> SQL verbs like SELECT and UPDATE.
>
> Sal D'Anna
>
> On 11/21/06, Mark Derrick wrote:
>
>> Doing some more research on this, I've tracked down the request
>> that sent this data to my site.
>> It was POSTed directly to my search results page using expected
>> variables - full details shown below.
>> It sent its SPAM message in the Cart field, and then sent
>> "a5042%40popxpress.com" as the value for the remainder of the
>> fields that should have been present - although several were
>> actually missing.
>>
>> The effect of this was that the SPAM content of this request then
>> appeared to have been cached by WebDNA and was displayed several
>> times in place of an [Include] file - throwing this up on pages
>> displayed to customers on a totally different WebDNA site running
>> on the same server - this continued until the server was restarted.
>>
>> Two questions
>> (1) How can I block this happening with a Mod Rewrite?
>> (2) Why is WebDNA caching this data?
>>
>> I understand that they're hoping my server will send this message
>> out when it processes the request, but I'm confused as to the
>> reasons for replacing the rest of the variable values with
>> "a5042%40popxpress.com", what is this supposed to achieve?
>>
>> http://www.popxpress.com/
>> /result.tpl
>> cart=biotics%0D%0AContent-Type%3A+multipart%2Falternative%3B+%0A+++
>> +++++++++++boundary%3Dc286c15078fef19919450df6f8510b92%0AX-Mailer%
>> 3A+GoldMine+%5B5.50.10111%5D%0ASubject%3A+can+be%0Acc%3A
>> +homejspoljar%40aol.com%0Acc%3A+ca23comerww%40aol.com%0Acc%3A
>> +lostsurfer4life%40aol.com%0Acc%3A+fkuntz7575%40aol.com%0Acc%3A
>> +doggybone174%40aol.com%0Acc%3A+sweetjlf%40aol.com%0Acc%3A+ringoent
>> %40aol.com%0Acc%3A+snowmeow98%40aol.com%0Acc%3A+topcopl2%40aol.com%
>> 0Acc%3A+dcpsychomunky%40aol.com%0Acc%3A+felix1484860273%40aol.com%
>> 0A%0A--c286c15078fef19919450df6f8510b92%0AContent-Transfer-Encoding
>> %3A+7bit%0AContent-Type%3A+text%2Fplain%0A%0Anot+come+from+surface
>> +contact.+n+fact%0A%0A--c286c15078fef19919450df6f8510b92%0AContent-
>> Transfer-Encoding%3A+8bit%0AContent-Type%3A+text%2Fplain%0A%0Aa
>> +gammon+joint.+ashers+of+bacon+are+a+main+constituent+of+the
>> +traditional+%0Arish+breakfast%2C+along+with+sausages.+lthough
>> +ritain+has+a+large+pork+and+%0Abacon+industry%2C+much+of+the+bacon
>> +consumed+in+ritain+is+produced+in+enmark%2C+%0Aand+marketed+as
>> +anish+bacon+%28the+word+anish+is+stamped+on%0A%0A--
>> c286c15078fef19919450df6f8510b92--%0A.%0A&startat=a5042%
>> 40popxpress.com&max=a5042%40popxpress.com&Submit=a5042%
>> 40popxpress.com&wagroup1data=a5042%40popxpress.com&link=a5042%
>> 40popxpress.com&SortOrder=a5042%40popxpress.com&listing=a5042%
>> 40popxpress.com&allreqd=a5042%40popxpress.com&group1field=a5042%
>> 40popxpress.com REFERER=http%3A//www.popxpress.com/
>> &HOST=www.popxpress.com&CONTENT-TYPE=application/x-www-form-
>> urlencoded&CONNECTION=Keep-Alive&CONTENT-
>> LENGTH=1394&CONNECTION=close&
>>
>> On Tue, 21 Nov 2006 10:18:26 +0000
>> Mark Derrick wrote:
>>
>> > I seem to be having a very similar problem, but with a slight twist
>> >
>> > Last night, the following text was served in the place of an
>> > included txt file.
>> >
>> > : sweetjlf@aol.comcc: ringoent@aol.comcc: snowmeow98@aol.comcc:
>> > topcopl2@aol.comcc: dcpsychomunky@aol.comcc: felix1484860273@aol.com--
>> > c286c15078fef19919450df6f8510b92Content-Transfer-Encoding: 7bitContent-Type:
>> > text/plainnot come from surface contact. n fact--
>> > c286c15078fef19919450df6f8510b92Content-Transfer-Encoding: 8bitContent-Type:
>> > text/plaina gammon joint. ashers of bacon are a main constituent of the
>> > traditional rish breakfast, along with sausages. lthough ritain has a large
>> > pork and bacon industry, much of the bacon consumed in ritain is produced in
>> > enmark, and marketed as anish bacon (the word anish is stamped on--
>> > c286c15078fef19919450df6f8510b92--.
>> >
>> > The rest of the page was fine, but where [INCLUDE file=^includes/sample.txt]
>> > was supposed to go, this text appeared instead.
>> >
>> > The text file which should have been included has not changed at all, and
>> > is now appearing correctly.
>> > Because of this, I cannot see any reason why the above text was displayed.
>> >
>> > It's obviously someone trying to send Spam through our server - but why it
>> > has appeared within a page is seriously worrying me.
>> > Is WebDNA caching this data and somehow then using it when calling an
>> > [include] to build a page?
>> >
>> > Generally people can try to send spam through my server all they want,
>> > because I know the server is well protected against such behaviour - but
>> > after seeing text like this appearing within my pages, I'm now starting to
>> > seriously worry about WebDNA's security.
>> >
>> > Thanks for any help you can offer.
>> >
>> > Mark.
>> >
>> > -------------------------------------------------------------
>> > This message is sent to you because you are subscribed to
>> > the mailing list .
>> > To unsubscribe, E-mail to:
>> > To switch to the DIGEST mode, E-mail to
>> >
>> > Web Archive of this list is at: http://webdna.smithmicro.com/
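Sal's whitelist-first advice and Mark's captured POST describe the same problem from two sides: the `cart` field of /result.tpl arrived carrying CR/LF sequences followed by a complete mail header block and MIME body. The Python below is an added example, not WebDNA code and not code from either poster. It parses an application/x-www-form-urlencoded body, checks every field against a per-field whitelist pattern first (unexpected fields are rejected outright), and then applies a small backup blacklist for the edge case in this thread: line breaks and mail header names inside a value. The field names are taken from the captured request; the patterns, the `someone@example.com` address and the shortened sample bodies are constructed assumptions.

```python
"""Whitelist-first form validation with a backup blacklist (added example)."""
import re
from urllib.parse import parse_qs

# Whitelist: each expected field and the pattern its value must match in full.
# Field names are from the POST shown in the thread; the patterns are assumed
# rules for what a search-results form would legitimately accept.
WHITELIST = {
    "cart":      re.compile(r"[A-Za-z0-9 .,'-]{1,40}"),   # search term
    "startat":   re.compile(r"[0-9]{1,6}"),
    "max":       re.compile(r"[0-9]{1,4}"),
    "SortOrder": re.compile(r"asc|desc", re.IGNORECASE),
    "Submit":    re.compile(r"[A-Za-z ]{1,20}"),
}

# Backup blacklist: a mail header name at the start of any line inside a value.
# The whitelist already excludes these; the blacklist catches the specific
# abuse seen here even if a whitelist pattern is later loosened.
MAIL_HEADER = re.compile(
    r"^(to|cc|bcc|from|subject|content-type|content-transfer-encoding|x-mailer)\s*:",
    re.IGNORECASE | re.MULTILINE,
)


def check_value(field, value):
    """Return the reasons a single decoded value is unacceptable ([] = OK)."""
    pattern = WHITELIST.get(field)
    if pattern is None:
        return ["field not expected by this form"]
    reasons = []
    if not pattern.fullmatch(value):
        reasons.append("does not match whitelist format")
    # CR/LF is what turns a field value into extra headers or a new MIME part
    # once the value reaches a mailer; reject it independently of the pattern.
    if "\r" in value or "\n" in value:
        reasons.append("contains CR/LF")
    hit = MAIL_HEADER.search(value)
    if hit:
        reasons.append("blacklisted mail header: " + hit.group(1).lower())
    return reasons


def validate_form(body):
    """Parse a form-encoded POST body; return {field: [reasons]} for every
    failing field. An empty dict means the request may be processed."""
    problems = {}
    # keep_blank_values so an empty value is still checked against its pattern
    for field, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:  # a repeated field is checked once per occurrence
            reasons = check_value(field, value)
            if reasons:
                problems.setdefault(field, []).extend(reasons)
    return problems


# Constructed sample bodies: a shortened stand-in for the captured POST above
# (address replaced with example.com) and a legitimate search request.
SAMPLE_SPAM_POST = (
    "cart=biotics%0D%0AContent-Type%3A+multipart%2Falternative%3B%0A"
    "Subject%3A+can+be%0Acc%3A+someone%40example.com%0A%0Aspam+body"
    "&startat=a5042%40popxpress.com&max=a5042%40popxpress.com"
)
SAMPLE_GOOD_POST = "cart=biotics&startat=0&max=25&SortOrder=asc"

if __name__ == "__main__":
    for label, body in (("good", SAMPLE_GOOD_POST), ("spam", SAMPLE_SPAM_POST)):
        print(label, validate_form(body) or "accepted")
```

The check has to run where the body is parsed. This answers Mark's first question: mod_rewrite sees only the request line and headers, never the POST body, so a RewriteRule cannot match a payload carried in a form field; the validation belongs in the template or application layer, or in a body-inspecting component in front of it.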