Re: SPAM attempts through WebDNA (Was Serious WebDNA Issue)

This WebDNA talk-list message is from 2006. It keeps the original formatting.

numero = 68181
Thanks for this, I'll take a look at putting together a white list solution.

Still very curious why this injected code appeared seemingly randomly in a WebDNA page on a totally different site (on the same server)

Mark.

On 22 Nov 2006, at 09:56, sal danna wrote:

> Read this article for more info on this.
>
> Malicious Code Injection: It's Not Just For SQL Anymore
> http://www.lockergnome.com/nexus/web?cat=57
>
> The only real way to defend against all malicious code injection attacks is to validate every input from every user. While establishing a list of "bad" input values that should be blocked (a blacklist) may seem like an appropriate first step, this approach is extremely limited. A finite list of problems simply gives hackers the opportunity to discover ways around your list. There is simply no way to make sure that you are covering every possibility with your blacklist, so you are still leaving the application vulnerable to malicious code injections.
>
> The correct way to validate input is to start instead with a whitelist - a list of allowable options. For example, a whitelist may allow usernames that fit within specific parameters - only eight characters long with no punctuation or symbols, and so on. This can reduce the surface area of a malicious code injection attack by specifying the proper format for the input into the field. The application can then reject input that does not fit the established format. This approach (unlike a blacklist) can prevent not only known, current attacks but also unknown, future attacks.
>
> To be completely thorough, a developer should set up both white- and blacklists in order to cover all bases. In this way, the whitelist can be used to block the majority of attacks, while the blacklist can cover specific edge cases not handled by the whitelist. To protect against SQL injection, a whitelist could allow only alphanumeric input, while a "backup" blacklist could specifically disallow common SQL verbs like SELECT and UPDATE.
>
> Sal D'Anna
>
> On 11/21/06, Mark Derrick wrote:
>
>> Doing some more research on this, I've tracked down the request that sent this data to my site.
>> It was POSTed directly to my search results page using expected variables - full details shown below.
>> It sent its SPAM message in the Cart field, and then sent "a5042%40popxpress.com" as the value for the remainder of the fields that should have been present - although several were actually missing.
>>
>> The effect of this was that the SPAM content of this request then appeared to have been cached by WebDNA and was displayed several times in place of an [Include] file - throwing this up on pages displayed to customers on a totally different WebDNA site running on the same server - this continued until the server was restarted.
>>
>> Two questions
>> (1) How can I block this happening with a Mod Rewrite?
>> (2) Why is WebDNA caching this data?
>>
>> I understand that they're hoping my server will send this message out when it processes the request, but I'm confused as to the reasons for replacing the rest of the variable values with "a5042%40popxpress.com", what is this supposed to achieve?
>>
>> http://www.popxpress.com/
>> /result.tpl
>> cart=biotics%0D%0AContent-Type%3A+multipart%2Falternative%3B+%0A+++
>> +++++++++++boundary%3Dc286c15078fef19919450df6f8510b92%0AX-Mailer%
>> 3A+GoldMine+%5B5.50.10111%5D%0ASubject%3A+can+be%0Acc%3A
>> +homejspoljar%40aol.com%0Acc%3A+ca23comerww%40aol.com%0Acc%3A
>> +lostsurfer4life%40aol.com%0Acc%3A+fkuntz7575%40aol.com%0Acc%3A
>> +doggybone174%40aol.com%0Acc%3A+sweetjlf%40aol.com%0Acc%3A+ringoent
>> %40aol.com%0Acc%3A+snowmeow98%40aol.com%0Acc%3A+topcopl2%40aol.com%
>> 0Acc%3A+dcpsychomunky%40aol.com%0Acc%3A+felix1484860273%40aol.com%
>> 0A%0A--c286c15078fef19919450df6f8510b92%0AContent-Transfer-Encoding
>> %3A+7bit%0AContent-Type%3A+text%2Fplain%0A%0Anot+come+from+surface
>> +contact.+n+fact%0A%0A--c286c15078fef19919450df6f8510b92%0AContent-
>> Transfer-Encoding%3A+8bit%0AContent-Type%3A+text%2Fplain%0A%0Aa
>> +gammon+joint.+ashers+of+bacon+are+a+main+constituent+of+the
>> +traditional+%0Arish+breakfast%2C+along+with+sausages.+lthough
>> +ritain+has+a+large+pork+and+%0Abacon+industry%2C+much+of+the+bacon
>> +consumed+in+ritain+is+produced+in+enmark%2C+%0Aand+marketed+as
>> +anish+bacon+%28the+word+anish+is+stamped+on%0A%0A--
>> c286c15078fef19919450df6f8510b92--%0A.%0A&startat=a5042%
>> 40popxpress.com&max=a5042%40popxpress.com&Submit=a5042%
>> 40popxpress.com&wagroup1data=a5042%40popxpress.com&link=a5042%
>> 40popxpress.com&SortOrder=a5042%40popxpress.com&listing=a5042%
>> 40popxpress.com&allreqd=a5042%40popxpress.com&group1field=a5042%
>> 40popxpress.com REFERER=http%3A//www.popxpress.com/
>> &HOST=www.popxpress.com&CONTENT-TYPE=application/x-www-form-
>> urlencoded&CONNECTION=Keep-Alive&CONTENT-
>> LENGTH=1394&CONNECTION=close&
>>
>> On Tue, 21 Nov 2006 10:18:26 +0000
>> Mark Derrick wrote:
>>
>> > I seem to be having a very similar problem, but with a slight twist
>> >
>> > Last night, the following text was served in the place of an included txt file.
>> >
>> > : sweetjlf@aol.comcc: ringoent@aol.comcc: snowmeow98@aol.comcc: topcopl2@aol.comcc: dcpsychomunky@aol.comcc: felix1484860273@aol.com--c286c15078fef19919450df6f8510b92Content-Transfer-Encoding: 7bitContent-Type: text/plainnot come from surface contact. n fact--c286c15078fef19919450df6f8510b92Content-Transfer-Encoding: 8bitContent-Type: text/plaina gammon joint. ashers of bacon are a main constituent of the traditional rish breakfast, along with sausages. lthough ritain has a large pork and bacon industry, much of the bacon consumed in ritain is produced in enmark, and marketed as anish bacon (the word anish is stamped on--c286c15078fef19919450df6f8510b92--.
>> >
>> > The rest of the page was fine, but where [INCLUDE file=^includes/sample.txt] was supposed to go, this text appeared instead.
>> >
>> > The text file which should have been included has not changed at all, and is now appearing correctly.
>> > Because of this, I cannot see any reason why the above text was displayed.
>> >
>> > It's obviously someone trying to send Spam through our server - but why it has appeared within a page is seriously worrying me.
>> > Is WebDNA caching this data and somehow then using it when calling an [include] to build a page?
>> >
>> > Generally people can try to send spam through my server all they want, because I know the server is well protected against such behaviour - but after seeing text like this appearing within my pages, I'm now starting to seriously worry about WebDNA's security.
>> >
>> > Thanks for any help you can offer.
>> >
>> > Mark.
>> >
>> > -------------------------------------------------------------
>> > This message is sent to you because you are subscribed to
>> > the mailing list .
>> > To unsubscribe, E-mail to:
>> > To switch to the DIGEST mode, E-mail to
>> >
>> > Web Archive of this list is at: http://webdna.smithmicro.com/

Associated Messages, from the most recent to the oldest:

  1. Re: SPAM attempts through WebDNA (Was Serious WebDNA Issue) ( Mark Derrick 2006)
  2. Re: SPAM attempts through WebDNA (Was Serious WebDNA Issue) ( "sal danna" 2006)
  3. SPAM attempts through WebDNA (Was Serious WebDNA Issue) ( "Mark Derrick" 2006)
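The whitelist approach Sal quotes, applied to this search form's own POST fields, as an added example (not code from the thread or from WebDNA): it accepts only the expected field names, requires each value to match a per-field pattern, and separately flags CR/LF followed by a header name, which is how the captured request pushed mail headers through the cart field. The field names come from the captured request; the patterns and both sample bodies are assumptions, the spam sample being the captured request cut down with placeholder recipients.

```python
import re
from urllib.parse import parse_qs

# Per-field whitelist for the search form's POST parameters. The field names
# are those in the captured request; the allowed patterns are assumptions
# about what each field legitimately carries, so tighten them to the real form.
FIELD_RULES = {
    "cart": r"[A-Za-z0-9]{1,32}",
    "startat": r"[0-9]{1,6}",
    "max": r"[0-9]{1,4}",
    "Submit": r"[A-Za-z ]{1,20}",
    "wagroup1data": r"[A-Za-z0-9 .'-]{1,64}",
    "link": r"[A-Za-z0-9_.-]{1,64}",
    "SortOrder": r"[A-Za-z0-9_]{1,32}",
    "listing": r"[A-Za-z0-9_.-]{1,64}",
    "allreqd": r"[TF]",
    "group1field": r"[A-Za-z0-9_]{1,32}",
}
# CR/LF followed by "Name:" inside a value is a smuggled mail header (what the
# captured cart field carried); flagged separately so it can be logged.
HEADER_INJECT = re.compile(r"[\r\n]+\s*[A-Za-z-]+:")


def validate_form(body):
    """Return rejection reasons for a URL-encoded POST body; empty means OK."""
    reasons = []
    fields = parse_qs(body, keep_blank_values=True)
    for name, values in fields.items():
        pattern = FIELD_RULES.get(name)
        if pattern is None:
            reasons.append(f"unexpected field {name!r}")
            continue
        for value in values:
            if HEADER_INJECT.search(value):
                reasons.append(f"header injection in {name!r}")
            elif not re.fullmatch(pattern, value):
                reasons.append(f"{name!r} does not match whitelist")
    reasons.extend(f"missing field {name!r}" for name in FIELD_RULES
                   if name not in fields)
    return reasons


# Constructed samples: LEGIT is an ordinary search; SPAM is the captured
# request cut down, with the recipient list replaced by example.com addresses.
LEGIT = ("cart=biotics&startat=1&max=20&Submit=Search&wagroup1data=bacon"
         "&link=result&SortOrder=asc&listing=full&allreqd=T&group1field=name")
SPAM = ("cart=biotics%0D%0AContent-Type%3A+multipart%2Falternative%3B"
        "%0Acc%3A+one%40example.com%0Acc%3A+two%40example.com%0A%0A"
        "--c286c15078fef19919450df6f8510b92%0AContent-Type%3A+text%2Fplain"
        "%0A%0Anot+come+from+surface+contact.%0A"
        "&startat=a5042%40popxpress.com&max=a5042%40popxpress.com"
        "&Submit=a5042%40popxpress.com&SortOrder=a5042%40popxpress.com")

if __name__ == "__main__":
    for label, body in (("legit", LEGIT), ("captured", SPAM)):
        print(label, validate_form(body) or "accepted")
```

Run as a script it prints "accepted" for the ordinary search and the full reason list for the cut-down spam request, including the five fields that request left out.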
