Re: SPAM attempts through WebDNA (Was Serious WebDNA Issue)

This WebDNA talk-list message is from

2006


It keeps the original formatting.
numero = 68181
interpreted = N
texte = Thanks for this, I'll take a look at putting together a white list solution. Still very curious why this injected code appeared seemingly randomly in a WebDNA page on a totally different site (on the same server) Mark. On 22 Nov 2006, at 09:56, sal danna wrote: > Read this article for more info on this. > > Malicious Code Injection: It's Not Just For SQL Anymore > http://www.lockergnome.com/nexus/web?cat=57 > > The only real way to defend against all malicious code injection > attacks is to validate every input from every user. While establishing > a list of "bad" input values that should be blocked (a blacklist) may > seem like an appropriate first step, this approach is extremely > limited. A finite list of problems simply gives hackers the > opportunity to discover ways around your list. There is simply no way > to make sure that you are covering every possibility with your > blacklist, so you are still leaving the application vulnerable to > malicious code injections. > > The correct way to validate input is to start instead with a whitelist > - a list of allowable options. For example, a whitelist may allow > usernames that fit within specific parameters - only eight characters > long with no punctuation or symbols, and so on. This can reduce the > surface area of a malicious code injection attack by specifying the > proper format for the input into the field. The application can then > reject input that does not fit the established format. This approach > (unlike a blacklist) can prevent not only known, current attacks but > also unknown, future attacks. > > To be completely thorough, a developer should set up both white- and > blacklists in order to cover all bases. In this way, the whitelist can > be used to block the majority of attacks, while the blacklist can > cover specific edge cases not handled by the whitelist. To protect > against SQL injection, a whitelist could allow only alphanumeric > input, while a "backup" blacklist could specifically disallow common > SQL verbs like SELECT and UPDATE. > > Sal D'Anna > > On 11/21/06, Mark Derrick > wrote: >> Doing some more research on this, I've tracked down the request >> that sent this >> data to my site. >> It was POSTed directly to my search results page using expected >> variables - >> full details shown below. >> It sent it's SPAM message in the Cart field, and then sent >> "a5042%40popxpress.com" as the value for the remainder of the >> fields that >> should have been present - although several were actually missing. >> >> The effect of this was that the SPAM content of this request then >> appeared to >> have been cached by WebDNA and was displayed several times in >> place of an >> [Include] file - throwing this up on pages displayed to customers >> on a totally >> different WebDNA site running on the same server - this continued >> until the >> server was restarted. >> >> Two questions >> (1) How can I block this happening witgh a Mod Rewrite? >> (2) Why is WebDNA caching this data? >> >> I understand that they're hoping my server will send this message >> out when it >> processes the request, but I'm confused to the reasons for >> replacing the rest >> of the variable values with "a5042%40popxpress.com", what is this >> supposed to >> achieve? >> >> http://www.popxpress.com/ >> /result.tpl >> cart=biotics%0D%0AContent-Type%3A+multipart%2Falternative%3B+%0A+++ >> +++++++++++boundary%3Dc286c15078fef19919450df6f8510b92%0AX-Mailer% >> 3A+GoldMine+%5B5.50.10111%5D%0ASubject%3A+can+be%0Acc%3A >> +homejspoljar%40aol.com%0Acc%3A+ca23comerww%40aol.com%0Acc%3A >> +lostsurfer4life%40aol.com%0Acc%3A+fkuntz7575%40aol.com%0Acc%3A >> +doggybone174%40aol.com%0Acc%3A+sweetjlf%40aol.com%0Acc%3A+ringoent >> %40aol.com%0Acc%3A+snowmeow98%40aol.com%0Acc%3A+topcopl2%40aol.com% >> 0Acc%3A+dcpsychomunky%40aol.com%0Acc%3A+felix1484860273%40aol.com% >> 0A%0A--c286c15078fef19919450df6f8510b92%0AContent-Transfer-Encoding >> %3A+7bit%0AContent-Type%3A+text%2Fplain%0A%0Anot+come+from+surface >> +contact.+n+fact%0A%0A--c286c15078fef19919450df6f8510b92%0AContent- >> Transfer-Encoding%3A+8bit%0AContent-Type%3A+text%2Fplain%0A%0Aa >> +gammon+joint.+ashers+of+bacon+are+a+main+constituent+of+the >> +traditional+%0Arish+breakfast%2C+along+with+sausages.+lthough >> +ritain+has+a+large+pork+and+%0Abacon+industry%2C+much+of+the+bacon >> +consumed+in+ritain+is+produced+in+enmark%2C+%0Aand+marketed+as >> +anish+bacon+%28the+word+anish+is+stamped+on%0A%0A-- >> c286c15078fef19919450df6f8510b92--%0A.%0A&startat=a5042% >> 40popxpress.com&max=a5042%40popxpress.com&Submit=a5042% >> 40popxpress.com&wagroup1data=a5042%40popxpress.com&link=a5042% >> 40popxpress.com&SortOrder=a5042%40popxpress.com&listing=a5042% >> 40popxpress.com&allreqd=a5042%40popxpress.com&group1field=a5042% >> 40popxpress.com REFERER=http%3A//www.popxpress.com/ >> &HOST=www.popxpress.com&CONTENT-TYPE=application/x-www-form- >> urlencoded&CONNECTION=Keep-Alive&CONTENT- >> LENGTH=1394&CONNECTION=close& >> >> >> On Tue, 21 Nov 2006 10:18:26 +0000 >> Mark Derrick wrote: >> > I seem to be having a very similar problem, but with a slight twist >> > >> > Last night, the following text was served in the place of an >> included txt >> >file. >> > >> > : sweetjlf@aol.comcc: ringoent@aol.comcc: snowmeow98@aol.comcc: >> > topcopl2@aol.comcc: dcpsychomunky@aol.comcc: >> felix1484860273@aol.com-- >> >c286c15078fef19919450df6f8510b92Content-Transfer-Encoding: >> 7bitContent-Type: >> >text/plainnot come from surface contact. n fact-- >> >c286c15078fef19919450df6f8510b92Content-Transfer-Encoding: >> 8bitContent-Type: >> >text/plaina gammon joint. ashers of bacon are a main constituent >> of the >> >traditional rish breakfast, along with sausages. lthough ritain >> has a large >> >pork and bacon industry, much of the bacon consumed in ritain is >> produced in >> >enmark, and marketed as anish bacon (the word anish is stamped on-- >> >c286c15078fef19919450df6f8510b92--. >> > >> > The rest of the page was fine, but where [INCLUDE file=^includes/ >> >sample.txt] was supposed to go, this text appeared instead. >> > >> > The text file which should have been included has not changed at >> all, and >> >is now appearing correctly. >> > Because of this, I cannot see any reason why the above text was >> displayed. >> > >> > It's obviously someone trying to send Spam through our server - >> but why it >> >has appeared within a page is seriously worrying me. >> > Is WebDNA caching this data and somehow then using it when >> calling an >> > [include] to build a page? >> > >> > Generally people can try to send spam through my server all >> they want, >> >because I know the server is well protected against such >> behaviour - but >> >after seeing text like this appearing within my pages, I'm now >> starting to >> >seriously worry about WebDNA's security. >> > >> > >> > Thanks for any help you can offer. >> > >> > Mark. >> > >> > ------------------------------------------------------------- >> > This message is sent to you because you are subscribed to >> > the mailing list . >> > To unsubscribe, E-mail to: >> > To switch to the DIGEST mode, E-mail to >> > >> > Web Archive of this list is at: http://webdna.smithmicro.com/ >> >> >> ------------------------------------------------------------- >> This message is sent to you because you are subscribed to >> the mailing list . >> To unsubscribe, E-mail to: >> To switch to the DIGEST mode, E-mail to > digest@talk.smithmicro.com> >> Web Archive of this list is at: http://webdna.smithmicro.com/ >> > > ------------------------------------------------------------- > This message is sent to you because you are subscribed to > the mailing list . > To unsubscribe, E-mail to: > To switch to the DIGEST mode, E-mail to digest@talk.smithmicro.com> > Web Archive of this list is at: http://webdna.smithmicro.com/ ------------------------------------------------------------- This message is sent to you because you are subscribed to the mailing list . To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to Web Archive of this list is at: http://webdna.smithmicro.com/ Associated Messages, from the most recent to the oldest:

    
  1. Re: SPAM attempts through WebDNA (Was Serious WebDNA Issue) ( Mark Derrick 2006)
  2. Re: SPAM attempts through WebDNA (Was Serious WebDNA Issue) ( "sal danna" 2006)
  3. SPAM attempts through WebDNA (Was Serious WebDNA Issue) ( "Mark Derrick" 2006)
Thanks for this, I'll take a look at putting together a white list solution. Still very curious why this injected code appeared seemingly randomly in a WebDNA page on a totally different site (on the same server) Mark. On 22 Nov 2006, at 09:56, sal danna wrote: > Read this article for more info on this. > > Malicious Code Injection: It's Not Just For SQL Anymore > http://www.lockergnome.com/nexus/web?cat=57 > > The only real way to defend against all malicious code injection > attacks is to validate every input from every user. While establishing > a list of "bad" input values that should be blocked (a blacklist) may > seem like an appropriate first step, this approach is extremely > limited. A finite list of problems simply gives hackers the > opportunity to discover ways around your list. There is simply no way > to make sure that you are covering every possibility with your > blacklist, so you are still leaving the application vulnerable to > malicious code injections. > > The correct way to validate input is to start instead with a whitelist > - a list of allowable options. For example, a whitelist may allow > usernames that fit within specific parameters - only eight characters > long with no punctuation or symbols, and so on. This can reduce the > surface area of a malicious code injection attack by specifying the > proper format for the input into the field. The application can then > reject input that does not fit the established format. This approach > (unlike a blacklist) can prevent not only known, current attacks but > also unknown, future attacks. > > To be completely thorough, a developer should set up both white- and > blacklists in order to cover all bases. In this way, the whitelist can > be used to block the majority of attacks, while the blacklist can > cover specific edge cases not handled by the whitelist. To protect > against SQL injection, a whitelist could allow only alphanumeric > input, while a "backup" blacklist could specifically disallow common > SQL verbs like SELECT and UPDATE. > > Sal D'Anna > > On 11/21/06, Mark Derrick > wrote: >> Doing some more research on this, I've tracked down the request >> that sent this >> data to my site. >> It was POSTed directly to my search results page using expected >> variables - >> full details shown below. >> It sent it's SPAM message in the Cart field, and then sent >> "a5042%40popxpress.com" as the value for the remainder of the >> fields that >> should have been present - although several were actually missing. >> >> The effect of this was that the SPAM content of this request then >> appeared to >> have been cached by WebDNA and was displayed several times in >> place of an >> [include] file - throwing this up on pages displayed to customers >> on a totally >> different WebDNA site running on the same server - this continued >> until the >> server was restarted. >> >> Two questions >> (1) How can I block this happening witgh a Mod Rewrite? >> (2) Why is WebDNA caching this data? >> >> I understand that they're hoping my server will send this message >> out when it >> processes the request, but I'm confused to the reasons for >> replacing the rest >> of the variable values with "a5042%40popxpress.com", what is this >> supposed to >> achieve? >> >> http://www.popxpress.com/ >> /result.tpl >> cart=biotics%0D%0AContent-Type%3A+multipart%2Falternative%3B+%0A+++ >> +++++++++++boundary%3Dc286c15078fef19919450df6f8510b92%0AX-Mailer% >> 3A+GoldMine+%5B5.50.10111%5D%0ASubject%3A+can+be%0Acc%3A >> +homejspoljar%40aol.com%0Acc%3A+ca23comerww%40aol.com%0Acc%3A >> +lostsurfer4life%40aol.com%0Acc%3A+fkuntz7575%40aol.com%0Acc%3A >> +doggybone174%40aol.com%0Acc%3A+sweetjlf%40aol.com%0Acc%3A+ringoent >> %40aol.com%0Acc%3A+snowmeow98%40aol.com%0Acc%3A+topcopl2%40aol.com% >> 0Acc%3A+dcpsychomunky%40aol.com%0Acc%3A+felix1484860273%40aol.com% >> 0A%0A--c286c15078fef19919450df6f8510b92%0AContent-Transfer-Encoding >> %3A+7bit%0AContent-Type%3A+text%2Fplain%0A%0Anot+come+from+surface >> +contact.+n+fact%0A%0A--c286c15078fef19919450df6f8510b92%0AContent- >> Transfer-Encoding%3A+8bit%0AContent-Type%3A+text%2Fplain%0A%0Aa >> +gammon+joint.+ashers+of+bacon+are+a+main+constituent+of+the >> +traditional+%0Arish+breakfast%2C+along+with+sausages.+lthough >> +ritain+has+a+large+pork+and+%0Abacon+industry%2C+much+of+the+bacon >> +consumed+in+ritain+is+produced+in+enmark%2C+%0Aand+marketed+as >> +anish+bacon+%28the+word+anish+is+stamped+on%0A%0A-- >> c286c15078fef19919450df6f8510b92--%0A.%0A&startat=a5042% >> 40popxpress.com&max=a5042%40popxpress.com&Submit=a5042% >> 40popxpress.com&wagroup1data=a5042%40popxpress.com&link=a5042% >> 40popxpress.com&SortOrder=a5042%40popxpress.com&listing=a5042% >> 40popxpress.com&allreqd=a5042%40popxpress.com&group1field=a5042% >> 40popxpress.com REFERER=http%3A//www.popxpress.com/ >> &HOST=www.popxpress.com&CONTENT-TYPE=application/x-www-form- >> urlencoded&CONNECTION=Keep-Alive&CONTENT- >> LENGTH=1394&CONNECTION=close& >> >> >> On Tue, 21 Nov 2006 10:18:26 +0000 >> Mark Derrick wrote: >> > I seem to be having a very similar problem, but with a slight twist >> > >> > Last night, the following text was served in the place of an >> included txt >> >file. >> > >> > : sweetjlf@aol.comcc: ringoent@aol.comcc: snowmeow98@aol.comcc: >> > topcopl2@aol.comcc: dcpsychomunky@aol.comcc: >> felix1484860273@aol.com-- >> >c286c15078fef19919450df6f8510b92Content-Transfer-Encoding: >> 7bitContent-Type: >> >text/plainnot come from surface contact. n fact-- >> >c286c15078fef19919450df6f8510b92Content-Transfer-Encoding: >> 8bitContent-Type: >> >text/plaina gammon joint. ashers of bacon are a main constituent >> of the >> >traditional rish breakfast, along with sausages. lthough ritain >> has a large >> >pork and bacon industry, much of the bacon consumed in ritain is >> produced in >> >enmark, and marketed as anish bacon (the word anish is stamped on-- >> >c286c15078fef19919450df6f8510b92--. >> > >> > The rest of the page was fine, but where [INCLUDE file=^includes/ >> >sample.txt] was supposed to go, this text appeared instead. >> > >> > The text file which should have been included has not changed at >> all, and >> >is now appearing correctly. >> > Because of this, I cannot see any reason why the above text was >> displayed. >> > >> > It's obviously someone trying to send Spam through our server - >> but why it >> >has appeared within a page is seriously worrying me. >> > Is WebDNA caching this data and somehow then using it when >> calling an >> > [include] to build a page? >> > >> > Generally people can try to send spam through my server all >> they want, >> >because I know the server is well protected against such >> behaviour - but >> >after seeing text like this appearing within my pages, I'm now >> starting to >> >seriously worry about WebDNA's security. >> > >> > >> > Thanks for any help you can offer. >> > >> > Mark. >> > >> > ------------------------------------------------------------- >> > This message is sent to you because you are subscribed to >> > the mailing list . >> > To unsubscribe, E-mail to: >> > To switch to the DIGEST mode, E-mail to >> > >> > Web Archive of this list is at: http://webdna.smithmicro.com/ >> >> >> ------------------------------------------------------------- >> This message is sent to you because you are subscribed to >> the mailing list . >> To unsubscribe, E-mail to: >> To switch to the DIGEST mode, E-mail to > digest@talk.smithmicro.com> >> Web Archive of this list is at: http://webdna.smithmicro.com/ >> > > ------------------------------------------------------------- > This message is sent to you because you are subscribed to > the mailing list . > To unsubscribe, E-mail to: > To switch to the DIGEST mode, E-mail to digest@talk.smithmicro.com> > Web Archive of this list is at: http://webdna.smithmicro.com/ ------------------------------------------------------------- This message is sent to you because you are subscribed to the mailing list . To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to Web Archive of this list is at: http://webdna.smithmicro.com/ Mark Derrick

DOWNLOAD WEBDNA NOW!

Top Articles:

Talk List

The WebDNA community talk-list is the best place to get some help: several hundred extremely proficient programmers with an excellent knowledge of WebDNA and an excellent spirit will deliver all the tips and tricks you can imagine...

Related Readings:

unable to launch acgi in WebCat (1997) Problems when user hit back (2000) possible, WebCat2.0 and checkboxes-restated (1997) File Upload (1997) writefile and texte (1997) I'm new be kind (1997) ADDEMDUM: Which beta for w* 4.1 and a problem w/b12 (1999) Frames and WebCat (1997) 2.0 Info (1997) (1998) [OT] Indexing of dynamic web sites (2003) [WebDNA] generic Ajax question: storing a variable site-wide (2009) Bug Report, maybe (1997) form population (1998) HELP WITH DATES (1997) [WebDNA] [BULK] which of these tags exist in 7.0 (2011) WebTen? (1997) Date stamp and purging (1998) shipping calcs (1998) maximu values for sendmail! (1997)