
The Business Blog at Intuitive.com

Dave Taylor
Dave Taylor has been involved with the online world since 1980 and is recognized globally as an expert on both technical and business issues. He has been published over a thousand times, launched four Internet-related startup companies, has written twenty business and technical books and holds both an MBA and MS Ed. He's a columnist for the Boulder Daily Camera and Linux Journal and frequently appears in other publications both online and in print. Additionally, Dave maintains four weblogs: The Business Blog at Intuitive.com, Ask Dave Taylor, Dave On Film, and GoFatherhood. Based in beautiful Boulder, Colorado, Dave is an award-winning speaker, sought-after conference and workshop participant and frequent guest on radio and podcast programs, as well as an active member of his community and busy single father to three children.

How do Hackers exploit poorly written CGI forms?

Night after night, at about midnight, I have my contact form probed by a hacker. It never works, but he keeps trying. So today my friend Leo Notenboom and I tweaked the code slightly so we could see exactly what he was trying to do, and lo and behold, as of a few minutes ago, here's what we saw...

  Name : voldak1@aol.com\012To: voldak1@aol.com\012From: voldak1@aol.com\012Subject: eyD(B837E426,name)LnMH\012\012jPaTdaIhWzo 8U8nRk nWmknKJwS77GVlB905OqGlQV8WKF2WPpPuQOUGkAZIso2qH jdM  vPa3Uu9chcxV4xMqiGMZkAEyE\012\012.\012\012
  Email: voldak1@aol.com\012To: voldak1@aol.com\012From: voldak1@aol.com\012Subject: ESF(B837E426,email)\012\012clcgzcMbn23vfgKEfTgt7PJVD0mq3E\012\012.\012\012
  Phone: voldak1@aol.com\012To: voldak1@aol.com\012From: voldak1@aol.com\012Subject: aXWkFI(B837E426,phone) Yy\012\012ZFMWlTe0GZfVlymddZpuICrao4Jsbgx1rFT8ro09lWL\012\012.\012\012
An explanation is pretty important: every \012 sequence you see is a line feed (ASCII 10, written in octal). Normal form data doesn't embed line feeds, particularly in values like 'name' and 'email address', but this person - apparently voldak1@aol.com - is including them in an attempt to step outside of the form data and inject his own mail headers into the message the backend CGI script sends. In each of the three fields above, only the first voldak1@aol.com is where a legitimate value would end; everything from the first \012 onward is his injected content.
Can you see the pattern here? If we unwrap this by replacing all the \012 sequences with line feeds, watch what appears for one of the otherwise cryptic values entered:
voldak1@aol.com
To: voldak1@aol.com
From: voldak1@aol.com
Subject: ESF(B837E426,email)

clcgzcMbn23vfgKEfTgt7PJVD0mq3E


What the subject and body values are is a mystery to me. Is it something encrypted, or just junk as part of a test? This, by the way, is the same vulnerability (unfiltered line feeds letting form input add mail headers) that was exploited in the Formmail Vulnerability activity of the last few weeks.

What's also interesting is that there's a fourth field in the form that indicates the subject of the query, and it always has a value, even if it's just the default "(choose a subject)". But the information from this guy has a blank value. What does that tell me? That he's using a program that scraped the form for field names (or guesses common names like 'name', 'email', 'address', etc) and is using his own Web front-end to feed data to my form. So even if I embed secret information or confirmation information in my HTML form, he won't see it.

Whichever it is, if you've got your own CGI scripts, this should be a wake-up call that it is genuinely important to be conscious of security and make sure you've got things locked down as tight as possible.
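As an added example (not code from the post or from the contact form it describes), here is how a form handler can both spot the injected headers in logged values like the ones above and refuse to put such values into a message at all. The log format with \012 escapes is taken from the post; the field and address names in build_message are assumptions.

```python
import re
from email.message import EmailMessage

# Constructed sample: two of the probe values from the post, as the
# tweaked form logged them (line feeds escaped as octal \012).
PROBE_LOG = {
    "email": "voldak1@aol.com\\012To: voldak1@aol.com\\012From: voldak1@aol.com"
             "\\012Subject: ESF(B837E426,email)\\012\\012clcgzcMbn23vfgKEfTgt7PJVD0mq3E"
             "\\012\\012.\\012\\012",
    "subject": "",   # the real form's subject field, left blank by the probe
}

# Header names an attacker would add to redirect or re-address the mail.
HEADER_RE = re.compile(r"^(to|from|cc|bcc|reply-to|subject|content-type):", re.I)


def unescape_octal(value: str) -> str:
    """Turn the \\NNN escapes used in the log back into raw characters."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), value)


def injected_headers(value: str) -> list:
    """Detection: header lines that follow a line break inside ONE form value.

    A legitimate value is a single line, so anything on lines[1:] that looks
    like a mail header is an injection attempt."""
    lines = re.split(r"\r\n|\r|\n", unescape_octal(value))
    return [ln for ln in lines[1:] if HEADER_RE.match(ln)]


def safe_field(value: str, max_len: int = 200) -> str:
    """Mitigation: a header value never needs CR, LF or NUL, so reject them
    outright rather than trying to strip or escape them."""
    if any(ch in value for ch in "\r\n\0"):
        raise ValueError("line break in form field")
    return value[:max_len]


def build_message(name: str, email: str, subject: str, body: str) -> EmailMessage:
    """Assemble the mail with fixed To/From; form input only ever lands in
    validated headers or in the body, never as raw header text."""
    msg = EmailMessage()
    msg["To"] = "webmaster@example.com"        # assumed fixed recipient
    msg["From"] = "contact-form@example.com"   # assumed fixed sender
    msg["Reply-To"] = safe_field(email)
    msg["Subject"] = "Contact form: " + safe_field(subject)
    # Body may hold anything; if it is later piped to sendmail, pass -i so a
    # lone "." line (as in the probe) cannot end the message early.
    msg.set_content(f"Name: {safe_field(name)}\n\n{body}")
    return msg
```

Python's EmailMessage also refuses a header value containing a line break, but the explicit check in safe_field gives the form a clear error to log rather than a traceback.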

Posted by Dave Taylor at November 8, 2003 12:18 AM

Comments

And in a remarkable demonstration of blind persistence, even after I've sent mail to the AOL chap, and even after he's had night after night of zero results, he continues to try and hit my form with exactly the same attack (read that as "form data") every night at around midnight. Always from the same three IP addresses.

Posted by: Dave Taylor on November 14, 2003 9:48 PM