When I worked for an ISP in the mid 00s, the lack of security of those scripts was an absolute nightmare. It was a routine task to have to go clean up the mess they made, everything from simple "Being used to relay spam" on up.
We simply banned them.
If I recall correctly, they were explicitly mentioned in our T&Cs, and we had a filter on our FTP server which would quarantine them and email an explanation to the uploader.
For FormMail, we automatically substituted the London.pm nms drop-in compatible version (mentioned in the article). For the others, we provided a link to the nms versions and had our support team reach out and offer assistance with converting their site to use them.
It saved us endless trouble - the MSA FormMail was responsible for so much spam in the 2000 - 2002 period.
About once a week: "Why is our outbound bandwidth saturated? Oh, look! A new FormMail exploit!"
I think my all-time favorite was an SMTP injection. I don't remember the exact details, but it was pretty close to this:
* The script accepted a form POST and decoded it.
* It opened a pipe to sendmail.
* It wrote the expected SMTP headers to sendmail's stdin.
* Then it wrote the decoded POST body as-is into sendmail's stdin.
Thing is, that method used in-band signaling. This is the part I forget exactly, but you could send in the POST body:
That period on a line of its own, followed by two newlines, told sendmail "this message is done. Now listen for the next command." Then it sent the new SMTP headers with whatever damage the attacker wanted to do, and sendmail would obediently process it as though that were the original message. We learned that one the fun way.
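The pattern described in that comment, as an added example that is not part of the original thread or of any FormMail release: the vulnerable way of assembling sendmail's stdin (headers interpolated from form fields, then the decoded POST body appended verbatim) beside a hardened version that rejects CR/LF in header-derived fields, fixes the recipient server-side, lets `email.message.EmailMessage` serialise the headers, and starts sendmail with `-i` so that a lone `.` line in the body cannot end the message early. Sendmail is never actually run here; both builders return the argv and stdin text they would hand to it. The sendmail path, the fixed recipient address and the two sample submissions are assumptions constructed for the example.

```python
import re
import subprocess
from email.message import EmailMessage
from email.policy import SMTP

SENDMAIL = "/usr/sbin/sendmail"                # assumed path
FIXED_RECIPIENT = "webmaster@example.invalid"  # constructed; set server-side, never from the form

# Constructed sample submission: a normal subject, and a body that carries a
# lone '.' line followed by a second set of headers, as the comment describes.
SAMPLE_FORM = {
    "recipient": "sales@example.invalid",
    "email": "visitor@example.invalid",
    "subject": "Question about pricing",
    "body": "Hello,\n.\n\nTo: someone-else@example.invalid\n\nsecond message",
}

# Second constructed sample: CR/LF smuggled into a header-derived field.
CRLF_FORM = dict(SAMPLE_FORM, subject="Hi\r\nBcc: list@example.invalid")

_CTRL = re.compile(r"[\r\n\x00]")


def vulnerable_message(form):
    """The pattern from the comment: headers interpolated straight from form
    fields, then the decoded POST body appended verbatim. Returns (argv, stdin)
    instead of running sendmail."""
    stdin = (
        f"To: {form['recipient']}\n"
        f"From: {form['email']}\n"
        f"Subject: {form['subject']}\n"
        "\n"
        f"{form['body']}\n"
    )
    return [SENDMAIL, "-t"], stdin


def lone_dot_lines(text):
    """Indexes of lines that are exactly '.', the in-band end-of-input marker
    sendmail honours on stdin unless it is started with -i."""
    return [i for i, line in enumerate(text.splitlines()) if line == "."]


def has_header_injection(value):
    """True if a value destined for a header carries CR, LF or NUL."""
    return bool(_CTRL.search(value))


def hardened_message(form):
    """Reject control characters in header-derived fields, ignore the
    form-supplied recipient, let EmailMessage serialise the headers, and start
    sendmail with -i so a '.' line in the body cannot end the message early."""
    for field in ("email", "subject"):
        if has_header_injection(form.get(field, "")):
            raise ValueError(f"control characters in form field {field!r}")
    msg = EmailMessage(policy=SMTP)
    msg["To"] = FIXED_RECIPIENT
    msg["From"] = FIXED_RECIPIENT
    msg["Reply-To"] = form["email"]
    msg["Subject"] = form["subject"]
    msg.set_content(form["body"])   # body stays body; never parsed as headers
    return [SENDMAIL, "-i", "-t"], msg.as_string()


def is_safe_submission(form):
    """True if hardened_message would accept the form as submitted."""
    try:
        hardened_message(form)
        return True
    except ValueError:
        return False


def send(argv, stdin_text):
    """Hand a built message to sendmail (not called by the demo below)."""
    subprocess.run(argv, input=stdin_text.encode("utf-8"), check=True)


if __name__ == "__main__":
    argv, raw = vulnerable_message(SAMPLE_FORM)
    print("vulnerable: lone-dot lines at", lone_dot_lines(raw), "argv", argv)
    argv, safe = hardened_message(SAMPLE_FORM)
    print("hardened:   lone-dot lines at", lone_dot_lines(safe), "argv", argv)
    print("hardened accepts CRLF subject:", is_safe_submission(CRLF_FORM))
```

The lone `.` survives in the hardened output too, which is the point: the body is not rewritten, the `-i` flag (sendmail's documented "ignore dots alone on lines" option) stops the marker from being interpreted. The CR/LF check covers the other classic FormMail abuse, a header value that grows extra `Bcc:` lines, which `EmailMessage` would otherwise also refuse, but an explicit check fails with a clear message before anything is built.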