[nycphp-talk] worm/virus's hammering feedback scripts?
Michael Southwell
michael.southwell at nyphp.org
Mon Sep 12 12:41:12 EDT 2005
At 12:20 PM 9/12/2005, you wrote:
>Hey Folks:
>
>On Mon, Sep 12, 2005 at 11:16:18AM -0400, Rolan Yang wrote:
>
> > Detection and Solution:
> > The current bot-net probe is known to send its reply to one of several
> > known email addresses on the following list.
>
>A list of addresses is the wrong approach. The email addresses are
>variable and easy to change. More importantly, the content is the issue,
>not the email address.
The point is simply to identify which scripts have sent emails to the
known-bad addresses; those are the vulnerable ones.
> > Vulnerable scripts should be modified to properly filter input fields.
> > Ken Robinson has posted a
> > php example at:
> > http://lists.nyphp.org/pipermail/talk/2005-September/016124.html
>
>That solution is less than perfect. First, it's case sensitive, so misses
>things like "BcC", meaning str_ireplace() would be better. Second, it
>catches things that don't need to be.
There were other problems as well, which I noted in my polished
version. We need an officially sanctioned version of the function
before we can post anything.
>The mere existence of "content-type" or "bcc" in the inputs isn't a
>problem. The danger is having those at the beginning of a line and only
>in fields that get put into the email headers. So, this vulnerability can
>be solved by removing white space characters other than regular spaces
>from any field going into the email headers. Or better yet, only allowing
>letters, numbers, spaces and a few punctuation type characters.
Michael Southwell, Vice President for Education
New York PHP
http://www.nyphp.com/training - In-depth PHP Training Courses
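An added example (not code from this thread or from Ken Robinson's post) showing the two defenses suggested above in PHP: stripping every whitespace character except a plain space from header-bound fields, or allow-listing a small character set, plus a logging check for the actual injection pattern. Function names and the sample probe string are my own constructions.

```php
<?php
// Added example, not code from the thread. Two defenses against mail-header
// injection in a PHP feedback form, following the approaches suggested above.

// Approach 1: remove every whitespace character except a plain space.
// CR/LF are what lets injected text start a new header line, so without
// them a "bcc:" or "content-type:" in the value is just harmless text.
function strip_header_whitespace(string $value): string
{
    return preg_replace('/[^\S ]+/', '', $value);
}

// Approach 2 (stricter): allow only letters, digits, spaces and a few
// punctuation characters, and cap the length.
function allowlist_header_field(string $value, int $max = 100): string
{
    $clean = preg_replace('/[^A-Za-z0-9 .,\'\-]/', '', $value);
    return substr($clean, 0, $max);
}

// Logging check: flag input where a header name follows a line break, which
// is the actual injection pattern (a bare "bcc" inside a sentence is not).
// This identifies which form is being probed without rejecting real mail.
function looks_like_header_injection(string $value): bool
{
    return (bool) preg_match(
        '/[\r\n](bcc|cc|to|from|content-type|mime-version)\s*:/i',
        $value
    );
}

// Build the extra-headers string for mail() from untrusted form fields.
// The address is validated outright; the display name is allow-listed.
function build_headers(string $name, string $email): ?string
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null; // refuse rather than try to "clean" an address
    }
    $name = allowlist_header_field($name, 60);
    return "From: {$name} <{$email}>\r\nReply-To: {$email}\r\n";
}

// Constructed sample of the kind of input the probes described above send.
$probe = "Joe Smith\r\nBcC: victim@example.com\r\nContent-Type: text/html";
if (looks_like_header_injection($probe)) {
    error_log('feedback form probed for header injection');
}
echo strip_header_whitespace($probe), "\n";
echo build_headers($probe, 'joe@example.com');
```

The sanitized name keeps the injected words but, with the line breaks gone, they can no longer become headers; pass the returned string as the fourth argument to mail().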