
[WEB SECURITY] Re: Problem about detecting "SMTP command injection", i.e. cr lf chars in web forms

Hi Maxime,

I think that apache + modsecurity could be a good solution against this
kind of attack.
You can set this with <SecFilterScanPOST On> in modsecurity configuration.

Jorge

Maxime Ducharme wrote:
> Hello guys,
> 	I am looking for a solution to detect attacks
> on web forms which allow sending an email.
> 
> Example :
> contactus.asp which contains these fields :
> 
> - From Name
> - From email
> - Subject
> - text
> 
> We noticed that some programs used to send email do
> not properly filter the first 3 fields for carriage-return and
> line-feed chars, which allows someone to add SMTP commands
> in these fields and construct a valid SMTP session which
> this person can control.
> 
> We are currently working at filtering these fields in the applications
> code, but we host many sites we do not manage.
> 
> I am looking for a way to detect these attacks with snort, is
> someone aware of a rule for this kind of attack, or may help me writing one?
> 
> Any other idea/suggestion is also welcome
> 
> Thanks in advance
> 
> Have a nice day
>  
> Maxime Ducharme
> 
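As an added example (not code from either poster), a small Python detector in the spirit of the WAF/IDS check asked about: it decodes a form POST body and flags CR/LF in the header-bearing fields (From name, From email, Subject) while leaving the free-text message field alone, and shows the folding a mailer wrapper should apply before building headers. The parameter names (fromname, fromemail, subject, text) and the two sample bodies are constructed assumptions.

```python
import re
from urllib.parse import parse_qs

# Assumed parameter names for the contact form's header-bearing fields;
# the message body ("text") legitimately contains line breaks and is not checked.
HEADER_FIELDS = {"fromname", "fromemail", "subject"}

# A CR or LF followed by something that looks like the start of a new mail header.
HEADER_AFTER_CRLF_RE = re.compile(
    r"[\r\n]\s*(?:to|cc|bcc|from|subject|content-type|mime-version)\s*:", re.I
)


def inspect_post_body(body: str) -> dict:
    """Return {field_name: reason} for header fields whose value carries CR/LF.

    parse_qs URL-decodes the values, so %0D / %0A (and raw CR/LF) are both seen.
    reason is "crlf" for a bare line break, "crlf+header" when a header label follows it.
    """
    findings = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if name.lower() not in HEADER_FIELDS:
            continue
        for value in values:
            if "\r" in value or "\n" in value:
                findings[name] = (
                    "crlf+header" if HEADER_AFTER_CRLF_RE.search(value) else "crlf"
                )
    return findings


def is_injection_attempt(body: str) -> bool:
    """True when any header-bearing field contains a line break."""
    return bool(inspect_post_body(body))


def sanitize_header_value(value: str) -> str:
    """Fold CR/LF out of a single-line header value before handing it to the mailer."""
    return re.sub(r"[\r\n]+", " ", value).strip()


# Constructed sample POST bodies: a benign submission (line breaks only in the
# message text) and one whose From-email field smuggles an extra header line.
BENIGN_POST = "fromname=Alice&fromemail=alice%40example.com&subject=Hello&text=Line+one%0D%0ALine+two"
INJECTED_POST = "fromname=Alice&fromemail=alice%40example.com%0D%0ABcc%3A+someone%40example.org&subject=Hello&text=hi"

if __name__ == "__main__":
    print("benign:", inspect_post_body(BENIGN_POST))      # {}
    print("injected:", inspect_post_body(INJECTED_POST))  # {'fromemail': 'crlf+header'}
```

A Snort or ModSecurity rule can express the same idea by matching CR/LF (raw or %0D/%0A) inside the named header parameters of the POST body rather than across the whole request, which keeps multi-line message text from triggering it.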

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Brought to you by http://www.webappsec.org