Re: SPAM attempts through WebDNA (Was Serious WebDNA Issue)

This WebDNA talk-list message is from

2006

It keeps the original formatting. numero = 68179
interpreted = N
texte = Read this article for more info on this.Malicious Code Injection: It's Not Just For SQL Anymorehttp://www.lockergnome.com/nexus/web?cat=3D57The only real way to defend against all malicious code injectionattacks is to validate every input from every user. While establishinga list of "bad" input values that should be blocked (a blacklist) mayseem like an appropriate first step, this approach is extremelylimited. A finite list of problems simply gives hackers theopportunity to discover ways around your list. There is simply no wayto make sure that you are covering every possibility with yourblacklist, so you are still leaving the application vulnerable tomalicious code injections.The correct way to validate input is to start instead with a whitelist- a list of allowable options. For example, a whitelist may allowusernames that fit within specific parameters - only eight characterslong with no punctuation or symbols, and so on. This can reduce thesurface area of a malicious code injection attack by specifying theproper format for the input into the field. The application can thenreject input that does not fit the established format. This approach(unlike a blacklist) can prevent not only known, current attacks butalso unknown, future attacks.To be completely thorough, a developer should set up both white- andblacklists in order to cover all bases. In this way, the whitelist canbe used to block the majority of attacks, while the blacklist cancover specific edge cases not handled by the whitelist. To protectagainst SQL injection, a whitelist could allow only alphanumericinput, while a "backup" blacklist could specifically disallow commonSQL verbs like SELECT and UPDATE.Sal D'AnnaOn 11/21/06, Mark Derrick wrote:> Doing some more research on this, I've tracked down the request that sent= this> data to my site.> It was POSTed directly to my search results page using expected variables= -> full details shown below.> It sent it's SPAM message in the Cart field, and then sent> "a5042%40popxpress.com" as the value for the remainder of the fields that> should have been present - although several were actually missing.>> The effect of this was that the SPAM content of this request then appeare=d to> have been cached by WebDNA and was displayed several times in place of an> [Include] file - throwing this up on pages displayed to customers on a to=tally> different WebDNA site running on the same server - this continued until t=he> server was restarted.>> Two questions> (1) How can I block this happening witgh a Mod Rewrite?> (2) Why is WebDNA caching this data?>> I understand that they're hoping my server will send this message out whe=n it> processes the request, but I'm confused to the reasons for replacing the =rest> of the variable values with "a5042%40popxpress.com", what is this suppose=d to> achieve?>> http://www.popxpress.com/> /result.tpl> cart=3Dbiotics%0D%0AContent-Type%3A+multipart%2Falternative%3B+%0A+++++++=+++++++boundary%3Dc286c15078fef19919450df6f8510b92%0AX-Mailer%3A+GoldMine+%=5B5.50.10111%5D%0ASubject%3A+can+be%0Acc%3A+homejspoljar%40aol.com%0Acc%3A+=ca23comerww%40aol.com%0Acc%3A+lostsurfer4life%40aol.com%0Acc%3A+fkuntz7575%=40aol.com%0Acc%3A+doggybone174%40aol.com%0Acc%3A+sweetjlf%40aol.com%0Acc%3A=+ringoent%40aol.com%0Acc%3A+snowmeow98%40aol.com%0Acc%3A+topcopl2%40aol.com=%0Acc%3A+dcpsychomunky%40aol.com%0Acc%3A+felix1484860273%40aol.com%0A%0A--c=286c15078fef19919450df6f8510b92%0AContent-Transfer-Encoding%3A+7bit%0AConte=nt-Type%3A+text%2Fplain%0A%0Anot+come+from+surface+contact.+n+fact%0A%0A--c=286c15078fef19919450df6f8510b92%0AContent-Transfer-Encoding%3A+8bit%0AConte=nt-Type%3A+text%2Fplain%0A%0Aa+gammon+joint.+ashers+of+bacon+are+a+main+con=stituent+of+the+traditional+%0Arish+breakfast%2C+along+with+sausages.+lthou=gh+ritain+has+a+large+pork+and+%0Abacon+industry%2C+much+of+the+bacon+consu=med+in+ritain+is+produced+in+enmark%2C+%0Aand+marketed+as+anish+bacon+%28th=e+word+anish+is+stamped+on%0A%0A--c286c15078fef19919450df6f8510b92--%0A.%0A=&startat=3Da5042%40popxpress.com&max=3Da5042%40popxpress.com&Submit=3Da5042=%40popxpress.com&wagroup1data=3Da5042%40popxpress.com&link=3Da5042%40popxpr=ess.com&SortOrder=3Da5042%40popxpress.com&listing=3Da5042%40popxpress.com&a=llreqd=3Da5042%40popxpress.com&group1field=3Da5042%40popxpress.com = REFERER=3Dhttp%3A//www.popxpress.com/&HOST=3Dwww.popxpress.com&CONTENT=-TYPE=3Dapplication/x-www-form-urlencoded&CONNECTION=3DKeep-Alive&CONTENT-L=ENGTH=3D1394&CONNECTION=3Dclose&>>> On Tue, 21 Nov 2006 10:18:26 +0000> Mark Derrick wrote:> > I seem to be having a very similar problem, but with a slight twist> >> > Last night, the following text was served in the place of an included =txt> >file.> >> > : sweetjlf@aol.comcc: ringoent@aol.comcc: snowmeow98@aol.comcc:> > topcopl2@aol.comcc: dcpsychomunky@aol.comcc: felix1484860273@aol.com--> >c286c15078fef19919450df6f8510b92Content-Transfer-Encoding: 7bitContent-=Type:> >text/plainnot come from surface contact. n fact--> >c286c15078fef19919450df6f8510b92Content-Transfer-Encoding: 8bitContent-=Type:> >text/plaina gammon joint. ashers of bacon are a main constituent of the> >traditional rish breakfast, along with sausages. lthough ritain has a l=arge> >pork and bacon industry, much of the bacon consumed in ritain is produc=ed in> >enmark, and marketed as anish bacon (the word anish is stamped on--> >c286c15078fef19919450df6f8510b92--.> >> > The rest of the page was fine, but where [INCLUDE file=3D^includes/> >sample.txt] was supposed to go, this text appeared instead.> >> > The text file which should have been included has not changed at all, =and> >is now appearing correctly.> > Because of this, I cannot see any reason why the above text was displa=yed.> >> > It's obviously someone trying to send Spam through our server - but wh=y it> >has appeared within a page is seriously worrying me.> > Is WebDNA caching this data and somehow then using it when calling an> > [include] to build a page?> >> > Generally people can try to send spam through my server all they want,> >because I know the server is well protected against such behaviour - bu=t> >after seeing text like this appearing within my pages, I'm now starting= to> >seriously worry about WebDNA's security.> >> >> > Thanks for any help you can offer.> >> > Mark.> >> > -------------------------------------------------------------> > This message is sent to you because you are subscribed to> > the mailing list .> > To unsubscribe, E-mail to: > > To switch to the DIGEST mode, E-mail to> >> > Web Archive of this list is at: http://webdna.smithmicro.com/>>> -------------------------------------------------------------> This message is sent to you because you are subscribed to> the mailing list .> To unsubscribe, E-mail to: > To switch to the DIGEST mode, E-mail to > Web Archive of this list is at: http://webdna.smithmicro.com/>-------------------------------------------------------------This message is sent to you because you are subscribed to the mailing list .To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to Web Archive of this list is at: http://webdna.smithmicro.com/ Associated Messages, from the most recent to the oldest:

Re: SPAM attempts through WebDNA (Was Serious WebDNA Issue) ( Mark Derrick 2006)
Re: SPAM attempts through WebDNA (Was Serious WebDNA Issue) ( "sal danna" 2006)
SPAM attempts through WebDNA (Was Serious WebDNA Issue) ( "Mark Derrick" 2006)

Read this article for more info on this.Malicious Code Injection: It's Not Just For SQL Anymorehttp://www.lockergnome.com/nexus/web?cat=3D57The only real way to defend against all malicious code injectionattacks is to validate every input from every user. While establishinga list of "bad" input values that should be blocked (a blacklist) mayseem like an appropriate first step, this approach is extremelylimited. A finite list of problems simply gives hackers theopportunity to discover ways around your list. There is simply no wayto make sure that you are covering every possibility with yourblacklist, so you are still leaving the application vulnerable tomalicious code injections.The correct way to validate input is to start instead with a whitelist- a list of allowable options. For example, a whitelist may allowusernames that fit within specific parameters - only eight characterslong with no punctuation or symbols, and so on. This can reduce thesurface area of a malicious code injection attack by specifying theproper format for the input into the field. The application can thenreject input that does not fit the established format. This approach(unlike a blacklist) can prevent not only known, current attacks butalso unknown, future attacks.To be completely thorough, a developer should set up both white- andblacklists in order to cover all bases. In this way, the whitelist canbe used to block the majority of attacks, while the blacklist cancover specific edge cases not handled by the whitelist. To protectagainst SQL injection, a whitelist could allow only alphanumericinput, while a "backup" blacklist could specifically disallow commonSQL verbs like SELECT and UPDATE.Sal D'AnnaOn 11/21/06, Mark Derrick wrote:> Doing some more research on this, I've tracked down the request that sent= this> data to my site.> It was POSTed directly to my search results page using expected variables= -> full details shown below.> It sent it's SPAM message in the Cart field, and then sent> "a5042%40popxpress.com" as the value for the remainder of the fields that> should have been present - although several were actually missing.>> The effect of this was that the SPAM content of this request then appeare=d to> have been cached by WebDNA and was displayed several times in place of an> [include] file - throwing this up on pages displayed to customers on a to=tally> different WebDNA site running on the same server - this continued until t=he> server was restarted.>> Two questions> (1) How can I block this happening witgh a Mod Rewrite?> (2) Why is WebDNA caching this data?>> I understand that they're hoping my server will send this message out whe=n it> processes the request, but I'm confused to the reasons for replacing the =rest> of the variable values with "a5042%40popxpress.com", what is this suppose=d to> achieve?>> http://www.popxpress.com/> /result.tpl> cart=3Dbiotics%0D%0AContent-Type%3A+multipart%2Falternative%3B+%0A+++++++=+++++++boundary%3Dc286c15078fef19919450df6f8510b92%0AX-Mailer%3A+GoldMine+%=5B5.50.10111%5D%0ASubject%3A+can+be%0Acc%3A+homejspoljar%40aol.com%0Acc%3A+=ca23comerww%40aol.com%0Acc%3A+lostsurfer4life%40aol.com%0Acc%3A+fkuntz7575%=40aol.com%0Acc%3A+doggybone174%40aol.com%0Acc%3A+sweetjlf%40aol.com%0Acc%3A=+ringoent%40aol.com%0Acc%3A+snowmeow98%40aol.com%0Acc%3A+topcopl2%40aol.com=%0Acc%3A+dcpsychomunky%40aol.com%0Acc%3A+felix1484860273%40aol.com%0A%0A--c=286c15078fef19919450df6f8510b92%0AContent-Transfer-Encoding%3A+7bit%0AConte=nt-Type%3A+text%2Fplain%0A%0Anot+come+from+surface+contact.+n+fact%0A%0A--c=286c15078fef19919450df6f8510b92%0AContent-Transfer-Encoding%3A+8bit%0AConte=nt-Type%3A+text%2Fplain%0A%0Aa+gammon+joint.+ashers+of+bacon+are+a+main+con=stituent+of+the+traditional+%0Arish+breakfast%2C+along+with+sausages.+lthou=gh+ritain+has+a+large+pork+and+%0Abacon+industry%2C+much+of+the+bacon+consu=med+in+ritain+is+produced+in+enmark%2C+%0Aand+marketed+as+anish+bacon+%28th=e+word+anish+is+stamped+on%0A%0A--c286c15078fef19919450df6f8510b92--%0A.%0A=&startat=3Da5042%40popxpress.com&max=3Da5042%40popxpress.com&Submit=3Da5042=%40popxpress.com&wagroup1data=3Da5042%40popxpress.com&link=3Da5042%40popxpr=ess.com&SortOrder=3Da5042%40popxpress.com&listing=3Da5042%40popxpress.com&a=llreqd=3Da5042%40popxpress.com&group1field=3Da5042%40popxpress.com = REFERER=3Dhttp%3A//www.popxpress.com/&HOST=3Dwww.popxpress.com&CONTENT=-TYPE=3Dapplication/x-www-form-urlencoded&CONNECTION=3DKeep-Alive&CONTENT-L=ENGTH=3D1394&CONNECTION=3Dclose&>>> On Tue, 21 Nov 2006 10:18:26 +0000> Mark Derrick wrote:> > I seem to be having a very similar problem, but with a slight twist> >> > Last night, the following text was served in the place of an included =txt> >file.> >> > : sweetjlf@aol.comcc: ringoent@aol.comcc: snowmeow98@aol.comcc:> > topcopl2@aol.comcc: dcpsychomunky@aol.comcc: felix1484860273@aol.com--> >c286c15078fef19919450df6f8510b92Content-Transfer-Encoding: 7bitContent-=Type:> >text/plainnot come from surface contact. n fact--> >c286c15078fef19919450df6f8510b92Content-Transfer-Encoding: 8bitContent-=Type:> >text/plaina gammon joint. ashers of bacon are a main constituent of the> >traditional rish breakfast, along with sausages. lthough ritain has a l=arge> >pork and bacon industry, much of the bacon consumed in ritain is produc=ed in> >enmark, and marketed as anish bacon (the word anish is stamped on--> >c286c15078fef19919450df6f8510b92--.> >> > The rest of the page was fine, but where [INCLUDE file=3D^includes/> >sample.txt] was supposed to go, this text appeared instead.> >> > The text file which should have been included has not changed at all, =and> >is now appearing correctly.> > Because of this, I cannot see any reason why the above text was displa=yed.> >> > It's obviously someone trying to send Spam through our server - but wh=y it> >has appeared within a page is seriously worrying me.> > Is WebDNA caching this data and somehow then using it when calling an> > [include] to build a page?> >> > Generally people can try to send spam through my server all they want,> >because I know the server is well protected against such behaviour - bu=t> >after seeing text like this appearing within my pages, I'm now starting= to> >seriously worry about WebDNA's security.> >> >> > Thanks for any help you can offer.> >> > Mark.> >> > -------------------------------------------------------------> > This message is sent to you because you are subscribed to> > the mailing list .> > To unsubscribe, E-mail to: > > To switch to the DIGEST mode, E-mail to> >> > Web Archive of this list is at: http://webdna.smithmicro.com/>>> -------------------------------------------------------------> This message is sent to you because you are subscribed to> the mailing list .> To unsubscribe, E-mail to: > To switch to the DIGEST mode, E-mail to > Web Archive of this list is at: http://webdna.smithmicro.com/>-------------------------------------------------------------This message is sent to you because you are subscribed to the mailing list .To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to Web Archive of this list is at: http://webdna.smithmicro.com/ "sal danna"

DOWNLOAD WEBDNA NOW!

Re: SPAM attempts through WebDNA (Was Serious WebDNA Issue)

2006

Top Articles:

Related Readings: