The Community Forums


Security spam hole in cgi-sys/formmail.pl re-write

Discussion in 'Security' started by andyf, Apr 7, 2003.

Thread Status:
Not open for further replies.
  1. andyf

    andyf Well-Known Member

    Joined:
    Jan 7, 2002
    Messages:
    246
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    UK
    We had a number of users complain they had spam from their own domain today, in the form of mail coming from the cPanel formmail.pl.

    It seems someone is sending a carefully crafted request which results in an email being sent to the local domain as intended, but also to a remote domain. The message received by the local user has:

    To: spam%address.com@localdomain.com

    I'd imagine this is a by-product of the spam being sent to the spam@address.com (the % is correct, this is how it arrives). I have checked the mail logs and the spam@address.com mail DID go out.

    So far I've been unable to find out exactly what query they used to fool the cpanel formmail into sending to that address, as it was a POST request, so nothing in the http logs.

    Can this be looked into urgently, we're currently getting a whole load of spam being sent through our machines due to this.

    Thanks.
     
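The "%" in that To: address is the old sendmail-style "percent hack": an MTA that honours it rewrites `spam%address.com@localdomain.com` into `spam@address.com` and relays it, while a form mailer that only looks at the part after the last "@" sees a local address and lets it through. The following is an added example, not code from the original post or from cPanel's formmail rewrite; the domain `localdomain.com` and the sample addresses other than the two quoted in the thread are assumed for illustration.

```python
import re

# Constructed sample addresses. The first two are the shapes quoted in this
# thread; the remaining ones are assumed variants of the same routing trick.
SAMPLES = [
    "spam%address.com@localdomain.com",      # percent hack, as seen in the thread
    "user%yourdomain.com@thisdomain.com",    # percent hack, as seen in the thread
    "webmaster@localdomain.com",             # legitimate local recipient
    "spam@address.com",                      # plain off-site address
    "address.com!spam@localdomain.com",      # UUCP bang path, same idea as '%'
    "spam@address.com@localdomain.com",      # two '@' signs
]

LOCAL_DOMAIN = "localdomain.com"  # assumed: the domain the form mailer is meant to serve


def naive_recipient_ok(addr, local_domain):
    """The check a form mailer typically does: compare whatever follows the
    last '@' with the local domain. This accepts the percent-hack address."""
    domain = addr.rsplit("@", 1)[-1].lower()
    return domain == local_domain.lower()


def hardened_recipient_ok(addr, local_domain):
    """Reject anything an MTA could reroute: more than one '@', source-routing
    characters ('%', '!') or anything else outside a conservative local-part
    alphabet, then require an exact domain match."""
    if addr.count("@") != 1:
        return False
    local, domain = addr.split("@")
    if not re.fullmatch(r"[A-Za-z0-9._+-]+", local):
        return False
    return domain.lower() == local_domain.lower()


def percent_hack_target(addr):
    """Where an MTA applying the percent hack would actually deliver the mail:
    'user%remote.com@local.com' becomes 'user@remote.com'. None if no '%'."""
    local, _, _domain = addr.rpartition("@")
    if "%" not in local:
        return None
    user, _, remote = local.rpartition("%")
    return f"{user}@{remote}"


def audit(addrs, local_domain):
    """(address, passes naive check, passes hardened check, real delivery target)."""
    return [
        (a, naive_recipient_ok(a, local_domain),
         hardened_recipient_ok(a, local_domain), percent_hack_target(a))
        for a in addrs
    ]


if __name__ == "__main__":
    for addr, naive, hard, target in audit(SAMPLES, LOCAL_DOMAIN):
        print(f"{addr:40} naive={naive!s:5} hardened={hard!s:5} delivers_to={target}")
```

Whether the relay actually happens depends on the MTA, not just the CGI: sendmail historically applied the percent hack by default, while Exim only does so for domains listed in its `percent_hack_domains` option. Fixing the form mailer's recipient check is the part you control from the cgi-sys side; checking the MTA setting is the second half of the job.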
  2. kensmith

    kensmith Member

    Joined:
    Dec 13, 2002
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    I had the same thing in my logs today, from several domains, but all to one destination address on aol. Looks like someone testing for the vulnerability.

    If you don't need formmail functionality, you can do what I did.

    cd /usr/local/cpanel/cgi-sys
    chmod 700 formmail.pl
    chmod 700 FormMail.pl
    chmod 700 formmail.cgi
    chmod 700 FormMail.cgi
    chmod 700 FormMail-clone.cgi

    However, this does need the attention of Cpanel support.
    It could get ugly.
     
  3. andyf

    andyf Well-Known Member

    Joined:
    Jan 7, 2002
    Messages:
    246
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    UK
    All to an AOL address here too, must have been the same scanner.

    I've posted a bug the only way I can see is possible now - using the support form on the main website, and am awaiting a reply.

    Nick?
     
  4. SWR

    SWR Member

    Joined:
    Jul 22, 2002
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    USA
    Yep. Same here.

    So I'm subscribing to thread.
     
  5. silvernetuk

    silvernetuk Well-Known Member

    Joined:
    Sep 2, 2002
    Messages:
    311
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    United Kingdom
    Hi,

    Will these chmods stick? I chmod'ed a folder before and it changed back to what it was.

    Regards,
    Garry
     
  6. kensmith

    kensmith Member

    Joined:
    Dec 13, 2002
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    As long as you have the correct permissions on the file you're changing (owner of the file, or root), your chmod should work fine.

    To accomplish these, just ssh in and 'su' to become root.
     
  7. SouthernWeb

    SouthernWeb Member

    Joined:
    Nov 8, 2001
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Birmingham, AL
    Found some entries that should be close to what they are using...

    Code:
    [client 172.136.84.186] request failed: erroneous characters after protocol string: GET /cgi-bin/formmail.pl?email=f2%40aol%2Ecom&subject=www%2Egdp%2Egr%2Fcgi%2Dbin%2Fformmail%2Epl&recipient=cubbie202o%40yahoo%2Ecom&msg=w00t HTTP/1.1Content-Type: application/x-www-form-urlencoded
    
    Code:
    [client 68.118.6.97] request failed: erroneous characters after protocol string: GET /cgi-bin/formmail.pl?email=Skanned%40aol%2Ecom&subject=www%2Egdp%2Egr%2Fcgi%2Dbin%2Fformmail%2Epl&recipient=codecandrev%40yahoo%2Ecom&msg=miSledTM HTTP/1.1Content-Type: application/x-www-form-urlencoded
    
     
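Those two error-log lines are enough to pull the probe parameters back out and see which recipients the scanner was trying to reach. The script below is an added example, not code from the post or from cPanel: it parses the two lines quoted above plus one constructed line (client 10.0.0.9) that carries the "%" trick from this thread, decodes the query string, and flags any recipient that is either off-site or uses MTA routing characters. The local domain `example.com` and the constructed third line are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Sample input: the two Apache error-log lines quoted in the post above, plus
# one constructed line (10.0.0.9) carrying the '%' relay trick from this
# thread, aimed at the assumed local domain example.com.
LOG_LINES = [
    "[client 172.136.84.186] request failed: erroneous characters after protocol string: "
    "GET /cgi-bin/formmail.pl?email=f2%40aol%2Ecom&subject=www%2Egdp%2Egr%2Fcgi%2Dbin%2Fformmail%2Epl"
    "&recipient=cubbie202o%40yahoo%2Ecom&msg=w00t HTTP/1.1Content-Type: application/x-www-form-urlencoded",
    "[client 68.118.6.97] request failed: erroneous characters after protocol string: "
    "GET /cgi-bin/formmail.pl?email=Skanned%40aol%2Ecom&subject=www%2Egdp%2Egr%2Fcgi%2Dbin%2Fformmail%2Epl"
    "&recipient=codecandrev%40yahoo%2Ecom&msg=miSledTM HTTP/1.1Content-Type: application/x-www-form-urlencoded",
    "[client 10.0.0.9] GET /cgi-sys/formmail.pl?recipient=spam%25aol%2Ecom%40example%2Ecom&msg=test HTTP/1.1",
]

LOCAL_DOMAINS = {"example.com"}  # assumed: the domains this server legitimately hosts

# Client address, request method and the request target of any formmail script.
# \S* stops at the space before 'HTTP/1.1', so the glued-on header is ignored.
PROBE_RE = re.compile(
    r"\[client (?P<ip>[0-9a-fA-F.:]+)\].*?\b(?P<method>GET|POST) "
    r"(?P<target>\S*formmail\S*)",
    re.IGNORECASE,
)


def parse_probe(line):
    """Extract client IP, method, script path and decoded query parameters
    from one log line that references a formmail script; None otherwise."""
    m = PROBE_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {"ip": m.group("ip"), "method": m.group("method").upper(),
            "path": parts.path, "params": params}


def classify_recipient(recipient, local_domains):
    """Why a recipient should be refused: 'percent-hack' if the local part
    carries MTA routing characters, 'offsite' if the domain is not ours,
    otherwise None."""
    local, _, domain = recipient.rpartition("@")
    if "%" in local or "!" in local or "@" in local:
        return "percent-hack"
    if domain.lower() not in {d.lower() for d in local_domains}:
        return "offsite"
    return None


def suspicious_probes(lines, local_domains):
    """(ip, recipient, reason) for every probe whose recipient we would refuse."""
    findings = []
    for line in lines:
        rec = parse_probe(line)
        if rec is None or "recipient" not in rec["params"]:
            continue
        reason = classify_recipient(rec["params"]["recipient"], local_domains)
        if reason:
            findings.append((rec["ip"], rec["params"]["recipient"], reason))
    return findings


if __name__ == "__main__":
    for ip, rcpt, why in suspicious_probes(LOG_LINES, LOCAL_DOMAINS):
        print(f"{ip:16} {why:13} {rcpt}")
```

Two things worth noticing in the decoded output: the `subject` field in both real lines is itself a formmail URL (`www.gdp.gr/cgi-bin/formmail.pl`), and the `recipient` values are third-party mailboxes, which is consistent with a scanner that mails itself the address of every script that relays. This only catches probes that land in the error log as malformed GETs; the POST requests the first post mentions leave no query string in the access log, so for those you are back to the mail logs.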
  8. trakwebster

    trakwebster Well-Known Member

    Joined:
    Jan 29, 2003
    Messages:
    145
    Likes Received:
    0
    Trophy Points:
    16
    Oddness ...

    Hi, guys,

    We received one of these -- odd that. We have about 30 house accounts on this server, and only one of them showed this odd email. It reads like this --

    -----------
    That particular domain has a copy of cgiemail installed but not formmail. However, this part is not clear, because that domain *does* have a link to a signup form (under another domainname) that *does* have formmail installed. I don't know what to make of that.

    Here's my question: Other than the fact that the subject and body contains the words 'formmail', how is it known that this email used the formmail program?

    I can see that exim was involved, but don't know how to determine that formmail was in fact involved, or whether these words are just misdirection.
     
  9. andyf

    andyf Well-Known Member

    Joined:
    Jan 7, 2002
    Messages:
    246
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    UK
    That looks like it's an original formmail.pl installed in your client's cgi-bin. The one of concern in the post I made is the cPanel re-write formmail in /cgi-sys/.


     
  10. silvernetuk

    silvernetuk Well-Known Member

    Joined:
    Sep 2, 2002
    Messages:
    311
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    United Kingdom
    Hi,

    Our client sent this to us :O

    Return-path: <USERNAME@server.domain.com>
    Envelope-to: bewgrock%aol.com@CLIENTS-DOMAIN.net
    Delivery-date: Mon, 07 Apr 2003 05:45:46 +0100
    Received: from USERNAME by serv1.silverdns.com with local (Exim 3.36 #1)
    id 192OVu-0005oh-00
    for bewgrock%aol.com@CLIENTS-DOMAIN.net; Mon, 07 Apr 2003 05:45:46 +0100
    To: bewgrock%aol.com@CLIENTS-DOMAIN.net
    From: webmaster@CLIENTS-DOMAIN.net
    Subject: CLIENTS-DOMAIN.net/cgi-sys/formmail.pl
    Message-Id: <E192OVu-0005oh-00@server.domain.com>
    Date: Mon, 07 Apr 2003 05:45:46 +0100

    body: FormMail Test: Test 3 &recipient=user%yourdomain.com@thisdomain.com&


    Their account has no formmail script or any CGI scripts.

    Regards,
    Garry
     
  11. kensmith

    kensmith Member

    Joined:
    Dec 13, 2002
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    I wasn't aware that my server had any version of formmail available either, until this occurred.

    CPanel installs one for all your domains.
    Try this:
    http://www.yourdomain.com/cgi-sys/formmail.pl

    I don't know if this is a recent addition or not.

    As often as I see exploits tried on formmail in my logs, I'm not thrilled to have it in any form or fashion.
     
  12. xsenses

    xsenses Well-Known Member

    Joined:
    Aug 29, 2002
    Messages:
    233
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Huntington Beach, Ca
    I had two, formmail.pl & Formmail.pl, in cgi-sys and just deleted them.
     
  13. web12

    web12 Well-Known Member

    Joined:
    Nov 20, 2002
    Messages:
    240
    Likes Received:
    0
    Trophy Points:
    16
    Yep, we got this reported to us today also.

    Looks like it might be a heads up to some hacker. Subscribing to this thread also...
     
  14. fmalekpour

    fmalekpour Well-Known Member
    PartnerNOC

    Joined:
    Dec 4, 2002
    Messages:
    85
    Likes Received:
    0
    Trophy Points:
    6
  15. fmalekpour

    fmalekpour Well-Known Member
    PartnerNOC

    Joined:
    Dec 4, 2002
    Messages:
    85
    Likes Received:
    0
    Trophy Points:
    6

    Forget it, does not work. Just delete them or change the permission.
     
  16. andyf

    andyf Well-Known Member

    Joined:
    Jan 7, 2002
    Messages:
    246
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    UK
    The CPanel version is a clean room rewrite of the original formmail, because of licensing issues. By replacing it you're probably breaking a bunch of licensing rules on the original.

    This needs to be addressed by the CPanel team.
     
  17. fmalekpour

    fmalekpour Well-Known Member
    PartnerNOC

    Joined:
    Dec 4, 2002
    Messages:
    85
    Likes Received:
    0
    Trophy Points:
    6
    Yes, you're right. That's why we just rename all of them and remove the execute permission.
    Thanks for your note.
     
  18. canebraska

    canebraska Registered

    Joined:
    Apr 7, 2003
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Nebraska
    bewgrock%aol.com back at it.

    The AOL user bewgrock%aol.com is back at it again. I just got a returned mail because his mailbox was full. I had support lock out the script.
    I also alerted the AOL administration. Not that they'll do anything about it.
     
  19. silvernetuk

    silvernetuk Well-Known Member

    Joined:
    Sep 2, 2002
    Messages:
    311
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    United Kingdom
    Hi,

    How do you rename a file in SSH?

    Regards,
    Garry
     
  20. Marty

    Marty Well-Known Member

    Joined:
    Oct 10, 2001
    Messages:
    630
    Likes Received:
    1
    Trophy Points:
    18
    To rename a file you move it:

    mv formmail.cgi insecure.cgi
     