
List:       webappsec
Subject:    Problem about detecting "SMTP command injection", i.e. cr lf chars in web forms
From:       "Maxime Ducharme" <mducharme () cybergeneration ! com>
Date:       2006-08-24 15:17:11
Message-ID: 20060824151232.2319.qmail () mail ! securityfocus ! com


Hello guys,
	I am looking for a solution to detect attacks
on web forms that allow sending an email.

Example :
contactus.asp which contains these fields :

- From Name
- From email
- Subject
- text

We noticed that some programs used to send email do
not properly filter the first 3 fields for carriage-return and
line-feed chars, which allows someone to add SMTP commands
in these fields and construct a valid SMTP session that
this person can control.

We are currently working on filtering these fields in the applications'
code, but we host many sites we do not manage.

I am looking for a way to detect these attacks with snort. Is
anyone aware of a rule for this kind of attack, or could someone help me write one?

Any other idea/suggestion is also welcome

Thanks in advance

Have a nice day
 
Maxime Ducharme
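The check the post is asking for, as an added example that is not part of the original message or of any product it mentions: decode a form submission, look for CR/LF (raw or percent-encoded) in the fields that end up on a mail header line, and show beside it why the injection works, by rendering the From/Subject headers the naive way and the hardened way. The field names (from_name, from_email, subject, text) and the sample POST bodies are constructed for the example; the original post only describes the fields.

```python
"""Detection of CR/LF (mail-header / SMTP-command) injection in a contact
form submission, plus the hardened header construction the detection
motivates. Added example; field names and request bodies are constructed."""
import re
from urllib.parse import parse_qs

# Fields whose values end up on a single header line of the outgoing mail.
# Field names are assumed for this example (the original post only names
# them descriptively: From Name, From email, Subject, text).
HEADER_FIELDS = ("from_name", "from_email", "subject")

REASON_CRLF = "CR/LF in decoded value"
REASON_RESIDUE = "%0D/%0A still present after one decode (possible double encoding)"

_CRLF_RE = re.compile(r"[\r\n]")
_ENCODED_CRLF_RE = re.compile(r"%0[dDaA]")


def decode_form(body: str) -> dict:
    """Percent-decode an application/x-www-form-urlencoded body into
    {field: first value}. Raw CR/LF survive untouched; %0D/%0A become CR/LF."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def find_injection(body: str) -> list:
    """Return [(field, reason)] for header-bound fields that carry a line
    terminator. The message body field ("text") legitimately contains
    newlines and is deliberately not examined."""
    findings = []
    for field, value in decode_form(body).items():
        if field not in HEADER_FIELDS:
            continue
        if _CRLF_RE.search(value):
            findings.append((field, REASON_CRLF))
        elif _ENCODED_CRLF_RE.search(value):
            # One decode left "%0D%0A" behind: harmless unless the application
            # decodes twice, but worth flagging as an evasion attempt.
            findings.append((field, REASON_RESIDUE))
    return findings


def sanitize_header_value(value: str) -> str:
    """Hardened form: a header value may never contain CR, LF or NUL."""
    return re.sub(r"[\r\n\x00]", "", value)


def render_headers(fields: dict, harden: bool) -> str:
    """Build the From/Subject header lines the way a naive mailer does
    (harden=False) or with the values sanitized first (harden=True)."""
    name = fields.get("from_name", "")
    addr = fields.get("from_email", "")
    subj = fields.get("subject", "")
    if harden:
        name, addr, subj = (sanitize_header_value(v) for v in (name, addr, subj))
    return f"From: {name} <{addr}>\r\nSubject: {subj}\r\n"


# Constructed sample POST bodies (application/x-www-form-urlencoded).
BENIGN = ("from_name=Alice+Smith&from_email=alice%40example.com&subject=Hello"
          "&text=Line+one%0D%0ALine+two")
# %0D%0A inside the address smuggles a Bcc: header.
INJECTED = ("from_name=Bob&from_email=bob%40example.com%0D%0ABcc%3A+victim%40example.net"
            "&subject=Hi&text=x")
# Raw (unencoded) line break, as some clients send it.
RAW_NEWLINE = ("from_name=Carol&from_email=carol%40example.com"
               "&subject=Hi\r\nBcc:+spam%40example.org&text=x")
# Double-encoded: one decode yields a literal "%0D%0A".
DOUBLE_ENCODED = ("from_name=Dan&from_email=dan%40example.com"
                  "&subject=Hi%250D%250ABcc%3A+spam%40example.org&text=x")

if __name__ == "__main__":
    for label, body in [("benign", BENIGN), ("injected", INJECTED),
                        ("raw newline", RAW_NEWLINE), ("double encoded", DOUBLE_ENCODED)]:
        print(f"{label:15s} {find_injection(body)}")
    fields = decode_form(INJECTED)
    print(repr(render_headers(fields, harden=False)))
    print(repr(render_headers(fields, harden=True)))
```

Two caveats matter when turning this into an IDS rule. The match has to be scoped to the header-bound fields: the message text field carries CR/LF in every legitimate multi-line submission, so a rule that looks for %0D%0A anywhere in the POST body will fire constantly. And because the field names differ per site, a network-side rule can only key on names it knows, which is the limitation when hosting forms you do not manage; the sanitizer in the application is the fix, the rule is the early warning.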




