[triangle-zpug] zp hacked by spambot

Stephan Altmueller stephan_altmueller at unc.edu
Fri Mar 30 13:38:15 UTC 2007


Hi Frank,

I don't fully understand how the bcc field could be inserted, it's not 
used in any of the
code below (unless the "zm_sendMail" script/function reads it from the 
request object).

If this is a basic "Script (Python)" script then the fundamental problem 
is that it uses
unvalidated request parameters. You could replace it with a form 
controller script (.cpy)
and add a validation (.vpy) script via the metadata that validtes all 
parameters.

       - Stephan

Dimauro, Frank wrote:
> One of our python scripts that was sitting in our custom skins folder
> (developed by Cignex to serve as the basis script that handles our email
> forms) was exploited by a spammer and caused a whole mess of spam to be
> generated from our Exchange email server. The script was not in use but
> "someone somehow" knew it was there and exploited it. Here it is below.
> We have since turned off smtp port 25 on the server and our email forms
> are dormant. Can anyone suggest a fix that will prevent future hijack?
> The spammer added a bcc: field to the form and bcc'd the spam to
> thousands. The giveaway was the MIME header on one of the relayed emails
> that listed the email l_mail_to
> ='mohammad_ismail at akebonosoft.com'...ismail was a cignex contract
> employee who was one of the original developers of our site...
>
> Frank DiMauro
>
> "Our Age of Anxiety is, in great part, the result of trying to do
> today's jobs with yesterday's tools."
> -M.McLuhan
>
> #######################################################################
> ## Script (Python) "zp_contactus"
> ##bind container=container
> ##bind context=context
> ##bind namespace=
> ##bind script=script
> ##bind subpath=traverse_subpath
> ##parameters=
> ##title=
> ##
> #
> ------------------------------------------------------------------------
> ------------------------
> #  Name:  zp_contactus
> #
> #  Purpose : Sends contact information 
> #
> #  Mandatory REQUEST parameters: None
> #
> #  Optional REQUEST parameters: None
> #
> #  Development History: 
> #   Date          Author     Description
> #   -----------   -------    --------------
> #   04/24/2004    CIGNEX     Created
> #
> ------------------------------------------------------------------------
> ------------------------
>
> request = container.REQUEST
> RESPONSE =  request.RESPONSE
>
> # Determine - whom to send the mail
> l_mail_to ='mohammad_ismail at akebonosoft.com'
> l_email=request.get('email')
>
>
> # Form the mail subject
> l_mail_subject = "UNCH - Contact Us form"
>
> # Form the mail body
> l_body = '\n'
> l_body = l_body + 'Name = ' + request.get('name') + '\n'
> l_body = l_body + 'Address = ' + request.get('address') + '\n'
> l_body = l_body + 'Phone Number = ' + request.get('phone') + '\n'
> l_body = l_body + 'Email = ' + request.get('email') + '\n'
> l_body = l_body + 'Comments = ' + request.get('comments') + '\n'
>
> # Result page Object
> l_resultPage = container['zpt_confirmation']
>
> # send form in email
> context.zm_sendMail(context,
>            mail_from=l_email,
>            mail_to=l_mail_to,
>            mail_subject=l_mail_subject,
>            mail_body=l_body)
>
> # show result page
> url = 'http' + context.absolute_url()[4:]
>
> target= '%s/%s?p_message=%s&p_heading=%s' % (url, 'l_resultPage',
>         'We will go through your feedback and get back to you soon.', 
>         'Thanks for contacting us')
>
> return context.REQUEST.RESPONSE.redirect(target)
>
>
>
> _______________________________________________
> triangle-zpug mailing list
> triangle-zpug at starship.python.net
> http://starship.python.net/mailman/listinfo/triangle-zpug
>   


-- 
--------------------------------------------------------
Stephan Altmueller 
Applications Analyst
OASIS - Office of Arts and Sciences Information Services
University of North Carolina at Chapel Hill  
Phone: 919-962-4205
Email: stephan_altmueller at unc.edu




More information about the triangle-zpug mailing list