

Email Injection Attacks

We’ve recently had a spate of attacks on our live websites from zombie PCs trying to inject email headers into the page’s viewstate. At our end, the resultant error comes back as a System.Web.HttpUnhandledException : Invalid Viewstate along with a dump of Viewstate that looks remarkably like a Multi-part MIME email message but contains invalid Base64 characters.

ViewState: Content-Type: multipart/mixed; boundary="===============0113959725=="
MIME-Version: 1.0
Subject: 1d2fb280
To:
bcc:
From:

This is a multi-part message in MIME format.

--=============0113959725
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

vzljo

--=============0113959725--

According to this article [http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay], this attack is more subtle than you think, but easy to thwart. If you’re using .NET, it seems to be caught by default, but if you’re a PHP user, you need to make sure to strip carriage return and newline characters from the form fields in your scripts. The thing that bothers me is that these attacks keep occurring from time to time, implying that new people keep getting infected with it. But the same handful of email addresses are always in the BCC field. Couldn’t Microsoft or someone in the .NET world have issued some sort of advisory about this new kind of injection attack back in July when it seemed to begin? If they did, can someone point it out?
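One way to apply the PHP advice above, as an added example that is not code from this post or from the linked article: header-bound form fields are rejected and logged when they contain a line break, stripped anyway, and the address is validated before anything reaches mail(). The field names, helper names and example.com addresses are assumptions.

```php
<?php
// Added example. Field names and addresses are assumptions, not from the post.

// A CR or LF in a header-bound field means the client is trying to start a new header line.
function has_line_break(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Strip CR, LF and NUL so the value can only ever occupy one header line.
function single_line(string $value): string
{
    return trim(str_replace(["\r", "\n", "\0"], '', $value));
}

// Returns the arguments for mail(), or null when the submission is rejected.
function build_contact_mail(array $form, string $to): ?array
{
    foreach (['email', 'subject'] as $field) {
        if (has_line_break((string)($form[$field] ?? ''))) {
            error_log("mail header injection attempt in field '$field'");
            return null;
        }
    }
    // Defence in depth: strip anyway, then require a syntactically valid address.
    $email = filter_var(single_line((string)($form['email'] ?? '')), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return null;
    }
    $headers = "From: webform@example.com\r\nReply-To: $email";
    // The message body is not a header, so its line breaks are left alone.
    return [$to, single_line((string)($form['subject'] ?? '')), (string)($form['message'] ?? ''), $headers];
}

// Constructed submissions: one modelled on the dump in the post, one ordinary.
$injected = [
    'email'   => "vzljo@example.com\r\nContent-Type: multipart/mixed; boundary=\"x\"\r\nbcc: placeholder@example.net",
    'subject' => '1d2fb280',
    'message' => 'vzljo',
];
$ordinary = ['email' => 'reader@example.com', 'subject' => 'Hello', 'message' => "Line one\nLine two"];

foreach ([$injected, $ordinary] as $form) {
    $args = build_contact_mail($form, 'owner@example.com');
    echo $args === null ? "rejected\n" : "accepted, headers:\n{$args[3]}\n";
    // In a real handler: if ($args !== null) { mail(...$args); }
}
```

Logging the rejected field gives a record to correlate with the recurring probes described above.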

Posted on September 5, 2005   #Geek Stuff  





