If you’ve ever designed a website for a client, one of the first things they ask for is a “contact us” form. Unfortunately, the contact form is also one of the places where many web developers get security wrong. I’m not talking about how to optimize your forms, or about the various sendmail programs either. I’m talking about putting an open email sender out there on the web for anybody to use.
Let’s look at a major example:
Volusion is a major player in the online shopping cart industry. According to their client gallery they host some big name sites like Crutchfield Canada and the Barack Obama Store. It’s also this client gallery that’s going to be your best tool in finding vulnerable sites.
Admirably, Volusion tries to take care of everything a webmaster could need, including a contact form. In fact, the standard installation seems to come with its own contact form. It can be found on any Volusion site at http://www.SITENAME.com/articles.asp?ID=83 (yes, I know ID= is terrible SEO, but we’re not talking about SEO here).
If you want to see what I’m talking about, here’s an example on Crutchfield Canada.
If we view the source here, there are two items that stick out.
First, we see the form action:
<form name="eMail" method="post" action="emailform.asp">
And more importantly, we see the following lines of code:
<input type="submit" name="submit" value="submit">
<input type="hidden" name="email_From" value="[email protected]">
<input type="hidden" name="email_To" value="[email protected]">
<input type="hidden" name="email_Subject" value="Contact Form Submission">
<input type="hidden" name="email_ThankYou" value="Thank you for submitting your request.">
<input type="hidden" name="email_Redirect" value="">
What they’re doing here is using hidden inputs to determine the From address, the To address, the subject, and even the page the user sees after the email is sent. Since the server simply trusts these values, anybody who posts the form gets to choose all of them, which turns the page into an open mail relay.
Try it for yourself. Paste the following into your address bar and hit enter (it assumes the contact form is the third form on the page):
javascript: void(document.forms[2].email_To.value="[email protected]");
Then fill out a form field and submit. You just sent email to yourself from the form.
Of course, doing this by hand in JavaScript is tedious. It would be much better if I could automate a form to do this. Well, you can!
Remember that form action? It turns out that if you write your own HTML form containing the inputs above and point its action at a site’s emailform.asp, the server sends the mail with whatever From, To and Subject you supplied, as if it had come from the site’s own contact form.
I’m not sure if somebody’s found this vulnerability yet, but there are literally thousands of sites on the web that share it right now.
If you’re a Volusion customer and don’t have access to the source code (most versions don’t come with that), the best way to fix this is to simply remove your emailform.asp file (of course, this will break your email form). Heh, I guess you could always set your form action to that of another Volusion site and send email through them too 🙂
The key lesson here is to never trust the user. Anything done on the client side (like HTML forms or JavaScript) is under the user’s control and can be changed at will. At the very minimum here, the To address should have been a server-side variable (or hard-coded into emailform.asp). That stops the relay but does not protect against email header injection: since this form just emails the contents of the form fields, a line break followed by “Bcc:” or “To:” inside the From or Subject field still adds recipients. You should always do server-side validation of your input, and for anything that ends up in a mail header that means rejecting values containing carriage returns or line feeds.
If you’re using PHP, you can learn about email form validation here. Unfortunately, I was unable to find a secure email form example in ASP using Google.
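To make the fix in the previous paragraph concrete, here is an added example in Node.js. It is not Volusion’s emailform.asp (whose source is not available): the field names are the ones from the form above, while the recipient and sender constants, the function names and the sample POST bodies are assumptions made for illustration. buildMessageNaive does what the text describes, copying every posted field into a mail header, so the poster picks the recipient and a CR/LF inside email_From smuggles in a Bcc: line. buildMessageHardened keeps the recipient on the server, puts the visitor’s address only in Reply-To after validating it, and refuses any header value containing a line break. Both functions only build the message text a mailer would be handed; nothing is sent.

```javascript
// Added example, not Volusion's emailform.asp. Models the server side of a
// contact form using the field names shown on the page (email_From, email_To,
// email_Subject). Constants and function names are assumptions for illustration.

// Assumption: the real recipient and sender live in server config,
// never in a hidden input the browser can rewrite.
const SITE_CONTACT = "sales@example.com";
const SITE_SENDER = "webform@example.com";

// Naive builder: copies every posted field straight into mail headers, so the
// client chooses To/From/Subject and can inject extra headers via CR/LF.
function buildMessageNaive(fields) {
  return [
    `From: ${fields.email_From}`,
    `To: ${fields.email_To}`,
    `Subject: ${fields.email_Subject}`,
    "",
    fields.message,
  ].join("\r\n");
}

// A header value may never contain a line break (or NUL); a line break is what
// lets an attacker terminate one header and start another such as Bcc:.
function isCleanHeaderValue(v) {
  return typeof v === "string" && v.length <= 200 && !/[\r\n\0]/.test(v);
}

// Conservative address check: one @, a dotted domain, and none of the
// characters that separate or group addresses inside a header.
function looksLikeEmail(v) {
  return isCleanHeaderValue(v) &&
    /^[^\s@<>,;:"()\\]+@[^\s@<>,;:"()\\]+\.[A-Za-z]{2,}$/.test(v);
}

// Hardened builder: ignores posted email_To and email_From as headers,
// validates what it does use, and returns {ok:false} instead of a message
// when the input is hostile.
function buildMessageHardened(fields) {
  const visitor = fields.email_From;
  if (!looksLikeEmail(visitor)) {
    return { ok: false, reason: "sender address rejected" };
  }
  const subject = fields.email_Subject;
  if (!isCleanHeaderValue(subject) || subject.trim() === "") {
    return { ok: false, reason: "subject rejected" };
  }
  const body = typeof fields.message === "string" ? fields.message : "";
  if (body.length === 0 || body.length > 4000) {
    return { ok: false, reason: "message rejected" };
  }
  const message = [
    `From: ${SITE_SENDER}`,               // fixed: our own domain as sender
    `Reply-To: ${visitor}`,               // the only place the visitor's address appears
    `To: ${SITE_CONTACT}`,                // fixed recipient; posted email_To is ignored
    `Subject: [Contact form] ${subject}`, // validated above: no CR/LF possible
    "",
    body,
  ].join("\r\n");
  return { ok: true, message };
}

// Constructed sample POST bodies, as a server sees them after form parsing.
const hostilePost = {
  email_From: "attacker@example.net\r\nBcc: victim1@example.org",
  email_To: "victim2@example.org", // hidden input rewritten by the attacker
  email_Subject: "Cheap watches",
  message: "Spam body",
};
const honestPost = {
  email_From: "visitor@example.net",
  email_To: "sales@example.com",    // the unmodified hidden input
  email_Subject: "Question about an order",
  message: "Hello, when does my order ship?",
};

if (typeof require !== "undefined" && require.main === module) {
  console.log("--- naive, hostile input (note the injected Bcc and redirected To) ---");
  console.log(buildMessageNaive(hostilePost));
  console.log("--- hardened, hostile input ---");
  console.log(buildMessageHardened(hostilePost));
  console.log("--- hardened, honest input ---");
  console.log(buildMessageHardened(honestPost).message);
}
```

Run it with node to print the two messages side by side. The same rule carries over to classic ASP or PHP: never concatenate a posted value into a header without first rejecting CR and LF, and never read the recipient from the request at all.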
In version 5 of Volusion eCommerce software there is a required new field for sending emails through a form post. The new required field is an image verification code. This method of verification is also known as CAPTCHA and is widely accepted throughout the World Wide Web as an acceptable spam-preventing mechanism. Sites that have adopted this method include Google and Hotmail (maybe some more here). There is also a speaker icon for those who have trouble reading the scrambled images.
As well as this layer of security, there is a limit of five emails per day per IP address. Since the form is still open to a single person changing the input fields to what they wish, this will prevent them from sending very many “malicious” emails. For the sake of functionality, usability, and customizability, the method we use is required.
There is also a third layer, behind the scenes, in our email server that limits the number of emails that are sent. We also monitor this limit and if people are unexpectedly reaching their limits we take appropriate action.
Comment by Michelle Greer — November 12, 2007 @ 2:14 pm
Thanks for your post Michelle. While it’s not the preferred method I’d take, it does provide a little bit of help.
The proper solution is to store the recipient email on the server side, as well as provide validation. From what I can gather without looking at the code (I’m not a volusion client), it’s simply taking whatever is in that field and sending the mail – thus still wide open for HTML header injection.
Of course, I haven’t tried it, so you might be doing some validation. I’m not sure.
I’m at least glad to see you’re taking some steps in the right direction. I’m sorry I singled your sites out, as there are tons of other vulnerable sites out there, it’s just that yours were the easiest to demonstrate on because of the consistent naming.
–Ryan
Comment by Ryan — November 12, 2007 @ 3:53 pm