SQL attack on a formmail

The Doctor

Dec 10, 2021, 12:18:00 PM
All right. A formmail form was attacked by a Russian
hacker on Monday using some SQL script.

Anyone seen this before?
--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism https://www.empire.kred/ROOTNK?t=94a1f39b
Merry Christmas 2021 and Happy New Year 2022 Beware https://mindspring.com

Grant Taylor

Dec 10, 2021, 12:34:40 PM
On 12/10/21 10:17 AM, The Doctor wrote:
> a formmail form was attacked by hacker on Monday using some SQL script.

What /precisely/ is formmail in this context?

I ask because I've seen a number of things called "formmail" over
decades, with wildly different capabilities and defenses.

> Anyone seen this before?

Yes. I've seen many ... problems ... with various formmail
implementations over the years. Many of the ones that I looked at in
the '00s were -- IMHO -- rooted in formmail trying to be a generic form
handler to send email. The generic nature of its attempt to be a
simple target to post form content to as a handler made it more than a
little vulnerable. Especially considering that clients could see just
about any if not all protection mechanisms in the page that used formmail
as a form action.

I generally avoided such generic formmail things for that reason and
tended to write specific implementations that hard coded some aspects
(like the target email address) which made it a LOT harder to exploit.

Aside: I'm not quite sure how SQL fits into this overall discussion.
Maybe the version of formmail that you're dealing with uses SQL as a
backend for something. Maybe someone exploited an SQL server and
induced it to do something it shouldn't. There's a LOT of room for
interpretation.



--
Grant. . . .
unix || die
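
A sketch of the "specific implementation" approach from the reply above, added here as an example; it is not code from either poster or from any formmail implementation. The addresses, field names, length limits and the line-break check are all assumptions made for illustration.

```python
import re
from email.message import EmailMessage

# Assumed values for this sketch; none of them come from the thread.
RECIPIENT = "webmaster@example.org"   # fixed on the server, never read from the form
SENDER = "forms@example.org"
ALLOWED_FIELDS = {"name": 100, "email": 254, "subject": 150, "message": 5000}
HEADER_FIELDS = {"name", "email", "subject"}   # values that must stay on one line


class RejectedSubmission(ValueError):
    """Raised when a posted form does not match what this handler expects."""


def build_message(form):
    """Turn posted form fields (dict of str -> str) into an EmailMessage."""
    unknown = set(form) - set(ALLOWED_FIELDS)
    if unknown:
        # A generic handler would honour client-supplied fields such as
        # "recipient"; this one refuses anything outside its fixed list.
        raise RejectedSubmission(f"unexpected fields: {sorted(unknown)}")

    clean = {}
    for field, limit in ALLOWED_FIELDS.items():
        value = form.get(field, "").strip()
        if not value or len(value) > limit:
            raise RejectedSubmission(f"missing or oversized field: {field}")
        # splitlines() also catches Unicode line separators, not just CR/LF.
        if field in HEADER_FIELDS and len(value.splitlines()) > 1:
            raise RejectedSubmission(f"line break in field: {field}")
        clean[field] = value

    if not re.fullmatch(r"[^@\s]+@[^@\s]+", clean["email"]):
        raise RejectedSubmission("email field is not a single address")

    msg = EmailMessage()
    msg["To"] = RECIPIENT                  # hard-coded destination
    msg["From"] = SENDER
    msg["Reply-To"] = clean["email"]
    msg["Subject"] = f"[contact form] {clean['subject']}"
    msg.set_content(f"Name: {clean['name']}\n\n{clean['message']}")
    return msg
```

Because the destination and the accepted field list live on the server, nothing in the page that posts to this handler can change where the mail goes.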