Is Your Site Sending Spam? Thousands of Volusion Sites Might Be.
If you’ve ever designed a website for a client, one of the first things they always ask for is a “contact us” form. Unfortunately, the contact form is one of the places where most web developers fall short. I’m not talking about how to optimize your forms, or about the various sendmail programs either. I’m talking about putting an open email sender out on the web for anybody to use.
Let’s look at a major example:
Volusion is a major player in the online shopping cart industry. According to their client gallery they host some big name sites like Crutchfield Canada and the Barack Obama Store. It’s also this client gallery that’s going to be your best tool in finding vulnerable sites.
Admirably, Volusion tries to take care of everything a webmaster could need – including a contact form. In fact, the standard installation seems to come with its own contact form. It can be found on any volusion site by going to http://www.SITENAME.com/articles.asp?ID=83 (yes, I know ID= is terrible SEO, but hey we’re not talking about SEO here)
If you want to see what I’m talking about, here’s an example on Crutchfield Canada.
If we view the source here, there are two major items that stick out.
First, we see the form action:
<form name="eMail" method="post" action="emailform.asp">
And more importantly, we see the following lines of code:
<input type="submit" name="submit" value="submit">
<input type="hidden" name="email_From" value="[email protected]">
<input type="hidden" name="email_To" value="[email protected]">
<input type="hidden" name="email_Subject" value="Contact Form Submission">
<input type="hidden" name="email_ThankYou" value="Thank you for submitting your request.">
<input type="hidden" name="email_Redirect" value="">
What they’re doing here is using hidden inputs to determine the from address, the to address, the subject, and even the page the user sees after the email is sent. Since every one of those values comes from the browser, this essentially allows anybody to send any email they like.
Try it for yourself. Enter
javascript: void(document.forms[2].email_To.value="[email protected]");
in your address bar and hit enter, then fill out a form field and submit. You just sent email to yourself from the form.
Of course, doing this all with javascript is very inefficient. It’d be much better if I could automate a form to do this. Well, you can!
Remember that form action? It turns out that if you write your own form with the above inputs and post it to that action, the site sends the email as if it came from you.
I’m not sure if somebody’s found this vulnerability yet, but there are literally thousands of sites on the web that share it right now.
If you’re a Volusion customer and don’t have access to the source code (most versions don’t come with it), the best way to fix this is simply to remove your emailform.asp file (of course, this will break your email form). Heh, I guess you could always set your form action to that of another Volusion site and send email through them too 🙂
The key lesson here is to never trust the user. Anything done on the client side (like HTML forms or JavaScript) is always under the user’s control. At the very minimum, the to address should have been a server-side variable (or hard-coded into emailform.asp). That doesn’t protect against email header injection, but it’s a start: since this form just emails the contents of the form fields, it’s also vulnerable to header injection. You should always do some sort of server-side validation of your input.
If you’re using PHP, you can learn about email form validation here. Unfortunately, I was unable to find a secure email form example in ASP using Google.
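As an added example (my own code, not Volusion’s and not from the original post, and written in Python rather than ASP), here is what the server side of such a form should look like: the recipient and sender are fixed on the server, any email_To / email_From / email_Subject fields the browser sends are ignored, and the fields that end up in mail headers are rejected if they contain the CR/LF characters an email header injection needs. The addresses and field names are constructed placeholders.

```python
import re
from email.message import EmailMessage

# Fixed on the server; placeholder addresses, never taken from the request.
CONTACT_FROM = "forms@example.com"
CONTACT_TO = "sales@example.com"

_CRLF = re.compile(r"[\r\n]")
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class FormError(ValueError):
    """Raised when a submission must not be turned into a mail."""


def build_contact_mail(form: dict) -> EmailMessage:
    """Build the outgoing mail from the POSTed fields.

    email_To, email_From and email_Subject are simply never read, so a
    forged form cannot redirect the mail. Only name and reply_to end up
    in headers, and both are refused if they carry CR or LF, which is
    what a header injection (a smuggled Bcc: line, say) relies on.
    """
    name = form.get("name", "").strip()
    reply_to = form.get("reply_to", "").strip()
    message = form.get("message", "").strip()
    if not name or not message:
        raise FormError("name and message are required")
    for field, value in (("name", name), ("reply_to", reply_to)):
        if _CRLF.search(value):
            raise FormError(f"newline in header field {field!r}")
    if reply_to and not _EMAIL.match(reply_to):
        raise FormError("reply_to is not a valid address")

    msg = EmailMessage()
    msg["From"] = CONTACT_FROM  # our sender, never the client's
    msg["To"] = CONTACT_TO
    msg["Subject"] = "Contact Form Submission"
    if reply_to:
        msg["Reply-To"] = reply_to  # the one client value placed in a header
    msg.set_content(f"Submitted by: {name}\n\n{message}")
    return msg


def handle_post(form: dict) -> tuple:
    """Request handler: returns (sent, detail) instead of an HTTP response."""
    try:
        msg = build_contact_mail(form)
    except FormError as exc:
        return (False, str(exc))
    # smtplib.SMTP(...).send_message(msg) would go here.
    return (True, f"{msg['From']} -> {msg['To']}")
```

Python's EmailMessage also refuses header values containing a newline, but the explicit check lets the handler report a clear reason instead of a generic error.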
November 12th, 2007