legitimate users when the allowed login retry limit is exceeded. Other
real-world examples are described below.
Matt Wright FormMail
The Perl-based web application "FormMail" was normally used to
transmit user-supplied form data to a preprogrammed e-mail address.
The script offered an easy-to-use solution for web sites to gather
feedback. For this reason, the FormMail script was one of the most
popular CGI programs online. Unfortunately, this same high degree
of utility and ease of use was abused by remote attackers to send
e-mail to any remote recipient. In short, this web application was
transformed into a spam relay engine with a single browser web
request.
An attacker merely has to craft a URL that supplies the desired e-mail
parameters and perform an HTTP GET to the CGI, such as:
http://example/cgi-bin/FormMail.pl?recipient=email@victim.example&message=you%20got%20spam
An e-mail would be dutifully generated, with the web server acting as
the sender, allowing the attacker to be fully proxied by the web
application. Since no security mechanisms existed for this version of
the script, the only viable defensive measure was to rewrite the script
with a hard-coded e-mail address. Barring that, site operators were
forced to remove or replace the web application entirely.
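The relay described above, and the hard-coded recipient fix, side by side. This is an added illustration written for this page, not the FormMail script itself or code from its author; it models the script's handling of the "recipient" and "message" parameters in Python rather than Perl. The query string is the one from the attack URL above, the sender address www@webserver.example and the site-owned address feedback@ourcompany.example are assumed values, and the function names are hypothetical. The fix generalises the single hard-coded address to a hard-coded allowlist, which is the same control with more than one entry.

```python
from email.message import EmailMessage
from urllib.parse import parse_qs

# Constructed sample: the query string of the attack URL quoted in the text.
ATTACK_QUERY = "recipient=email@victim.example&message=you%20got%20spam"

# Assumed identity the web server sends as; the attacker never controls this,
# which is exactly why the relay is attractive: the mail looks like it came
# from the site.
SERVER_SENDER = "www@webserver.example"


def vulnerable_formmail(query: str) -> EmailMessage:
    """Models the original behaviour: the recipient is taken straight from
    the request, so anyone who can issue a GET can pick who gets mail."""
    params = parse_qs(query)
    msg = EmailMessage()
    msg["From"] = SERVER_SENDER
    msg["To"] = params["recipient"][0]            # attacker-controlled
    msg["Subject"] = "FormMail"
    msg.set_content(params.get("message", [""])[0])
    return msg


# Assumed site-owned addresses, fixed in the script rather than in the request.
# A single hard-coded address is the one-entry case of this set.
ALLOWED_RECIPIENTS = frozenset({"feedback@ourcompany.example"})
DEFAULT_RECIPIENT = "feedback@ourcompany.example"


class RecipientNotAllowed(ValueError):
    """Raised when a request names a recipient outside the hard-coded set."""


def hardened_formmail(query: str) -> EmailMessage:
    """Same form handling, but the destination can only be one of the
    site's own addresses; any other value is rejected before mail is built."""
    params = parse_qs(query)
    requested = params.get("recipient", [DEFAULT_RECIPIENT])[0]
    if requested not in ALLOWED_RECIPIENTS:
        raise RecipientNotAllowed(requested)
    msg = EmailMessage()
    msg["From"] = SERVER_SENDER
    msg["To"] = requested
    msg["Subject"] = "FormMail"
    msg.set_content(params.get("message", [""])[0])
    return msg


def recipient_of(msg: EmailMessage) -> str:
    """Helper for checking where a built message would go."""
    return str(msg["To"])


if __name__ == "__main__":
    print("vulnerable handler delivers to:", recipient_of(vulnerable_formmail(ATTACK_QUERY)))
    try:
        hardened_formmail(ATTACK_QUERY)
    except RecipientNotAllowed as e:
        print("hardened handler rejected recipient:", e)
    print("hardened handler with no recipient goes to:",
          recipient_of(hardened_formmail("message=hello")))
```

The check runs before any message object exists, so a rejected request costs nothing beyond parsing the query; the web server's sender identity is never exposed to a third-party inbox.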
Macromedia's Cold Fusion
Sometimes basic administrative tools are embedded within web
applications and can easily be used for unintended purposes. For
example, Macromedia's Cold Fusion by default has a built-in module
for viewing source code that is universally accessible. Abuse of this
module can result in critical web application information leakage.
Often these types of modules are not sample files or extraneous
functions, but critical system components. This makes disabling
Copyright 2004, Web Application Security Consortium. All rights reserved.