The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws



Injecting into SMTP

Many applications contain a facility for users to submit messages via the application; for example, to report a problem to support personnel or provide feedback about the web site. This facility is usually implemented by interfacing with a mail (or SMTP) server. Typically, user-supplied input will be inserted into the SMTP conversation that the application server conducts with the mail server. If an attacker can submit suitably crafted input that is not filtered or sanitized, he may be able to inject arbitrary SMTP commands into this conversation.

In most cases, the application will enable you to specify the contents of the message and your own email address (which is inserted into the From field of the resulting email). You may also be able to specify the subject of the message and other details. Any relevant field that you control may be vulnerable to SMTP injection.

SMTP injection vulnerabilities are often exploited by spammers who scan the Internet for vulnerable mail forms and use these to generate large volumes of nuisance email.
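The root cause described above is that a user-controlled field (From, Subject, and so on) is dropped into a line-oriented protocol where a carriage return or line feed ends the current header or command. The following is an added example, not code from the book: a defensive server-side check for a feedback form that rejects any header field containing control characters, builds the message with Python's `email` library instead of string concatenation, and a small scan that flags submissions carrying injection attempts so they can be logged. The field names, the addresses and the sample submissions are constructed for the example.

```python
import re
from email.message import EmailMessage

# A header value must fit on one line. CR, LF, NUL and other ASCII control
# characters have no business in a From or Subject field and are the
# signature of an attempt to start a new header or SMTP command.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Deliberately strict: one plain mailbox, no display name, no angle brackets.
_ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Destination is fixed by the application, never taken from the form.
SUPPORT_ADDRESS = "support@example.invalid"  # constructed placeholder


class HeaderInjectionError(ValueError):
    """Raised when a form field would break out of its header line."""


def check_header_value(field: str, value: str, max_len: int = 255) -> str:
    """Return value unchanged if it is safe as a single header line, else raise."""
    if len(value) > max_len:
        raise HeaderInjectionError(f"{field}: value longer than {max_len} characters")
    if _CONTROL_CHARS.search(value):
        raise HeaderInjectionError(f"{field}: control characters are not allowed")
    return value


def check_address(field: str, value: str) -> str:
    """Accept exactly one syntactically plain address and nothing else."""
    value = check_header_value(field, value)
    if not _ADDRESS.match(value):
        raise HeaderInjectionError(f"{field}: not a single plain email address")
    return value


def build_feedback_message(sender: str, subject: str, body: str) -> EmailMessage:
    """Build the outgoing message; every user-controlled header is validated first.

    The message body is free text and may contain newlines: the email library
    keeps it in the body section, so a newline there cannot reach the headers.
    """
    msg = EmailMessage()
    msg["From"] = check_address("From", sender)
    msg["To"] = SUPPORT_ADDRESS
    msg["Subject"] = check_header_value("Subject", subject)
    msg.set_content(body)
    return msg


def find_injection_attempts(submissions: list[dict]) -> list[tuple[int, str]]:
    """Return (submission index, field name) for every header field that
    contains control characters, so the attempts can be logged and alerted on."""
    hits = []
    for i, sub in enumerate(submissions):
        for field in ("from", "subject"):
            if _CONTROL_CHARS.search(sub.get(field, "")):
                hits.append((i, field))
    return hits


# Constructed sample form submissions: one legitimate, two carrying CRLF
# payloads that try to add a Bcc header to the generated message.
CONSTRUCTED_SUBMISSIONS = [
    {"from": "alice@example.invalid", "subject": "Login page broken",
     "body": "The login button does nothing.\nSecond line of the report."},
    {"from": "bob@example.invalid\r\nBcc: someone@example.invalid",
     "subject": "hi", "body": "x"},
    {"from": "carol@example.invalid",
     "subject": "Help\nBcc: someone-else@example.invalid", "body": "y"},
]


if __name__ == "__main__":
    for i, sub in enumerate(CONSTRUCTED_SUBMISSIONS):
        try:
            msg = build_feedback_message(sub["from"], sub["subject"], sub["body"])
            print(f"submission {i}: accepted, Subject={msg['Subject']!r}")
        except HeaderInjectionError as exc:
            print(f"submission {i}: rejected ({exc})")
    print("flagged for logging:", find_injection_attempts(CONSTRUCTED_SUBMISSIONS))
```

Rejecting rather than stripping is the safer choice: silently removing the CRLF would still let the rest of the payload through as header text, and the rejection itself is the event worth recording, since a form that receives many such submissions is being probed by exactly the scanners the text mentions. Fixing the recipient in code removes the most valuable target field from the attacker's control entirely.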

