Spammers Hijack Again!
If you're using either of the Master Subscriber scripts,
read on.
If you use any forms that send email, know that there are
many, many software titles, probably hundreds, with the
vulnerability described in "Web Page Form Anti-Hijacking
Considerations" found at /hijack1 and
in "How Spammers Hijack Your Forms" found at
/hijack2
Based on the reports we have received this week, there is a
rash of Master Subscriber form hijackings going on even as
we speak. This article will show you how to replace those
scripts (which we no longer distribute) with other scripts
that have anti-hijacking code built in.
NOTE: Should your form be hijacked, the first thing to do
is to rename the form handling script to something
without a .cgi or .pl file name extension and give the
script 666 permissions (read and write only, no execute),
so the web server can no longer run it. That should stop
the hijacking in its tracks. Then, take a deep breath, and
see what you can do about replacing or updating the script.
Replacing a Subscribe/Unsubscribe Form
The subscribe/unsubscribe form of Master Subscriber Lite
and Master Subscriber Pro can be replaced and handled by
Master Feedback, Master Form V3, or Master Form V4.
The "Subscribe/Unsubscribe Form" example (4th example on
the page) at /mfv4demos will work
for both Master Form... titles.
Using Master Feedback (no charge to download and use) to
process a subscribe/unsubscribe form requires a separate
installation for each address the form submission can be
sent to. You'll probably have a subscribe email address
and an unsubscribe email address.
JavaScript is used to determine which Master Feedback
installation the form contents shall be sent to. Download
an example with the link in the "Useful Reading" section,
on the Master Feedback description page. See below for URL.
Replacing a Multiple Ezine Subscription Form
Master Subscriber Pro's multiple ezine subscription form
can be replaced and handled by Master Form V3 or Master
Form V4.
The "Multiple Ezine Subscription Form" example (5th example
on the page) at /mfv4demos will work
for both Master Form... titles.
Using the Latest Versions
Verify that you have installed the latest versions of the
software you decide to use. Early versions of Master
Feedback and Master Form... do not have the anti-hijacking
code that the latest versions do.
The latest version of Master Feedback is version 2.75 of
July 30, 2005 (some identifying header lines were added
with the most recent upgrade). If you're using an earlier
version, please download and install the latest from
/msmf
The latest version of Master Form V3 is version 3.5n of
March 3, 2005. Master Form V3 is no longer being sold.
However, license holders may generate the latest version
for their domain. A link to the generator can be found at
/mfv3o
The latest version of Master Form V4 is version 4.0e of
April 23, 2005. Links to generate the latest version and
to purchase new licenses are at /mfv4
Not Just Happening To Others
Stealing spammers are scum. They will subvert your email
delivery software when they find the opportunity to do so,
with no twinge of regret that your server and IP address
can be blacklisted as a result.
You don't have to use the scripts we recommend above. But
do verify that what you're using now can't be exploited.
It's better to take care of it now. It can save lots of
hand-wringing and headaches.
How do you know if your scripts are vulnerable? The
/hijack1 article tells how the exploit
is done. Try it on your forms. If you don't know how and
want to hire me to have a look, use the "contact" link on
the page with the article.
The article contains a line of code that can block the
exploit. Use it to fix vulnerable scripts on your server
that you are unable to just replace.
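The blocking line from the /hijack1 article is not reproduced on this page. As an added example (not the article's code, and not the Master Form or Master Feedback scripts themselves), here is a Perl check of the kind a form-to-email handler needs: any field whose value ends up in a mail header is rejected if it contains a line break, because a line break is what lets a submission append headers of its own. The field names `email`, `name` and `subject` and the two sample submissions are constructed for this example.

```perl
#!/usr/bin/perl
# Added example, not part of the original article or of the
# Master Form / Master Feedback scripts.
# Rejects form fields that would be placed in email headers
# when they contain line breaks. A single-line header value
# cannot smuggle extra header lines into the message.
use strict;
use warnings;

# Fields whose values end up in the message header (To:, From:,
# Subject: and so on). The names are assumptions for this example.
my @HEADER_FIELDS = qw(email name subject);

# Returns 1 if the value is safe to put in a header, 0 otherwise.
# A header value must be one line: no CR, no LF, no NUL, and the
# field must be present at all.
sub header_value_is_safe {
    my ($value) = @_;
    return 0 unless defined $value;
    return 0 if $value =~ /[\r\n\0]/;
    return 1;
}

# Checks every header-bound field in a hash of form parameters.
# Returns the list of field names that fail (empty list means OK).
# Body fields such as a free-text message are not checked, since
# line breaks are legitimate there.
sub hijack_check {
    my ($params) = @_;
    my @bad;
    for my $field (@HEADER_FIELDS) {
        push @bad, $field
            unless header_value_is_safe($params->{$field});
    }
    return @bad;
}

# Constructed sample submissions.
my %legit = (
    email   => 'reader@example.com',
    name    => 'Pat Reader',
    subject => 'subscribe',
    message => "Please add me.\nThanks.",   # body field, newlines allowed
);
my %hijack = (
    email   => "reader\@example.com\nX-Extra-Header: injected",
    name    => 'Pat Reader',
    subject => 'subscribe',
);

for my $case ([legit => \%legit], [hijack => \%hijack]) {
    my ($label, $form) = @$case;
    my @bad = hijack_check($form);
    print @bad
        ? "$label: REJECTED (line break or missing value in: @bad)\n"
        : "$label: accepted\n";
}
```

In a real handler, run `hijack_check` on the decoded parameters before anything is passed to `sendmail` and refuse the whole submission if it returns any field name; logging the rejected field and the remote address gives you a record of hijack attempts against the form.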
Eventually, spammers will find every vulnerable script
out there. Depend on it. (Spiders can find forms and test
for vulnerability, automatically.)
Will Bontrager
©2005 Bontrager Connection, LLC