Re: novice with hacked email form issue

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, February 21, 2006 12:19 pm, cKc Consultants wrote:
> An email form that uses a simple server side php code to send the
> variable
> values managed to send:

Here is a stripped-down version of what happened:

YOUR BAD CODE:

<?php if (isset($email)){
  //This next line blindly embeds the user input "$email"
  //into the headers of an email message.
  //This pretty much turns your server into a spam-factory.
  //Don't do that!
  mail('ckccnslt@xxxxxxxxxxxxxxxxxx', "From Web", $message, "From:
$email");
} ?>
<form action="hackable.php" method="post">
Your Email: <input name="email"><br />
Your Message: <textarea name="message" wrap="virtual" cols="20"
rows="10"></textarea><br />
<input type="submit" name="hack_me" value="send us email">
</form>


Here is a crude script specifically crafted to abuse the above page.
You can assume the spammers are a bit more sophisticated than this.
<?php
  $hack_data = "Content-Type: multipart/alternate;\r\n...";
  $post_vars = "email=$hack_data&message=&hack_me=send+us+email";
  $data_len = strlen($post_vars);
  $socket = fsockopen("http://example.com";, 80);
  fwrite($socket, "POST /hackable.php HTTP/1.0\n");
  fwrite($socket, "Host: example.com\n");
  fwrite($socket, "Content-length: $data_len\n");
  fwrite($socket, $post_vars);
?>


> Content-Type: multipart/alternative;
>> boundary=5c7c7e682d991e8ec1f6825582ea2103
>> MIME-Version: 1.0
>> Subject: round a rock by way of anchorage
>> bcc: charieses329@xxxxxxx
>>
>> This is a multi-part message in MIME format.
>>
>> --5c7c7e682d991e8ec1f6825582ea2103
>> Content-Type: text/plain; charset=\"us-ascii\"
>> MIME-Version: 1.0
>> Content-Transfer-Encoding: 7bit
>>
>> system expict th time is
>> --5c7c7e682d991e8ec1f6825582ea2103--
>>
>
> This appears between responses to "$msg.=" and shouldn't be something
> the
> user could see. In order to figure out how to prevent this, I need to
> know
> how it was done. I know I need to validate the email address more
> closely,
> but I'm curious as to what created this. I've found some interesting
> articles on the web, but nothing seems to deal with this issue.
> Pointing me
> in the right direction would be appreciated!

Having the above kind of junk in the message body itself is not really
a huge huge problem -- And it's almost impossible to avoid it without
crippling the legitimate input for a message BODY.

Buuuuuuuuuuuuuuuuuuuuuuut:

An email address, which you are splicing into the HEADERS as the
fourth argument to PHP's http://php.net/mail function should *NOT*
have any kind of crap like this in it.

In fact, if an email contains a newline, you can pretty much assume
the user is a spammer trying to abuse your script to do Evil Things...

Actually, a "real" user might manage to have a leading/trailing
newline when they paste an email address into a web form.

Amened the preceding statement to:

If an email contains an embedded newline, they are a spammer.

So, to secure your mail() script do this:

$email = trim($_REQUEST['email']);
if (strstr($email, "\n")){
  die("spammer");
}
//now it's "safe" to send the email.

You also should sanitize the input for $subject since that ALSO gets
spliced into the headers of an email.

You could, perhaps, perform additional validation upon $email, looking
for a specific format involving @ and "dots" and so forth -- but be
warned that you are likely to inadvertantly reject valid email
addresses, and are guaranteed to accept worthless email addresses no
matter how rigorous your validation...

So I personally don't think it's wise to attempt to validate an email
address as syntactically valid "email address" for a simple form mail.

But then, I've been burned by a BUNCH of web-sites that reject MY
email address as "invalid" and am biased by that. :-)

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux