Simple contact form being exploited?

**321web** · Nov 17, 2005, 20:04

I have a simple contact form on my websites that allow people to contact me. Over the last few days I have seen weird things submitted, seems to be a bot. Maybe someone is trying to use the simple code to relay mail, I have no idea. How can I make the form more secure?

**LinX** · Nov 17, 2005, 20:11

Perhaps post the code you are using?

**ajferg** · Nov 17, 2005, 20:15

Yeah, we've been getting a lot of this on some of our sites too. (Started maybe a month ago?)

I think its called an 'email header inject' attack - essentially, they're trying to put:
\r\n BCC: new@email.com \r\n
into the email address, which many of us put directly into the header in an attempt to set the reply-to address or something.

Anyway, its very annoying. A quick google search of 'email header inject' brings up a fair bit of data on it.

Haven't come across a foolproof way using PHP to prevent it - I have noticed a trend that they'll often throw in abc12345@domain.com (where domain.com is your website) at some point - so I added a filter into my scripts to not send emails if it involves our own domain.

Not the best solution, but it seems okay for a quick fix.

EDIT: Just noticed this post which covers it, and solutions, in case you've got the same prob as me.

**freekrai** · Nov 17, 2005, 20:21

Here's a function that I've been using on scripts for the last while. Instead of the mail() command, use the send_mail() function here:

PHP Code:


<? 
 function  send_email($to,  $fromaddr,  $fromname,  $subject,  $message_text,  $message_html  =  "") { 
  $subject  =  preg_replace("/\nfrom\:.*?\n/i",  "",  $subject); 
  $subject  =  preg_replace("/\nbcc\:.*?\n/i",  "",  $subject); 
  $subject  =  preg_replace("/\ncc\:.*?\n/i",  "",  $subject); 
  $message_text  =  preg_replace("/\nfrom\:.*?\n/i",  "",  $message_text); 
  $message_text  =  preg_replace("/\nbcc\:.*?\n/i",  "",  $message_text); 
  $message_text  =  preg_replace("/\ncc\:.*?\n/i",  "",  $message_text); 
  $message_html  =  preg_replace("/\nfrom\:.*?\n/i",  "",  $message_html); 
  $message_html  =  preg_replace("/\nbcc\:.*?\n/i",  "",  $message_html); 
  $message_html  =  preg_replace("/\ncc\:.*?\n/i",  "",  $message_html); 
  $additional_parameters  =  "-f  $fromaddr"; 
  $headers  =  "From:  $fromname  <$fromaddr>\r\n"; 
  $headers  .=  "MIME-Version:  1.0\r\n"; 
  if($message_html  !=  "") { 
   $boundary  =  uniqid("sometext"); 
   $headers  .=  "Content-Type:  multipart/alternative;  boundary  =  $boundary\r\n\r\n"; 
   $body    =  "--$boundary\r\n"; 
   $body  .=  "Content-Type:  text/plain;  charset=ISO-8859-1\r\n"; 
   $body  .=  "Content-Transfer-Encoding:  7  bit\r\n\r\n"; 
   $body  .=  $message_text."\r\n\r\n"; 
   $body  .=  "--$boundary\r\n"; 
   $body  .=  "Content-Type:  text/html;  charset=ISO-8859-1\r\n"; 
   $body  .=  "Content-Transfer-Encoding:  t  bit\r\n\r\n"; 
   $body  .=  $message_html."\r\n\r\n"; 
  } 
  if($message_html  ==  "") { 
   $headers  .=  "Content-type:  text/plain;  charset=iso-8859-1\n"; 
   $body  =  $message_text; 
  } 
  return  mail($to,  $subject,  $body,  $headers,  $additional_parameters); 
 } 
?>

**321web** · Nov 17, 2005, 20:48

ajferg that is exactly the same thing that is heppening to me.

**-Oz-** · Nov 18, 2005, 20:58

see here: http://www.sitepoint.com/forums/show...t=contact+form
and here: http://www.sitepoint.com/forums/show...t=contact+form

**Czaries** · Nov 19, 2005, 02:31

Yeah, this has been happening to me, too. I guess it is a fairly common thing.

**bokehman** · Nov 19, 2005, 04:05

This can only happen on scripts where the writer has been to lazy to validate the form inputs. Don't worry about how it is happening, just validate each and every input. For example telephone numbers: only allow figures and spaces, names: only allow letters and spaces, email address: check against a pattern, etc.

**321web** · Nov 19, 2005, 04:42

Lazy would mean that people know and yet do nothing about it. That is not the case here.

**bokehman** · Nov 19, 2005, 04:57

Originally Posted by 321web

Lazy would mean that people know and yet do nothing about it. That is not the case here.

Validating an input should be the first thing you learn in PHP. If you don't know how to validate an input you should not be running your scripts in a live environment.

**321web** · Nov 19, 2005, 14:46

Again that doesnt mean people are lazy, it just means that they didnt know that.

My code looks like this

PHP Code:


    $msg = "Name:\t$name\n";
      $msg .= "E-mail:\t$email\n";
      $msg .= "ICQ:\t$icq\n";
      $msg .= "URL:\t$url\n";
      $msg .= "Description:\t$description\n";
      $msg .= "IP:\t$REMOTE_ADDR\n";
      
  $mailheaders = "From: $email\n";
  $mailheaders .= "Reply-To: $email\n\n";
  
  mail("webmaster@321graphics.com", "Feedback From 321Graphics.com", $msg, $mailheaders);

None of the suggestions seem to be working.

**PHPCamp.com** · Nov 19, 2005, 23:09

I host several hundred sites using common code including a guestbook and contact form. Last year a bot started posting to a bunch of guestbooks and contact forms. I got around it by limiting submissions by IP address and forcing confirmation emails for the original message to go through. It's been working for a year and the mass posting has stopped. As for sending bogus headers, validating input is the best method. Good luck.

**321web** · Nov 21, 2005, 23:58

Anyone want to try and secure the code I specified above? I'll give you a cookie :-)

Once I see it done I can better understand it and apply it to other forms. I have tried the other code specified as fixes but they dont seem to work on my site as the injections just keep coming.

**Czaries** · Nov 23, 2005, 12:20

Just because our forms are being hit does not mean we do not validate the input... It just means a bot or a person visited the form and tried it. I DO validate my input - I was just wondering about the source of the attacks and if anyone else was getting them.

**321web** · Nov 23, 2005, 19:15

Apprently I do not validate as well as I should be. Still awaiting some insight. Thanks again guys.

**bokehman** · Nov 24, 2005, 04:25

Originally Posted by 321web

Apprently I do not validate as well as I should be. Still awaiting some insight. Thanks again guys.

If you validate your input for what is should contain rather than shouldn't contain you should not be vunerable to any type of attack.

**321web** · Nov 24, 2005, 12:21

Other than an email address any message could contain any type of character, so I am not sure what you mean. How can you validate a comment or suggestion some one might be sending.

Seems to me like you need to check for what shouldnt be there, and I am not even sure of that, as I dont know what the heck people are trying to do nor do I know how they are doing it. But stopping them would be nice.

**Beansprout** · Nov 24, 2005, 14:06

Strip out all \r and \n squences from the input and you'll be fine. Easy. But also the bare minimum in terms of validation really.

**321web** · Nov 28, 2005, 17:12

Apparently this is a bot that searches the net for unsecure scripts.
http://www.nyphp.org/phundamentals/e..._injection.php

**321web** · Dec 4, 2005, 15:20

I have heard that this bot targets commonly used form names such as contact.php or feedback.php, can anyone confirm being hit by it with an uncommon named page?

**ajferg** · Dec 4, 2005, 16:30

We've had hits on a file named 'email-to-a-friend.php'. Chances are, the bot also looks for keywords like 'contact' or 'email' in the filename. So files like 'contact-companyname.php' would also be targetted.

Or hell, it could be just looking for <form> tags on all pages it finds!

**321web** · Dec 4, 2005, 17:17

I am conducting a test now...changed form to f33dback.php, we will see what happens.

**bjcffnet** · Dec 6, 2005, 20:27

Originally Posted by 321web

Again that doesnt mean people are lazy, it just means that they didnt know that.

My code looks like this

PHP Code:


    $msg = "Name:\t$name\n";

      $msg .= "E-mail:\t$email\n";

      $msg .= "ICQ:\t$icq\n";

      $msg .= "URL:\t$url\n";

      $msg .= "Description:\t$description\n";

      $msg .= "IP:\t$REMOTE_ADDR\n";

      

  $mailheaders = "From: $email\n";

  $mailheaders .= "Reply-To: $email\n\n";

  

  mail("webmaster@321graphics.com", "Feedback From 321Graphics.com", $msg, $mailheaders);

None of the suggestions seem to be working.

I'm going to be using these two functions throughout, so paste it in the page or include it in a file. Doesn't really matter.

PHP Code:


function valid($email, $debug = false)

{

    // valid structure??

    if (!preg_match('~^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$~', $email)) {

        if ($debug) {

            trigger_error('Email address not valid structure in valid()');

        }



        return false;

    }



    // get the username and the domain into seperate parts

    list($username, $domain) = explode('@', $email);



    // use getmxrr() to try to get the ip of the mail host

    // you can remove the function_exists(...) if you know you won't be running on windows

    if (function_exists('getmxrr') && getmxrr($domain, $mxhost)) {

        $connectaddress = $mxhost[0];

    } else {

        if ($debug) {

            trigger_error('Couldn\'t use getmxrr() in valid()');

        }



        // fall back on the domain

        $connectaddress = $domain;

    }



    // connect to SMTP server of the connectaddress

    $connect = fsockopen($connectaddress, 25, $no, $str, 15);



    // validate connect

    if ($connect) {

        // match the 220 response code

        if (preg_match('|^220|', $out = fgets($connect, 1024))) {

            // hi! (tell the smtp server that)

            fputs ($connect, 'HELO ' . $connectaddress . "\r\n");

            $out = fgets($connect, 1024);



            // see if its a valid user

            fputs($connect, 'MAIL FROM: <' . $email . '>' . "\r\n");

            $from = fgets($connect, 1024);



            // ... twice ...

            fputs ($connect, 'RCPT TO: <' . $email . '>' . "\r\n");

            $to = fgets ($connect, 1024);



            // quit and close

            fputs ($connect, 'QUIT' . "\r\n");

            fclose($connect);



            // see if 250 was resonded

            if (!preg_match('!^250!', $from) || !preg_match('!^250!', $to)) {

                if ($debug) {

                    trigger_error('No 250 response code (e.g. not a valid user) in valid()');

                }



                return false;

            }

        } else {

            if ($debug) {

                trigger_error('No 220 response code in valid()');

            }



            // no 220 response code

            return false;

        }

    } else {

        if ($debug) {

            trigger_error('Couldn\'t connect to ' . $connectaddress . ':25 in valid()');

        }



        // no connect

        return false;

    }



    // what??? OMGOMGOMGOMGOMGOMG!!!1!!one!1!

    return true;

}



// returns everything before any new lines (e.g. the user can't put in their own bcc or cc headers by putting in new lines)

function b4nl($var)

{

    return preg_replace("!^(.+)(\r|\n).+$!isU", '$1', $var);

}

Here's the secured (to me) code:

PHP Code:


<?php

// holds all the errors

$errors = array();



if (isset($email)) {

    // remove new lines

    $email = b4nl($email);



    // check if its valid

    if (valid($email)) {

        $clean['email'] = $email;

    } else {

        $errors[] = 'Invalid email: ' . $email;

    }

} else {

    $errors[] = 'Your email was not present or empty';

}



// this reduces the amount of code by a few lines ;)

// this strips all new lines away from the variables,

// so I didn't put description in here

foreach (array('name', 'icq', 'url') as $var) {

    // $$var would translate into something like $name or $icq

    $$var = b4nl($var);



    // check that it exists and is not empty

    if (!isset($$var) || empty(trim($$var))) {

        $errors[] = 'Your' . $var . ' was not present or empty';

    } else {

        // it's clean

        $clean[$var] = $$var;

    }

}



if (!isset($description) || empty(trim($description))) {

    $errors[] = 'Your' . $var . ' was not present or empty';

} else {

    $clean['description'] = $description;

}



// more thorough, i guess?

if (isset($_SERVER['X_FORWARDED_FOR']) && !empty(trim($_SERVER['X_FORWARDED_FOR'])) {

    $ip = $_SERVER['X_FORWARDED_FOR'];

} else {

    $ip = $_SERVER['REMOTE_ADDR'];

}



// this detects if there are any errors.

// you should probably change the styling around a bit, but...

if (count($errors) > 0) {

    echo 'A few errors occured:<ul>';



    foreach ($errors) {

        echo '<li>' . $errors . "</li>\r\n";

    }



    echo '</ul>';

}



// construct the message

$msg  = "Name:\t" . $clean['name'] . "\nE-mail:\t" . $clean['email'] . "\nICQ:\t" . $clean['icq'];

$msg .= "\nURL:\t" . $clean['url'] . "\nDescription:\t" . $clean['description'] . "\nIP:\t" . $ip . "\n";



// construct the headers.

$headers = 'From: ' . $clean['email'] . "\r\nReply-To:" . $clean['email'] . "\r\n\r\n";



// you should probably change the error message here

mail('webmaster@321graphics.com', 'Feedback From 321Graphics.com', $msg, $headers) or echo 'Couldn\'t send mail...';

**materix** · Dec 23, 2005, 08:49

Here is a good article about building a secure contact form: http://www.phpnerds.com/article/buil...e-contact-form

User Tag List

Thread: Simple contact form being exploited?

Thread Tools

Display

Simple contact form being exploited?

Bookmarks

Bookmarks

Posting Permissions