Abuse-Free Contact Form?

[Sindarin]

Hello, I've been recently notified by my host that several phising emails were dispathed from the server I host the sites I design in. We tried to investigate this matter and the admin came up with the result that one of the sites' contact form is being abused. He said that propably false html tags were inserted into one of the fields in order to dispatch the emails.

I am now redesigning the forms of all the sites to be spam free but need to double check on this. Found few resources on the net.

So far I have coded a script in javascript which pops up an alert when a required field is not filled in. It also checks for a valid email address.

Plus I have an html encrypting application, should I use that too?

Finally I am thinking of adding image verification if it's not much of a hassle.
Your opinions.

[tina88]

Hiya, from what you are saying I don't think the problem is missing fields. The problem is that the fields are being populated with tags. The image verification script would be good but I would also check out this link: http://www.htmlcenter.com/tutorials/...s.cfm/149/PHP/ on how to verify what is entered into form fields. Tina

[stereofrog]

Hi, welcome to the forums

Hello, I've been recently notified by my host that several phising emails were dispathed from the server I host the sites I design in.

Most probably, they're being "injected" with additional header fields.

I am now redesigning the forms of all the sites to be spam free but need to double check on this. Found few resources on the net.

Wikipedia article is a good starting point.

So far I have coded a script in javascript which pops up an alert when a required field is not filled in. It also checks for a valid email address.

You should realize that javascript doesn't protect you from any kind of attacks.

Plus I have an html encrypting application, should I use that too?

No, because "html encryption" is quite pointless in this case. They didn't exploit your html, the security problem is on the server side.

[Sindarin]

Most probably, they're being "injected" with additional header fields.

I can't understand how can they be "injected"? Actually a file that's on the server cannot be modified right?

You should realize that javascript doesn't protect you from any kind of attacks.

Could this code help against it?

PHP Code:

// Attempt to defend against header injections:
$badStrings = array("Content-Type:",
                     "MIME-Version:",
                     "Content-Transfer-Encoding:",
                     "bcc:",
                     "cc:");

// Loop through each POST'ed value and test if it contains
// one of the $badStrings:
foreach($_POST as $k => $v){
   foreach($badStrings as $v2){
       if(strpos($v, $v2) !== false){
           logBadRequest();
           header("HTTP/1.0 403 Forbidden");
               exit;
       }
   }
}    

// Made it past spammer test, free up some memory
// and continue rest of script:    
unset($k, $v, $v2, $badStrings, $authHosts, $fromArray, $wwwUsed);
?> 


Hiya, from what you are saying I don't think the problem is missing fields. The problem is that the fields are being populated with tags. The image verification script would be good but I would also check out this link

Thanks for the link.

[voodoomagic]

check and make sure all the fields that you would like to be required are present when the form is submitted, try and image verification script that would be useful.

you can spoof http requests which is probably what the guy above means be injecting form fields, meaninn they just spam the file that sends the mail, but it doesnt use your html form which is why javascript is useless.

image verifcation would be i think the best solution to prevent form spam, because computer software has to be pretty damn complex to beable to read and decode text in an image that is require for the script to run.

[Sindarin]

you can spoof http requests which is probably what the guy above means be injecting form fields, meaninn they just spam the file that sends the mail, but it doesnt use your html form which is why javascript is useless.

Then they use the php script on my server?


okay, let me be more precise, this is the php script that gets executed after the form has been submitted:

PHP Code:

<?php


$to = "info@somesite.com";


$poster = $_POST['name'];
$postemail = $_POST['email'];
$postersurname = $_POST['surname'];
$age = $_POST['age'];
$region = $_POST['region'];
$song = $_POST['song'];
$message = $_POST['message'];


    $messege = "
    <body onLoad=document.location='form_success.html' background='images/PopupBackground.gif'>";
    
    $subject = "Orange 93,2fm :: New Contact";
    $message = "
    <html>
    <head>
    <title>New Contact</title></head>
    <body><font face='Arial'><b><font face='red'>Hello, you have a new Contact</b></font><br><br>
    <b>The name/surname of the poster is:</b>  $poster <br>
    <b>The surname of the poster is:</b>  $postersurname <br>
    <b>The e-mail of the poster is:</b>  $postemail <br>
    <b>The age of the poster is:</b>  $age <br>
    <b>The region of the poster is:</b>  $region <br>
    <b>The song the poster wants to hear is:</b>  $song <br>
    <b>Message:</b> <br><br>
    $message <br><br><font color='red'>That is the end of the message.</font></body></html>";

    $headers  = "MIME-Version: 1.0\r\n";
    $headers .= "Content-type: text/html; charset=iso-8859-7\r\n";
    $headers .= "To: Contact Submit <$to> \r\n";
    $headers .= "From: $postemail <$postemail>\r\n";
    mail($to, $subject, $message, $headers);


echo "$messege";

?>

how do I exactly protect the headers there?

[stereofrog]

I can't understand how can they be "injected"? Actually a file that's on the server cannot be modified right?

Consider the following php script:

Code:

<form>
   <input name="subject">
   <textarea name="message"/>
</form>
<?
if($_POST) mail('me@myhost', $_POST['subject'], $_POST['message']);

Your visitors enter 'hi there' in 'subject' field and whatever in message box and the script sends emails like this (this is what you'd see if you click 'view source' in your email program):

Code:

Subject: hi there
To: me@myhost
<other request fields>

whatever message

Headers are separated by a newline, and message is preceded by two newlines. So far so good, right?

One dark night a big bad guy stumbles upon your site and decides to abuse your contact form. The 'subject' he's posting looks like this:

Code:

Hello
Cc: victim@innoncent.org
Cc: ceo@company.com
<1000 or more cc lines>

(note the newlines).

What happens? The email generated by your script will be

Code:

Subject: Hello
Cc: victim@innoncent.org
Cc: ceo@company.com
<1000 or more cc lines>
To: me@myhost
<other request fields>

enlarge your spam!

what effectively means *you* are sending spam to 1000 or more addresses!

This is what is called email injection. Thankfully, it's fairly easy to defend yourself. Bad boy's attack won't succeed without newlines, ergo removing them will hinder him:

Code:

<form>
   <input name="subject">
   <textarea name="message"/>
</form>
<?
if($_POST) {
   $protected_subject = preg_replace('/[\r\n]/', ' ', $_POST['subject']);
   mail('me@myhost', $protected_subject, $_POST['message']);
}

The email will be

Code:

Subject: Hello Cc: victim@innoncent.org Cc: ceo@company.com
To: me@myhost
<other request fields>

enlarge your spam!

what means you (and only) you will receive a mail with the strange subject. No problem.

Could this code help against it?

Oops, looks like I was being too fast recommending the wikipedia article. That code is useless.

[stereofrog]

Upd: didn't see your post while composing, obviously your code suffers from the problem I described, check your $postemail variable.

[Sindarin]

now I understand better. Thanks.
So I'll try to remove the newlines and see what will that do.

[Sindarin]

PHP Code:

 function check_email($postemail){
    if (eregi("^[a-z0-9]+([-_\.]?[a-z0-9])+@[a-z0-9]+([-_\.]?[a-z0-9])+\.[a-z]{2,4}", $postemail)){
    $postemail = preg_replace('/[\r\n]/', ' ', $postemail);
    return TRUE;
    } else {
    return FALSE;
    }


if (check_email($postemail))   
{
//dosomething
}
else
{
//error
} 


will this do?

[cranial-bore]

http://shaunwagner.com/projects/php/as_mail.html

You are using the $postemail value and putting it in the message headers. All the attacker has to do is add a heap of BCC: values and as well as the email going to you it goes to their list of unfortunates.

You can use the as_mail function linked above, or avoid have any user inputable fields go into the header. The email isn't really coming from the user's address, its coming from your site so you don't need their "address" in the from header.

If you're interested WikiPedia (predictably) have a article about Email Injection.

[Sindarin]

PHP Code:

        $headers  = "MIME-Version: 1.0\r\n";
    $headers .= "Content-type: text/html; charset=iso-8859-7\r\n";
    $headers .= "To: Contact Submit <$to> \r\n";
    $headers .= "From: VISITOR\r\n";
    mail($to, $subject, $message, $headers); 


So this is safer?

The as_mail looks interesting!

[stereofrog]

will this do?

No, since you don't actually change $postemail. Just add preg_replace line to your first snippet, that's all about it.

[bokehman]

PHP Code:

$headers .= "From: $postemail <$postemail>\r\n"; 


• Don't send emails that contain a From argument for which your mail exchanger is not authoritative.
• Don't ever use user supplied data for any of the header arguments of the mail function.

[Sindarin]

So will it be okay to remove it completely?

and the other I wanted to ask is: are asp scripts vulnerable to this too?

[siteguru]

http://www.sitepoint.com/forums/show...36&postcount=4

See that post.