  1. #1
    SitePoint Member
    Join Date
    May 2007
    Posts
    19

    Abuse-Free Contact Form?

    Hello, I've been recently notified by my host that several phishing emails were dispatched from the server I host the sites I design in. We tried to investigate this matter and the admin came up with the result that one of the sites' contact form is being abused. He said that probably false html tags were inserted into one of the fields in order to dispatch the emails.

    I am now redesigning the forms of all the sites to be spam free but need to double check on this. Found few resources on the net.

    So far I have coded a script in javascript which pops up an alert when a required field is not filled in. It also checks for a valid email address.

    Plus I have an html encrypting application, should I use that too?

    Finally I am thinking of adding image verification if it's not much of a hassle.
    Your opinions.

  2. #2
    SitePoint Addict tina88's Avatar
    Join Date
    Jan 2007
    Location
    UK
    Posts
    270
    Hiya, from what you are saying I don't think the problem is missing fields. The problem is that the fields are being populated with tags. The image verification script would be good but I would also check out this link: http://www.htmlcenter.com/tutorials/...s.cfm/149/PHP/ on how to verify what is entered into form fields. Tina

  3. #3
    SitePoint Wizard stereofrog's Avatar
    Join Date
    Apr 2004
    Location
    germany
    Posts
    4,324
    Hi, welcome to the forums

    Originally Posted by Sindarin:
    > Hello, I've been recently notified by my host that several phishing emails were dispatched from the server I host the sites I design in.
    Most probably, they're being "injected" with additional header fields.
    > I am now redesigning the forms of all the sites to be spam free but need to double check on this. Found few resources on the net.
    Wikipedia article is a good starting point.
    > So far I have coded a script in javascript which pops up an alert when a required field is not filled in. It also checks for a valid email address.
    You should realize that javascript doesn't protect you from any kind of attacks.
    > Plus I have an html encrypting application, should I use that too?
    No, because "html encryption" is quite pointless in this case. They didn't exploit your html, the security problem is on the server side.

  4. #4
    SitePoint Member
    Join Date
    May 2007
    Posts
    19
    > Most probably, they're being "injected" with additional header fields.
    I can't understand how can they be "injected"? Actually a file that's on the server cannot be modified right?

    > You should realize that javascript doesn't protect you from any kind of attacks.
    Could this code help against it?
    PHP Code:
    <?php
    // Attempt to defend against header injections:
    $badStrings = array("Content-Type:",
                        "MIME-Version:",
                        "Content-Transfer-Encoding:",
                        "bcc:",
                        "cc:");

    // Loop through each POST'ed value and test if it contains
    // one of the $badStrings:
    foreach ($_POST as $k => $v) {
        foreach ($badStrings as $v2) {
            if (strpos($v, $v2) !== false) {
                logBadRequest();   // logging helper, not shown in the post
                header("HTTP/1.0 403 Forbidden");
                exit;
            }
        }
    }

    // Made it past spammer test, free up some memory
    // and continue rest of script:
    unset($k, $v, $v2, $badStrings, $authHosts, $fromArray, $wwwUsed);
    ?>
    > Hiya, from what you are saying I don't think the problem is missing fields. The problem is that the fields are being populated with tags. The image verification script would be good but I would also check out this link
    Thanks for the link.

  5. #5
    SitePoint Zealot
    Join Date
    Mar 2007
    Posts
    192
    Check and make sure all the fields that you would like to be required are present when the form is submitted, try an image verification script that would be useful.

    You can spoof http requests which is probably what the guy above means by injecting form fields, meaning they just spam the file that sends the mail, but it doesn't use your html form which is why javascript is useless.

    Image verification would be I think the best solution to prevent form spam, because computer software has to be pretty damn complex to be able to read and decode text in an image that is required for the script to run.

  6. #6
    SitePoint Member
    Join Date
    May 2007
    Posts
    19
    > You can spoof http requests which is probably what the guy above means by injecting form fields, meaning they just spam the file that sends the mail, but it doesn't use your html form which is why javascript is useless.
    Then they use the php script on my server?

    okay, let me be more precise, this is the php script that gets executed after the form has been submitted:

    PHP Code:
    <?php

    $to = "info@somesite.com";

    // Form fields are taken from the request exactly as submitted
    $poster = $_POST['name'];
    $postemail = $_POST['email'];
    $postersurname = $_POST['surname'];
    $age = $_POST['age'];
    $region = $_POST['region'];
    $song = $_POST['song'];
    $message = $_POST['message'];

    // Page shown to the visitor after sending (redirects to form_success.html)
    $messege = "
        <body onLoad=document.location='form_success.html' background='images/PopupBackground.gif'>";

    $subject = "Orange 93,2fm :: New Contact";

    $message = "
        <html>
        <head>
        <title>New Contact</title></head>
        <body><font face='Arial'><b><font face='red'>Hello, you have a new Contact</b></font><br><br>
        <b>The name/surname of the poster is:</b>  $poster <br>
        <b>The surname of the poster is:</b>  $postersurname <br>
        <b>The e-mail of the poster is:</b>  $postemail <br>
        <b>The age of the poster is:</b>  $age <br>
        <b>The region of the poster is:</b>  $region <br>
        <b>The song the poster wants to hear is:</b>  $song <br>
        <b>Message:</b> <br><br>
        $message <br><br><font color='red'>That is the end of the message.</font></body></html>";

    $headers  = "MIME-Version: 1.0\r\n";
    $headers .= "Content-type: text/html; charset=iso-8859-7\r\n";
    $headers .= "To: Contact Submit <$to> \r\n";
    // $postemail goes into the From header exactly as the visitor typed it
    $headers .= "From: $postemail <$postemail>\r\n";

    mail($to, $subject, $message, $headers);

    echo "$messege";

    ?>
    how do I exactly protect the headers there?

  7. #7
    SitePoint Wizard stereofrog's Avatar
    Join Date
    Apr 2004
    Location
    germany
    Posts
    4,324
    Originally Posted by Sindarin:
    > I can't understand how can they be "injected"? Actually a file that's on the server cannot be modified right?
    Consider the following php script:
    Code:
    <form method="post">
       <input name="subject">
       <textarea name="message"></textarea>
    </form>
    <?php
    // The subject is passed to mail() exactly as posted
    if($_POST) mail('me@myhost', $_POST['subject'], $_POST['message']);
    Your visitors enter 'hi there' in 'subject' field and whatever in message box and the script sends emails like this (this is what you'd see if you click 'view source' in your email program):
    Code:
    Subject: hi there
    To: me@myhost
    <other request fields>
    
    whatever message
    Headers are separated by a newline, and message is preceded by two newlines. So far so good, right?

    One dark night a big bad guy stumbles upon your site and decides to abuse your contact form. The 'subject' he's posting looks like this:
    Code:
    Hello
    Cc: victim@innoncent.org
    Cc: ceo@company.com
    <1000 or more cc lines>
    (note the newlines).

    What happens? The email generated by your script will be
    Code:
    Subject: Hello
    Cc: victim@innoncent.org
    Cc: ceo@company.com
    <1000 or more cc lines>
    To: me@myhost
    <other request fields>
    
    enlarge your spam!
    which effectively means *you* are sending spam to 1000 or more addresses!

    This is what is called email injection. Thankfully, it's fairly easy to defend yourself. Bad boy's attack won't succeed without newlines, ergo removing them will hinder him:
    Code:
    <form method="post">
       <input name="subject">
       <textarea name="message"></textarea>
    </form>
    <?php
    if($_POST) {
       // Replace CR and LF so the subject cannot start a new header line
       $protected_subject = preg_replace('/[\r\n]/', ' ', $_POST['subject']);
       mail('me@myhost', $protected_subject, $_POST['message']);
    }
    The email will be
    Code:
    Subject: Hello Cc: victim@innoncent.org Cc: ceo@company.com
    To: me@myhost
    <other request fields>
    
    enlarge your spam!
    which means you (and only you) will receive a mail with the strange subject. No problem.

    > Could this code help against it?
    Oops, looks like I was being too fast recommending the wikipedia article. That code is useless.

  8. #8
    SitePoint Wizard stereofrog's Avatar
    Join Date
    Apr 2004
    Location
    germany
    Posts
    4,324
    Upd: didn't see your post while composing, obviously your code suffers from the problem I described, check your $postemail variable.

  9. #9
    SitePoint Member
    Join Date
    May 2007
    Posts
    19
    Now I understand better. Thanks.
    So I'll try to remove the newlines and see what that will do.

  10. #10
    SitePoint Member
    Join Date
    May 2007
    Posts
    19
    PHP Code:
    function check_email($postemail){
        // eregi() was removed in PHP 7; preg_match() with the /i flag is the equivalent call
        if (preg_match('/^[a-z0-9]+([-_\.]?[a-z0-9])+@[a-z0-9]+([-_\.]?[a-z0-9])+\.[a-z]{2,4}/i', $postemail)){
            $postemail = preg_replace('/[\r\n]/', ' ', $postemail);
            return TRUE;
        } else {
            return FALSE;
        }
    }

    if (check_email($postemail))
    {
        //dosomething
    }
    else
    {
        //error
    }
    will this do?

  11. #11
    SitePoint Wizard cranial-bore's Avatar
    Join Date
    Jan 2002
    Location
    Australia
    Posts
    2,634
    http://shaunwagner.com/projects/php/as_mail.html

    You are using the $postemail value and putting it in the message headers. All the attacker has to do is add a heap of BCC: values and as well as the email going to you it goes to their list of unfortunates.

    You can use the as_mail function linked above, or avoid having any user inputable fields go into the header. The email isn't really coming from the user's address, it's coming from your site so you don't need their "address" in the from header.

    If you're interested Wikipedia (predictably) have an article about Email Injection.

  12. #12
    SitePoint Member
    Join Date
    May 2007
    Posts
    19
    PHP Code:
    $headers  = "MIME-Version: 1.0\r\n";
    $headers .= "Content-type: text/html; charset=iso-8859-7\r\n";
    $headers .= "To: Contact Submit <$to> \r\n";
    $headers .= "From: VISITOR\r\n";
    mail($to, $subject, $message, $headers);
    So this is safer?

    The as_mail looks interesting!

  13. #13
    SitePoint Wizard stereofrog's Avatar
    Join Date
    Apr 2004
    Location
    germany
    Posts
    4,324
    Originally Posted by Sindarin:
    > will this do?
    No, since you don't actually change $postemail. Just add preg_replace line to your first snippet, that's all about it.

  14. #14
    Keep it simple, stupid! bokehman's Avatar
    Join Date
    Jul 2005
    Posts
    1,933
    PHP Code:
    $headers .= "From: $postemail <$postemail>\r\n"
    • Don't send emails that contain a From argument for which your mail exchanger is not authoritative.
    • Don't ever use user supplied data for any of the header arguments of the mail function.
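
The advice from posts #7, #13 and #14 applied to the contact script, as an added example that is not code from the thread: the headers are built from constants only, and the visitor's address is checked strictly and placed in the body. SITE_FROM, the function names and the sample inputs are assumptions constructed for illustration.

```php
<?php
const SITE_TO   = 'info@somesite.com';      // recipient used in the thread's script
const SITE_FROM = 'webform@somesite.com';   // assumed: an address the site's own mail server sends for

// Pattern from post #10. It has no end anchor, so anything may follow a valid-looking prefix.
function loose_check(string $email): bool
{
    return preg_match('/^[a-z0-9]+([-_\.]?[a-z0-9])+@[a-z0-9]+([-_\.]?[a-z0-9])+\.[a-z]{2,4}/i', $email) === 1;
}

// Strict check: no CR/LF anywhere, and the whole string must be a single address.
function strict_check(string $email): bool
{
    return !preg_match('/[\r\n]/', $email)
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Returns the four mail() arguments, or null when the submission is rejected.
function build_contact_mail(array $post): ?array
{
    $email = (string)($post['email'] ?? '');
    if (!strict_check($email)) {
        return null;   // reject rather than "clean" a suspicious address
    }
    // Single-line field: collapse line breaks before it goes into the body.
    $name = preg_replace('/[\r\n]+/', ' ', (string)($post['name'] ?? ''));
    $body = "Name: $name\nE-mail: $email\n\n" . (string)($post['message'] ?? '');
    // Headers come from constants only; nothing posted is interpolated here.
    $headers = "MIME-Version: 1.0\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n"
             . 'From: Contact Form <' . SITE_FROM . '>';
    return [SITE_TO, 'New Contact', $body, $headers];
}

// Constructed sample input: an address followed by an extra header line.
$injected = "visitor@example.com\r\nBcc: someone@example.org";
// loose_check() matches the prefix and ignores the rest; strict_check() sees the line break.
var_dump(loose_check($injected), strict_check($injected));
var_dump(build_contact_mail(['email' => $injected, 'name' => 'x', 'message' => 'y']));

// Constructed benign submission: print what would be handed to mail().
$ok = build_contact_mail(['email' => 'visitor@example.com', 'name' => 'Ann', 'message' => "Hi\nthere"]);
echo $ok[3], "\n\n", $ok[2], "\n";
// mail($ok[0], $ok[1], $ok[2], $ok[3]) would send it; omitted so this runs without a mail server.
```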

  15. #15
    SitePoint Member
    Join Date
    May 2007
    Posts
    19
    So will it be okay to remove it completely?

    and the other I wanted to ask is: are asp scripts vulnerable to this too?
    Last edited by Sindarin; May 18, 2007 at 02:54.

  16. #16
    SitePoint Wizard siteguru's Avatar
    Join Date
    Oct 2002
    Location
    Scotland
    Posts
    3,609
    Ian Anderson
    www.siteguru.co.uk

