#1
In the past few days many of my sites have had their "contact us" forms hit by zombies looking to relay email. I googled the spammer's address (bergkoch8 @ AOLdotCOM) and found an interesting thread:
http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay Anyone else getting hit?

#2

ooooooooo that's a nasty one

#3

That's a very common PHP injection script. My contact us form doesn't put any user-entered stuff into the headers so it's fine.
I have a good link somewhere, will post if I can find it.

#4

huh? what? explain?

#5

#6

Ok, I've read that multiple times but I'm not a php coder so it's a bit confusing. Can someone look at this code and tell me exactly what I need to add to prevent mail() header injections?
My "contact us" html page has a simple form ( <form method="POST" action="thanks.php"> ) which passes to "thanks.php". It includes fields for "Name", "Email", "Phone", "Subject" and "Message".

Here is the "thanks.php" page's code:
Code:
<?php
$ToAddress = "info@mysite.com";
$message = "Message from web form\n";
$message .= "-------------------------------------------\n";
foreach ($_POST as $key => $value) { $message .= "$key: $value\n"; }
$message .= "-------------------------------------------\n";
// the From: header is built straight from the raw "email" form field
mail("<$ToAddress>", "Message from web", $message, "From: " . $_POST["email"]);
?>

#7

First of all that should look more like this:
Code:
<?php
$toaddress = "info@mysite.com";
$message = "Message from the web\n-------------------------------------------\n";
foreach ($_POST as $key => $value) { $message .= "$key: $value\n"; }
$message .= "-------------------------------------------\n";
$email = $_POST["email"];
// sender address goes into the body, not into a header
mail("<$toaddress>", "Message from web", "$message \nFrom: $email"); // Just how I would have it, meh..
?>

#8

thanks....can you explain how that prevents header injections?

#9

Actually, that goes farther than my range of knowledge. Never heard of header injections... lol
*searches php manual* [EDIT] Ah, I see now. It's just like SQL Injection. This is one reason I keep email related functions to email programs only and just use mailto:. There's a lot of easy ways though to stop this by just making sure there's no <, >, {, }, ", ', etc. tags in the message. Things that I don't really know how to do though. I'm not proficient in that area of php. :\
Last edited by MachineDog; 09-02-2005 at 02:42 PM.

#10

well thanks anyway, but this thread is about preventing PHP mail() header injections. Can anyone help (on-topic)?

#11

Thank you for explaining what the topic is ...he he..
So what gets prevented?? What are "they" after?? To prevent mail() header injections??? Please talk down to me, ok? I am glad I got my "contact us" page to work... do not understand ...
Last edited by tina; 09-02-2005 at 10:52 PM.

#12

Say, when you have a text box for a contact us page. They end it off by putting " in the text box real easily and continuing the function THEMSELVES, which is a total risk factor considering they can, say, actually insert entire functions in, etc.

#13

and using my mail program or name or bandwidth???

#14

Quote:
The bot the spammer is using is injecting bcc/cc into the code, something to do with a problem with \n & \r where they exploit the linefeed and carriage returns to add what they want. I know I need to strip the \n\r but have no idea how to do it and how to test to make sure it's correct. more here: http://securephp.damonkohler.com/ind...mail_Injection and here: http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay
Last edited by gdwoods; 09-03-2005 at 05:29 AM.

#15

how about
Code:
// preg_replace() needs a delimited pattern; without the slashes it only warns and returns NULL
$email = preg_replace("/\r/", "", $email);
$email = preg_replace("/\n/", "", $email);

#16

PHP Code:
Last edited by MachineDog; 09-03-2005 at 10:12 AM.

#17

Quote:

#18

My sites have also been getting these probes. All my forms log activity to a file before calling mail( ) so it has been easy to monitor. I hope my scripts have repelled them so far.
This is a serious matter and I hope HG clamps down on any weak scripts that will result in our IP addresses being blacklisted!! I wrote this for those who don't understand where to put sanitization code in your own php contact forms. The new function safermail( ) calls the standard php mail() function after cleansing the arguments. Put this piece of code at the top of your script:
Code:
<?php
function safermail($to,$subject,$body,$from)
{
// 2005 jcs
// line breaks and NUL are what let an extra header line be smuggled in
$bad = array("\n","\r","\0");
$good = "?";
// only the arguments that end up in headers are cleaned; $body keeps its newlines
$to = str_replace($bad,$good, $to);
$subject= str_replace($bad,$good, $subject);
$from = str_replace($bad,$good, $from);
$addlhdr = "From: $from\r\nReply-To: $from\r\n";
return mail ( $to, $subject, $body , $addlhdr );
}
?>
Code:
mail( "me@myhost", $subject, $body, "From: $email" );
Code:
safermail( "me@myhost", $subject, $body, $email );
Of course, to prevent yourself from becoming an easy target volume spammer, the $to argument must ALWAYS be filled with a constant (your own address) and NEVER with data from form fields!

#19

Whew!
What will be an early symptom for this kind of attack? I would like to know so I can shut down the attacked site. Thanks, Jeff

#20

There are no real symptoms. It's just an exploit. If they got into it correctly they could in fact take over the page and tell it to do whatever they want. :S If you had a generic MySQL variable such as the username, host and password, they could take those and be able to connect into the user's MySQL database under that name. Even after you rid these exploits, I recommend using a different MySQL user and password for every database. And never use your root MySQL user.

#21

Quote:
And by the way, in my case it's not a MySQL issue, my contact form doesn't even use MySQL... Thanks Jeff_s for your input, I'll give it a try...
Last edited by gdwoods; 09-04-2005 at 07:01 PM.

#22

Another way to protect a MySQL database connection is to store the connection information in a separate file and call it from a class using functions. That's a lot safer since you won't have variables that anyone could change.

#23

Is it also possible to protect the script by placing:
Code:
// eregi() was removed in PHP 7; preg_match() with the i flag is the case-insensitive equivalent
if (preg_match("/^[[:alnum:]][a-z0-9_.-]*@[a-z0-9.-]+\.[a-z]{2,4}$/i", stripslashes(trim($_POST['email'])))) {
    // the value looks like a single e-mail address
}
This should prevent anything other than one email address being added, and also strip any \r\n's in the post. Any ideas?

#24

Augh.. \r\n aren't the only problems peeps. ", ', }, {, can all be used to escape the variable..

#25

Jeff_s: thanks for your help on this. I've implemented your code and now the forms come to me blank, no bcc field anymore
You mentioned additional code that would kill the script if the fields contain CR's. I'd love to have that since I'm getting around 20 of these pesky probes per day (interestingly they're all coming from different IPs now, I guess someone puts out a "spammer's newsletter" with my sites' addresses or something)
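An added example, written for this thread and not taken from any post in it: a handler in the spirit of safermail() from #18 that refuses a submission outright when a header-bound field contains CR, LF or NUL (what #25 asks for), validates the sender address with a D-anchored pattern (the trailing-newline caveat that applies to the #23 check once it is run through preg_match) and includes the small self-test #14 asked about. The recipient constant, the field names and the example.* addresses are assumptions.

```php
<?php
// Added example, not from this thread. Field names, the recipient constant and the
// example.* addresses are assumptions; the recipient never comes from the form.
const CONTACT_TO = 'info@example.com';

// True if $value can sit on one header line: CR, LF and NUL are what let a
// single "From:" header turn into extra "Bcc:"/"Cc:" lines.
function header_safe(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 0;
}

// True if $email is exactly one plain address. The D modifier matters: without
// it "$" also matches just before a trailing "\n", so "a@b.org\n" would pass.
function valid_sender(string $email): bool
{
    return header_safe($email)
        && preg_match('/^[a-z0-9_.+-]+@[a-z0-9.-]+\.[a-z]{2,}$/iD', $email) === 1
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Returns true if the message was handed to the mailer, false if refused.
// $mailer defaults to PHP's mail(); the self-check below swaps in a recorder.
function send_contact(array $post, ?callable $mailer = null): bool
{
    $mailer = $mailer ?? 'mail';
    foreach (['email', 'subject'] as $f) {            // the fields that reach headers
        if (!isset($post[$f]) || !header_safe($post[$f])) {
            error_log("contact form: CR/LF/NUL in '$f' from " . ($_SERVER['REMOTE_ADDR'] ?? 'cli'));
            return false;                               // refuse; do not "clean" and send
        }
    }
    if (!valid_sender($post['email'])) {
        return false;
    }
    $body    = "Message from web form\nName: " . ($post['name'] ?? '') . "\n"
             . "Message:\n" . ($post['message'] ?? '') . "\n";  // body may contain newlines
    $headers = "From: {$post['email']}\r\nReply-To: {$post['email']}\r\n";
    return (bool) $mailer(CONTACT_TO, 'Web: ' . $post['subject'], $body, $headers);
}

// Self-check: a recording mailer, one clean submission and one constructed probe.
$sent = [];
$fake = function (...$args) use (&$sent): bool { $sent[] = $args; return true; };
$ok   = ['name' => 'Ann', 'email' => 'ann@example.org', 'subject' => 'Hi', 'message' => "Hello\nthere"];
$bad  = $ok;
$bad['email'] = "ann@example.org\r\nBcc: relay@example.net";   // constructed header-injection probe
if (send_contact($ok, $fake) !== true || count($sent) !== 1) { throw new RuntimeException('clean mail refused'); }
if (send_contact($bad, $fake) !== false || count($sent) !== 1) { throw new RuntimeException('probe got through'); }
```

Run it from the command line with no output expected; the two checks at the end throw if a clean submission is refused or the probe reaches the mailer.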