|
|
Posted by shimmyshack on 03/26/07 15:30
On 26 Mar, 15:52, "Brian" <brian_no_s...@nrwp.co.uk> wrote:
> > look Brian, as has been said, don't be afraid to provide the link, so
> > we can actually tell you have done wrong, after all your link is
> > public already; you will have peace of mind after you fix it - if
> > indeed anything is wrong!
>
> > You should know though sessions don't provide protection, the ID is
> > sent to the user-agent to be sent straight back, that's it!
>
> > If you think you are being targeted by a human, there's little you can
> > do, as they can solve Captcha's. If you think it is automatic then you
> > have either done something wrong - named the image by the random text
> > it contains, or have the image src="image.php?random=Rt8d" both of
> > which I have seen in the wild - or perhaps you have attracted a
> > professional - someone whose script finds the captcha url and grabs
> > the image sending it off to one of his/her sites which is heavily
> > used, the captcha is then presented to a real likfe person on /that/
> > site and the answer sent back through to your site - harder.
>
> > Perhaps you can just make it harder for the script by
> > (there are accessiblity problems with the following)
> > * randomising the names of the input fields, and image url
> > * time the solving time.
> > *have the posts build up (if you are getting loads of them) dump
> > collections of them based on IP and other data colected (see below) or
> > have them emailed to you first, with a validation link at the top,
> > then have the emails go through a Bayseian antispam filter like
> > spamassasin or spampal, which learns adaptively, so you only get to
> > see stuff considered ok.
> > * have the image dynamically inserted into the DOM using a separate
> > XHR call
> > * require that the IP that makes the request for the page be the same
> > that makes the request for the image
> > * require that the page must be part of a "flow" that is don't allow
> > post from someone who requests the html and no css/script/images,
> > track their requests to ensure the browser they claim to be using
> > matches the requests made. This is like using referer but is not so
> > easily spoofed as each page takes a "breadcrumb" and stored it to
> > track the user, award point to users who continue on round your site,
> > or come from somewhere within. Using a session i nice here.
> > * in a similar way require javascript to ask questions of the
> > capability of the user, if it's a script the js will fail, so require
> > js if you need to, if they are automating firefox, download some auto
> > stuff like chicken foot/solvent etc.. and see what it takes to fuzz
> > their script. Have a fake input hidden above the real one etc...?
> > * require validation of an email address, preventing mytrashmail
> > etc...
> > * prevent the script from accepting posts if at certain times.
> > * google for latest techniques in revealing true IP, often script
> > kiddies use tor/privoxy which by itself isn't enough, ask the user-
> > agent what time they have, screen res, use google analytics for this,
> > etc..
> > * try to tag you user with persistent data objects (eg flash),
> > cookies.
> > * download a list of know proxies at start of play, and check the
> > poster's IP. (including those associated with tor)
>
> > there are loads more of course, but I think you are now thinking - man
> > it's not worth it, I'll just delete them, so write a routine that
> > gathers info on the poster, and store it in the db table or wherever
> > and use that in a where clause, you will find they come from a
> > selection of IPs which repeat, so store them.
>
> > finally, have some fun, if you suspect its an autobrowser, send a
> > bunch of CPU chewing code to gobble up their memory using javascript,
> > or maybe if you get a request from a known proxy send it
>
> > I get this kind of spam from one of my sites, they have similarites,
> > so get killed. I find it amusing how persistent, relentless and futile
> > it all is, I havent taken any of the above steps to prevent it, just
> > to see if it will ever stop of it's own accord!
>
> Hi Shimmy
>
> Thanks for all your help, you were the only one that didn't seem to go
> off on one. I didn't want to post up loads of code as I have been told
> off for doing that before, but as it's been asked for please see below.
>
> The random image thing, I don't know if there is a official name.for it,
> but I'm talking about sites that when you go to fill in a form if asks you
> to type in the number in the image, this image is randomly generated
> number
>
> Below I have put both blocks of code, 1 generates the random
> image and sets the session ID, that other processes the form, what I
> would like to know is how secure are they, can somebody hack it and
> send out spam via my site?
> Lastly can they auto submit to the process script via their own script or
> are the problems I am having being done by a human testing the scripts
> security?
> I was under the impression because the way the random image works they
> would have to be viewing the site in a browser to see the image to know what
> to past over?
>
> Thanks
>
> Brian
>
> PS Steve, thanks for the English lesson, always very helpful to have
> somebody
> take the piss out of my Dyslexia and underline the fact that I do have a
> problem,
> it makes me feel great, thank you so much
>
> MAKE IMAGE
>
> <?php
>
> include_once("mailer_conf.php"); # Import all configuration files
> $randAlpha = str_shuffle( substr(str_shuffle($listAlpha),0,$numAlpha));
> $bgNum = rand(1, $Numbgimages);
> $image = imagecreatetruecolor($image_width,$image_height);
> if ($UseBG == true) {
> $fullimage = imagecreatefromjpeg($BGPath."/background$bgNum.jpg");
> imagecopyresized($image, $fullimage, 0, 0, 0, 0, $image_width,
> $image_height, $image_width, $image_height);
> } else {
> $image_BGColour = imagecolorallocate($image, $BGColourR, $BGColourG,
> $BGColourB);
> imagefill($image, 0, 0, $image_BGColour);
> }
>
> $textColour = array();
> $colours = array();
> $charPos = 3;
> $charSpacing = round($image_width / ($numAlpha + 1));
> $colours[0] = imagecolorallocate ($image, 255,0,0); // Red
> $colours[1] = imagecolorallocate ($image, 0,355,0); // Green
> $colours[2] = imagecolorallocate ($image, 0,0,245); // Blue
> $colours[3] = imagecolorallocate ($image, 255,0,255); // Magenta
> $colours[4] = imagecolorallocate ($image, 0,0,0); // Black
>
> for($i=0; $i<$numAlpha; $i++) {
> $cnum = rand(0, 4);
> $textColour[$i] = $colours[$cnum];
> imagestring($image, $font, $charPos, rand(2,11), $randAlpha{$i},
> $textColour[$i]);
> $charPos = $charPos + $charSpacing;
> }
> session_start();
>
> $_SESSION['image_random_value'] = md5($randAlpha);
>
> header("Expires: Sat, 01 Jan 2000 05:00:00 GMT");
> header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
> header("Cache-Control: no-store, no-cache, must-revalidate");
> header("Cache-Control: post-check=0, pre-check=0", false);
> header("Pragma: no-cache");
> header('Content-type: image/jpeg');
>
> imagejpeg($image);
> imagedestroy($fullimage);
> imagedestroy($image);
>
> unset($randAlpha, $bgNum, $newheight, $newwidth, $image, $fullimage,
> $cnum, $colours);
>
> ?>
>
> PROCESS SCRIPT
>
> <?php
>
> function checkaddaddress($email) {
> // First, we check that there's one @ symbol, and that the lengths are
> right
> if (!ereg("^[^@]{1,64}@[^@]{1,255}$", $email)) {
> // Email invalid because wrong number of characters in one section,
> or wrong number of @ symbols.
> return false;
> }
> // Split it into sections to make life easier
> $email_array = explode("@", $email);
> $local_array = explode(".", $email_array[0]);
> for ($i = 0; $i <sizeof($local_array); $i++) {
> if
> (!ereg("^(([A-Za-z0-9!#$%&'*+/=?^_`{|}~-][A-Za-z0-9!#$%&'*+/=?^_`{|}~\.-]{0,63})|(\"[^(\\|\")]{0,62}\"))$",
> $local_array[$i])) {
> return false;
> }
> }
> if (!ereg("^\[?[0-9\.]+\]?$", $email_array[1])) { // Check if domain
> is IP. If not, it should be valid domain name
> $domain_array = explode(".", $email_array[1]);
> if (sizeof($domain_array) <2) {
> return false; // Not enough parts to domain
> }
> for ($i = 0; $i <sizeof($domain_array); $i++) {
> if
> (!ereg("^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za-z0-9]+))$",
> $domain_array[$i])) {
> return false;
> }
> }
> }
> return true;
> }
>
> session_start();
>
> include("mailer_conf.php"); # Import configuration files
>
> $error_msg = '';
> $_POST['image_code'] = trim($_POST['image_code']);
>
> // check for header injection from _POST
> $header_injections = array("Content-Type:", "MIME-Version:",
> "Content-Transfer-Encoding:", "bcc:", "cc:");
> foreach($_POST as $k => $v){
> $v = strtolower($v);
> foreach($header_injections as $v2){
> $v2 = strtolower($v2);
> if(strpos($_POST[$v], $v2) !== false){
> $error_msg .= $header_injection_msg."<br>";
> }
> }
> }
> // Check posted code is same as session ID
> if(($_SESSION['image_random_value'] != md5($_POST['image_code']) ||
> ($_POST['image_code'] == ""))) {
> $error_msg .= $incorrect_code_msg."<br>";
> }
> // Check email address
> if (!checkaddaddress($Email)) {
> $error_msg .= $invalid_email_msg."<br>";
> }
> // check required fields
> foreach($required_fields as $r){
> if ($_POST[$r] == '' ) {
> $missing_field .= '<li>'.$r.'</li>';
> }
> }
> // make missing field error rmessage
> if ($missing_field <> '') {
> $error_msg .= $blank_field_msg."<br>The following fields are
> missing<br><ul>".$missing_field."</ul>";
> }
> // create set of VARs from $_POST
> foreach($_POST as $k => $v){
> $$k = str_replace("\n", "<br>", $v);
> }
> // check for header injection in the above VARs
> foreach($_POST as $k => $v){
> foreach($header_injections as $replace){
> $$k = str_replace("$replace", "HEADER INJECTION", $v);
> }
> }
> // make note of users deatils
> $timedate = date("G:i:s, D F j, Y");
> $sender_info = "$timedate Sent from: " . $_SERVER['HTTP_HOST'] . "
> Remote IP: ".$_SERVER['REMOTE_ADDR'] . " Remote Host: " .
> $_SERVER['REMOTE_HOST'] . " PHP Auth User: " . $_SERVER['PHP_AUTH_USER'];
>
> include("mailer_conf.php"); # Call again to make sure the Email body has
> the right info in it
>
> if ($error_msg == '' ) {
> $to = strtolower("$to_name <$to_email>\n");
> $from = strtolower("From: $from_name <$from_email>");
> $headers = "MIME-Version: 1.0\n";
> $headers .= "Content-type: text/html; charset=iso-8859-1\n";
> $headers .= $from."\n";
> if ($cc_email <> '') {
> $headers .= strtolower("cc: $cc_name <$cc_email>\n");
> }
>
> mail($to, $form_subject, $email_body, $headers);
> echo $message_sent_msg;
> } else {
> echo $error_msg;
> }
> session_unset();
> session_destroy();
> ?>
>
> --------------------------------------------------------------------------------
> I am using the free version of SPAMfighter for private users.
> It has removed 1384 spam emails to date.
> Paying users do not have this message in their emails.
> Try SPAMfighter for free now!
I understand re going off on one but im not immune, I was doing that
yesterday and got in trouble.
The reason I asked for a URL rather than code, is that it's what the
attacker is seeing, and only then can I say.
Ive glanced at the code, although all of it's not there, there are
background images, conf files, and so on, and I cant see the markup,
etc... it looks needlessly complex re email validation reg exp)and
header injection, but as I say I cant tell how the mailer script works
or whether its vulnerable or whether its the correct way to be doing
it, or what your functionality is for the user etc.. so I cant make
any definitive statements.
however the main part of the problem will not be this processing code
but the code that /prints the markup/, and shows the form, that's the /
front/ end, and where the problems start, if you can send me the URL I
will be happy to take a look.
Navigation:
[Reply to this message]
|