Posted by stirrell on 08/07/06 12:16
Hello Miguel,
You're right - I probably am checking more than I need to but I figured
it didn't hurt to check those inputs and I was trying to make sure I
wasn't missing anything. Here is a copy of the message from the
bounceback that I got from the server. To me, it looks like a
successful injection attempt.
Return-Path: <anonymous@arthur.website.com>
Received: (qmail 13669 invoked by uid 48); 5 Aug 2006 09:20:32 -0400
Date: 5 Aug 2006 09:20:32 -0400
Message-ID: <20060805132032.13668.qmail@arthur.website.com>
To: info@website.com
Subject: Inquiry from website Web site:
From: to@arthur.website.com
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
Subject: for the content of
in violation of applicable laws.
c38c84c3c20b7d288cf34180343fc74f
..
<egardless5451@website.com>
userName: to
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
Subject: for the content of
bcc: buletmann@aol.com
in violation of applicable laws.
---------------------------------------------------
The email message also contained this error:
Hi. This is the qmail-send program at arthur.integrastrategic.com.
I'm afraid I wasn't able to deliver your message to the following
addresses.
This is a permanent error; I've given up. Sorry it didn't work out.
<buletmann@aol.com>:
64.12.138.152 failed after I sent the message.
Remote host said: 554-: (RLY:CS4)
http://postmaster.info.aol.com/errors/554rlycs4.html
554 TRANSACTION FAILED
--------------------------------------------
Does this look like a successful injection into the From field? I check
both the email address and name for an injection attempt. Then I create
the email like this:
// Send the email
$message = "";
// Note: topic is not among the fields run through containsInjectionAttempt
$subject = "Inquiry from Web site: $_POST[topic]";
if (strlen($_POST['userName'] ?? '') > 0) {
    $message .= "Name: $_POST[userName]\n";
} // end of if
if (strlen($_POST['address'] ?? '') > 0) {
    $message .= "Address: $_POST[address]\n";
} // end of if
if (strlen($_POST['address2'] ?? '') > 0) {
    $message .= "Address 2: $_POST[address2]\n";
} // end of if
if (strlen($_POST['city'] ?? '') > 0) {
    $message .= "City: $_POST[city]\n";
} // end of if
if (strlen($_POST['state'] ?? '') > 0) {
    $message .= "State: $_POST[state]\n";
} // end of if
if (strlen($_POST['zip'] ?? '') > 0) {
    $message .= "Zip: $_POST[zip]\n";
} // end of if
if (strlen($_POST['phone'] ?? '') > 0) {
    $message .= "Phone: $_POST[phone]\n\n";
} // end of if
if (strlen($_POST['comments'] ?? '') > 0) {
    // Body text: carriage returns stripped, newlines left in place
    $message .= "Comments: ".str_replace("\r", "", $_POST['comments'])."\n";
} // end of if
if (strlen($_POST['email'] ?? '') > 0) {
    // From header built from the (injection-checked) userName and email fields
    $from = "$_POST[userName] <$_POST[email]>";
} // end of if
else {
    $from = "Website <info@website.com>";
} // end of else
$message = stripslashes($message);
mail("info@website.com", $subject, $message, "From: ".$from);
So, the from is created via the userName and email variables which are
checked with the injection check. Can anyone see a flaw that would
allow someone to create an email like the one that bounced back?
Thanks so much for your help. I really appreciate the input so far.
Sincerely,
Scott
Miguel Cruz wrote:
> stirrell@integrastrategic.com wrote:
> > One problem that I had been having is stopping email injections on
> > contact forms. I did some research, read up on it and felt like I had
> > created a working solution. I hadn't gotten any suspicious bouncebacks
> > in quite some time and got many custom alerts I had set up for
> > notifying me of injection attempts. However, just the other day, I got
> > a bounceback from an AOL address which leads me to believe that an
> > injection attempt was successful. I was hoping that someone here could
> > help me out.
> >
> > Here is the code that I am using to check for injections:
> >
> > function containsInjectionAttempt($input) {
> >     // Flag raw or URL-encoded line breaks and the header names that
> >     // would start a new header line (case-insensitive substring match)
> >     if (stripos($input, "\r") !== false ||
> >         stripos($input, "\n") !== false ||
> >         stripos($input, "%0a") !== false ||
> >         stripos($input, "%0d") !== false ||
> >         stripos($input, "Content-Type:") !== false ||
> >         stripos($input, "bcc:") !== false ||
> >         stripos($input, "to:") !== false ||
> >         stripos($input, "cc:") !== false) {
> >         return true;
> >     } // end of if
> >     else {
> >         return false;
> >     } // end of else
> > } // end of containsInjectionAttempt function
> >
> > // Check for injection attempts
> > if (containsInjectionAttempt($_POST['userName']) ||
> >     containsInjectionAttempt($_POST['address']) ||
> >     containsInjectionAttempt($_POST['address2']) ||
> >     containsInjectionAttempt($_POST['city']) ||
> >     containsInjectionAttempt($_POST['zip']) ||
> >     containsInjectionAttempt($_POST['phone']) ||
> >     containsInjectionAttempt($_POST['email'])) {
> >     // There has been an injection attempt: forward the whole submission
> >     $message = "";
> >     foreach ($_POST as $key => $value) {
> >         $message .= $key.": ".$value."\n";
> >     } // end of foreach
> >     mail("me@test.com", "Injection attempt on Web Site", $message,
> >          "From: info@website.com");
> >     $mailSuccess = 1;
> > } // end of if
> >
> > Then, if the mailSuccess variable is set to 1, it sends out the email.
> > There is also a comments textarea that I do not run through the
> > injection check. It is my (possibly incorrect?) understanding that
> > anything going into the message body does not need to be checked for an
> > injection attempt since it should not be able to affect the headers. A
> > problem with checking a textarea against the injection check would be
> > that it would mark most legitimate messages as injections since it
> > looks for \r and \n. At least this is my understanding.
>
> It looks to me like you are checking a bunch of stuff you don't need to
> - do any of userName, address, address2, city, zip, phone, or email end
> up in the headers of the message you send out? I would assume they all
> end up in the body.
>
> What you need to look at would be the stuff that does go into the
> headers - a likely suspect would be anything used to build the Subject.
>
> If you build a "From:" header from the userName or email values then you
> do need to check those.
>
> miguel
> --
> Photos from 40 countries on 5 continents: http://travel.u.nu
> Latest photos: Malaysia; Thailand; Singapore; Spain; Morocco
> Airports of the world: http://airport.u.nu
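A defender's follow-up to the question above, as an added example that is not code from this thread: every value that reaches a mail header, the topic that builds the Subject included, is rejected when it carries a raw or URL-encoded line break, and the address is validated as a single well-formed mailbox. The function names, the sample submissions and the choice of header-bound fields are assumptions based on the form fields shown in the post.

```php
<?php
// Added example, not the poster's code. Header-bound fields are rejected
// outright if they carry a line break, instead of grepping for header
// names, and the topic field that feeds the Subject is covered too.

function isHeaderSafe(string $value): bool
{
    // A raw CR/LF, or one left URL-encoded, is what lets a value start a
    // new header line, so none may appear at all. preg_match returns 0
    // only for "no match and no error".
    return preg_match('/[\r\n]|%0[aAdD]/', $value) === 0;
}

// Returns the Subject and From header values, or null when the submission
// must be treated as an injection attempt and not sent at all.
function buildContactHeaders(array $post): ?array
{
    // Assumed set of fields that end up in headers, mirroring the post.
    foreach (['topic', 'userName', 'email'] as $field) {
        if (!isHeaderSafe($post[$field] ?? '')) {
            return null;
        }
    }
    $email = $post['email'] ?? '';
    if ($email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null; // not a single well-formed address
    }
    // Keep the display name to plain characters so it cannot close the
    // angle-bracket address or smuggle a second one.
    $name = preg_replace("/[^\\w .'-]/", '', $post['userName'] ?? '');
    $from = $email !== '' ? "$name <$email>" : 'Website <info@website.com>';
    $subject = 'Inquiry from Web site: ' . ($post['topic'] ?? '');
    return ['subject' => $subject, 'from' => "From: $from"];
}

// Constructed submissions: a legitimate one, and one carrying a CRLF in the
// topic field, which the thread's original check never looked at.
$legit = buildContactHeaders([
    'topic' => 'Pricing', 'userName' => 'Jane Doe', 'email' => 'jane@example.com',
]);
$attempt = buildContactHeaders([
    'topic' => "Pricing\r\nBcc: elsewhere@example.com",
    'userName' => 'x', 'email' => 'x@example.com',
]);
var_dump($legit !== null, $attempt === null);
```

Because the check is a blanket rule on line breaks, it does not need the list of header names, and it no longer trips on body text that happens to contain "to:" or "cc:".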