Reply to Re: [PHP] Is my feedback form being successfully abused?

Your name:

Reply:


Posted by Jochem Maas on 09/20/05 12:37

Chris W. Parker wrote:
> Hello,
>
> About a few weeks ago I started seeing three emails that all come at the
> same time (within the same minute) that seem to be trying to exploit a
> feedback form I have on our website. Everytime someone submits a
> feedback form I am sent the information they entered. The To and From
> address are hard coded.

that makes no difference, what the spammer is trying to do is pass
mail headers directly in the body of the email you are generating which when
passed to the SMTP server by whatever function/syscall you use will
be interpreted by the SMTP server as a seperate email to be sent.

this 'fairly recent' class of attack is already quite well documented,
google around for more info.

I don't if any mail classes out there deal with this issue for you,
I wrote a simple function to attempt to check for 'problem' message
bodies:

<?php

/* returns true if any of the values in the passed are suspect in terms
* of someone trying to hack our form based mailer to start sending people
* spam.
*
* simple example:
*
* if (emailFieldHackAttempt( $_REQUEST )) {
* die('off with thy head, spamwannabe!');
* }
*/
function emailFieldHackAttempt( $fieldVals )
{
$evilStrings = array(
'Content-Type: multipart/mixed;',
'Content-Type: text/plain;',
'boundary="',
'boundary=\\"',
'Content-Transfer-Encoding: 7bit',
"\nSubject: ",
'MIME-Version: ',
"\nbcc: ",
"\ncc: ",
"\nFrom: ",
"\nTo: ",
);

if (is_array($fieldVals) && count($fieldVals)) {
foreach ($evilStrings as $evilStr) {
foreach ($fieldVals as $k => $v) {
if (strstr($v, $evilStr) !== false) {
return true;
}
}
}
}

// nothing going on!
return false;
}

?>

any comments or improvements to this function are appreciated.

>
> Here is an example message
>
> [begin]
> == Name ==
>
> dtdegq@nonlethal.com
>
> == Agency ==
>
> dtdegq@nonlethal.com
> Content-Type: multipart/mixed; boundary="===============1815270735=="
> MIME-Version: 1.0
> Subject: a8f1a36a
> To: dtdegq@nonlethal.com
> bcc: mhkoch321@aol.com
> From: dtdegq@nonlethal.com
>
> This is a multi-part message in MIME format.
>
> --===============1815270735==
> Content-Type: text/plain; charset="us-ascii"
> MIME-Version: 1.0
> Content-Transfer-Encoding: 7bit
>
> thgfxnes
> --===============1815270735==--
>
>
> == Email ==
>
> dtdegq@nonlethal.com
>
> == Comment ==
>
> dtdegq@nonlethal.com
> [end]
>
> It seems to me that the attemped exploit is unsuccessful because I
> cannot find "dtdegq" or "mhko321" in /var/log/maillog. But I wanted to
> send this to the list in case someone knows different.
>
>
> Thanks,
> Chris.
>

[Back to original message]


Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация