  1. #1
    Member
    Join Date
    Nov 2004
    Posts
    122

    Beware: spam injection

    Just caught a spammer exploiting one of my customers' website contact forms.

    Examples and prevention - see urls:

    http://securephp.damonkohler.com/ind...mail_Injection

    http://www.gerd-riesselmann.net/arch...-contact-forms

    Just wondering now what I should do: go and check hundreds of customer mail scripts to see if they're vulnerable? Does not sound encouraging.

    Was thinking of something like

    Code:
    grep -ir "from\s*:\s*[$]" /home/*
    or perhaps in mod_security check if form fields contain cc: or bcc:
    I am not very familiar with mod_security rulesets though.

    if someone has ideas on how to prevent this for all customers, please post

  2. #2
    Member
    Join Date
    Nov 2004
    Posts
    122


    Alright,

    I am so quick to answer myself

    mod_security:

    Code:
    #http://www.gotroot.com
    #see website for more information
    SecFilterSelective POST_PAYLOAD "Subject\:" chain
    SecFilterSelective ARG_Bcc ".*\@"
    SecFilterSelective POST_PAYLOAD "Subject\:" chain
    SecFilterSelective POST_PAYLOAD "\s*bcc\:"
    SecFilterSelective ARGS_VALUES "\n\s*bcc\:.*\@"
    taken from http://gotroot.com/tiki-index.php?pa...security+rules

    If I find something else helpful I will post again (just in case someone else is reading my conversation).

  3. #3
    Member
    Join Date
    Nov 2003
    Posts
    9


    Thanks, it helped me ^_^

  4. #4
    Member
    Join Date
    Nov 2004
    Posts
    122


    great

    I modified the example a little to also include the to: and cc: fields, and to handle both GET and POST form methods. Here is my whole modsec.user.conf:

    Code:
    SecServerSignature "Apache"
    SecFilterScanPOST On
    
    # Require Content-Length to be provided with every POST request
    SecFilterSelective REQUEST_METHOD "^POST$" chain
    SecFilterSelective HTTP_Content-Length "^$"
    
    # Don't accept transfer encodings we know we don't handle (and you don't need it anyway)
    SecFilterSelective HTTP_Transfer-Encoding "!^$"
    
    SecFilterSelective ARGS_VALUES "[[:space:]](cc|bcc|to)[[:space:]]*\:.*\@"
    
    # Protecting from XSS attacks through the PHP session cookie
    SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
    SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
    
    SecFilter "viewtopic\.php\?" chain
    SecFilter "chr\(([0-9]{1,3})\)"
    
    SecFilterSelective REQUEST_URI "(cd[[:space:]]+.+|echo[[:space:]]+.+|perl[[:space:]]+.+|python[[:space:]]+.+|rpm[[:space:]]+.+|lynx[[:space:]]+.+|links[[:space:]]+.+|mkdir[[:space:]]+.+|elinks[[:space:]]+.+|wget[[:space:]]+.+|(s|r)(cp|sh)[[:space:]]+.+|net(stat|cat)[[:space:]]+.+|rexec[[:space:]]+.+|smbclient[[:space:]]+.+|t?ftp[[:space:]]+.+|(nc)?ftp[[:space:]]+.+|curl[[:space:]]+.+|telnet[[:space:]]+.+|gcc\s+.+|cc[[:space:]]+.+|g\+\+[[:space:]]+.+|system\(|exec\(|uname[[:space:]]+-a|\.htgroup|\.htaccess|///cgi-bin|/cgi-bin///|/~root|/~ftp|/~nobody|<script)"
    
    SecFilter "javascript\://"
    SecFilter "_PHPLIB\[libdir\]"
    
    SecFilterSelective THE_REQUEST "/htgrep" chain
    SecFilter "hdr=/"
    The line for the mail injection is:
    Code:
    SecFilterSelective ARGS_VALUES "[[:space:]](cc|bcc|to)[[:space:]]*\:.*\@"
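The following is an added worked example, not code posted in this thread or taken from gotroot.com. It models the vulnerability described in post #1 (user input concatenated into the header block passed to PHP's mail()), emulates the ARGS_VALUES rule from post #4 in Python's regex syntax, and places a hardened version of the form handler beside it. It assumes, as ModSecurity 1.x does, that the argument is URL-decoded before matching and that the match is case-insensitive. All sample form values are constructed for the demonstration, including the addresses and the host names.

```python
import re
from urllib.parse import unquote_plus

# Post #4's rule  SecFilterSelective ARGS_VALUES "[[:space:]](cc|bcc|to)[[:space:]]*\:.*\@"
# translated from POSIX bracket classes to Python's re. ModSecurity 1.x URL-decodes
# the argument and matches case-insensitively (assumption made explicit here).
WAF_RULE = re.compile(r"\s(cc|bcc|to)\s*:.*@", re.IGNORECASE)

# Hardening checks: a header value may never contain a line break, and the
# sender field must be a single bare address, not a list or a header fragment.
LINE_BREAK = re.compile(r"[\r\n]")
SINGLE_ADDRESS = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def waf_blocks(raw_value: str) -> bool:
    """Emulate the rule as the WAF would see one GET/POST parameter value."""
    return WAF_RULE.search(unquote_plus(raw_value)) is not None


def build_headers_vulnerable(sender: str, subject: str) -> str:
    """The classic PHP pattern  mail($to, $subject, $body, "From: $email\r\n")
    with the form fields dropped straight into the header block."""
    return f"From: {sender}\r\nSubject: {subject}\r\n"


def build_headers_hardened(sender: str, subject: str) -> str:
    """Reject (do not silently strip) anything that could start a new header
    or terminate the header block; an attacker's attempt then becomes visible."""
    if not SINGLE_ADDRESS.fullmatch(sender):
        raise ValueError("sender is not a single bare e-mail address")
    if LINE_BREAK.search(subject):
        raise ValueError("line break in subject field")
    return f"From: {sender}\r\nSubject: {subject}\r\n"


def header_injection_succeeded(headers: str) -> bool:
    """Two fields should unfold into exactly two header lines. Any extra line,
    including an empty one that ends the header block early, was injected."""
    lines = re.split(r"\r\n|\r|\n", headers.rstrip("\r\n"))
    return len(lines) != 2


def evaluate(raw_sender: str, raw_subject: str) -> dict:
    """Run one (sender, subject) pair through the WAF rule, the vulnerable
    handler and the hardened handler, and report what each one does."""
    sender, subject = unquote_plus(raw_sender), unquote_plus(raw_subject)
    try:
        build_headers_hardened(sender, subject)
        hardened_rejects = False
    except ValueError:
        hardened_rejects = True
    return {
        "waf_blocked": waf_blocks(raw_sender) or waf_blocks(raw_subject),
        "injected": header_injection_succeeded(build_headers_vulnerable(sender, subject)),
        "hardened_rejects": hardened_rejects,
    }


# Constructed form submissions (raw parameter values as they arrive on the wire).
SAMPLES = {
    "benign":      ("alice@example.com", "Question about pricing"),
    "bcc_lf":      ("alice@example.com\nBcc: spam1@example.net, spam2@example.net", "hi"),
    "cc_crlf":     ("alice@example.com", "hi\r\nCc: spam@example.net"),
    "bcc_urlenc":  ("alice%40example.com%0ABcc%3A+spam%40example.net", "hi"),
    "body_inject": ("alice@example.com", "hi\r\n\r\nBuy now: http://example.net/"),
}

if __name__ == "__main__":
    for name, (raw_sender, raw_subject) in SAMPLES.items():
        print(f"{name:12s} {evaluate(raw_sender, raw_subject)}")
```

The table this prints makes the caveat concrete: the regex stops the Cc/Bcc/To injections, including the URL-encoded one, because the WAF decodes before matching, but the "body_inject" case passes it untouched. A blank line injected into the Subject ends the header block, so the spammer's text becomes the message body without any recipient header the rule could match. The hardened handler rejects all four hostile samples because it refuses line breaks in header-bound fields outright, which is the fix to apply in the scripts themselves; the ModSecurity rule is a useful stopgap across hundreds of customer accounts, not a replacement.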
