You might want to look into installing mod_security. With the right rules, this can be used to block certain types of malicious requests.
Forms are commonly exploited by including carriage returns and line feeds within a field, followed by data, so that the data is interpreted as the Cc and Bcc headers of an email.
Rather than relying solely on mod_security to block malicious HTTP requests, I find it's always better to fix exploitable scripts, or at least fix them to the extent that a given exploit won't work.
If I find an exploited PHP script, I add the following code to help me investigate:
PHP Code:
// Collect every POST field as "name = value" lines (foreach replaces the old each() loop,
// which is removed in PHP 8, so no reset() is needed afterwards)
$sPostContents = "";
foreach ($_POST as $key => $val) {
    $sPostContents .= $key . " = " . $val . "\n";
}
mail("example@example.com", "Post values for " . $_SERVER['HTTP_HOST'], $sPostContents);
If you place this as near to the top of the script as possible, you can get the entire form contents, field names and values, emailed to you.
You can then study what values are being used in what fields. Once you've spotted a pattern you can then add conditions to the script to check for the patterns and stop such requests.
One of the obvious things to spot is that the value of exploited fields will often contain "Content-Type: multipart/" so that a multipart message (commonly HTML and plain text parts) will be sent. The HTML part will contain the spam; the plain text part will contain some random prose to confuse spam checkers.
Here is a piece of code I recently added to a user's script to deal with something along these lines:
PHP Code:
$sNeedle = "Content-Type: multipart/";
foreach ($_POST as $key => $val) {
    // The message body may legitimately mention this string; any other field may not
    if ($key != "message" && is_string($val) && substr_count($val, $sNeedle)) {
        // Mail the full POST so the attempt can be studied, then stop before anything is sent
        mail("example@example.com", "Form exploit killed : " . ($_SERVER['HTTP_REFERER'] ?? 'no referer'), print_r($_POST, true));
        exit();
    }
}
You don't necessarily need to have it email you, but I find it helps keep track of who is doing what.
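As an added example (not the poster's script), here is a PHP version of the checks described in this post that covers both the CR/LF Cc/Bcc trick and the multipart pattern in one pass; the function names, the `message` body-field name and the sample input are my own assumptions:

```php
<?php
// Added example, not the forum poster's code: flag POST fields that look like
// mail-header injection before a form-to-mail script hands them to mail().
// Returns [fieldName => reason]; an empty array means nothing suspicious.
function detectHeaderInjection(array $fields, array $bodyFields = ['message']): array
{
    $suspect = [];
    foreach ($fields as $name => $value) {
        if (!is_string($value)) {
            continue; // array values are not header material here
        }
        // 1. CR/LF in a field copied into a header (From:, Subject:, ...) lets the
        //    sender terminate that header and append Cc:/Bcc: lines of their own.
        if (!in_array($name, $bodyFields, true) && preg_match('/[\r\n]/', $value)) {
            $suspect[$name] = 'CR/LF in header field';
            continue;
        }
        // 2. An injected MIME boundary turns the mail into the multipart spam
        //    described above (HTML spam part plus a decoy plain-text part).
        if (stripos($value, 'Content-Type: multipart/') !== false) {
            $suspect[$name] = 'injected multipart Content-Type';
            continue;
        }
        // 3. Recipient headers smuggled at the start of any line, in any field.
        if (preg_match('/^[ \t]*(cc|bcc):/im', $value)) {
            $suspect[$name] = 'injected recipient header';
        }
    }
    return $suspect;
}
// Strip anything that could end a header line before a value reaches mail().
function headerSafe(string $value): string
{
    return trim(str_replace(["\r", "\n", "\0"], '', $value));
}

// Constructed sample input: a clean name, an email with a smuggled Bcc list, and
// a message body carrying an injected multipart boundary.
$sample = [
    'name'    => 'Jane Doe',
    'email'   => "jane@example.com\r\nBcc: victim@example.net",
    'message' => "Hello\r\nContent-Type: multipart/alternative; boundary=\"x\"",
];
$hits = detectHeaderInjection($sample);
if ($hits !== []) {
    error_log('Form exploit blocked: ' . json_encode($hits)); // the poster mails themselves here
    exit;
}
$from = headerSafe($sample['name']); // only now is a field safe to place in a header
```

Run under the PHP CLI the sample above logs both the `email` and `message` fields and stops; with clean input it falls through to `headerSafe()`, which is the only path on which a field should ever reach a mail header.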