  1. #1
    Member
    Join Date
    Jul 2005
    Posts
    74

    SPAM sent from php contact form...

    Hi,

    I stopped, just in time, a possible vulnerability in one of my users' scripts... one that could have made my server a SPAM sender.
    Here's the script:

    PHP Code:
    <?
    // the form fields ($subject, $name, $email, ...) arrive through register_globals
    $msg = "subject:\t$subject\n";
    $msg .= "name:\t$name\n";
    $msg .= "name2:\t$name2\n\n";
    $msg .= "company:\t$company\n";
    $msg .= "telephone:\t$telephone\n";
    $msg .= "fax:\t$fax\n\n";
    $msg .= "email:\t$email\n";
    $msg .= "url:\t$url\n";
    $msg .= "message:\t$message\n\n";

    $recipient = "customer_email@hotmail.com";
    $subject = "Form";

    $mailheaders = "From: formulaire user<contact@domain.com> \n";
    $mailheaders .= "Reply-To: $email\n\n";   // $email goes into the headers unchecked

    mail($recipient, $subject, $msg, $mailheaders);
    ?>
    A bot (or someone) attacked the script today...
    I saw a lot of emails sent from nobody@(my webserver user) to my customer's email, with the subject "Contact form domain.com".
    BUT one of these emails was also sent to another address using bcc: mhkoch321@aol.com

    I looked at the script... but didn't understand how the bot was able to send an email to a bcc... I tried a lot of things... and finally I found it:
    $mailheaders .= "Reply-To: $email\n\n";

    $email is not checked before it is used... The customer told me the worst he expected was to receive some junk in HIS mailbox.

    So the spammer was able to insert new mail headers... Here's the $email value he used:

    Code:
    email:    bfqngspb@domain.com
    Content-Type: multipart/mixed; boundary=\"===============0452749181==\"
    MIME-Version: 1.0
    Subject: 1f0d01d8
    To: bfqngspb@domain.com
    bcc: mhkoch321@aol.com
    From: bfqngspb@domain.com

    This is a multi-part message in MIME format.

    --===============0452749181==
    Content-Type: text/plain; charset=\"us-ascii\"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit

    qoevyurk
    --===============0452749181==--
    I just want to warn you... so you can check your customers' scripts, or at least be able to avoid the problem...

  2. #2
    Member
    Join Date
    Jul 2002
    Location
    Canada
    Posts
    675


    Thanks for sharing, always check your variables.

    Check the variable length as well
    Upload Guardian 2.0 - Sign up for our early beta
    ServerProgress - Server security, consulting and assistance

  3. #3
    Member serversphere's Avatar
    Join Date
    Jan 2004
    Posts
    658


    This has been going on a lot lately, so admins should be advised to check for insecure mailer scripts. Don't ignore those emails that warn you about recently uploaded mail scripts! A workaround for this would be to eliminate any CR/LF chars from your form data before sending your mail out.
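    Added example, written for this thread and not taken from any post in it: the contact-form script from post #1 rewritten so that the Reply-To header can no longer be hijacked. It applies the CR/LF rule from post #3 (refusing the request rather than silently stripping, so an attempt shows up in the log) and the length check suggested in post #2. Field names follow post #1's script; the recipient and From addresses, the length limits and the example.invalid domains are placeholders I chose.

```php
<?php
// Added example, not code from any post in this thread: the contact form from
// post #1 rewritten so the Reply-To header can no longer be hijacked. It applies
// the CR/LF rule from post #3 (refuse, rather than strip, so attempts are logged)
// and the length check from post #2. Field names follow post #1; the recipient
// and From addresses are placeholders to replace.
declare(strict_types=1);

// Returns the trimmed value, or null if it contains a line break (the one thing a
// header injection cannot do without) or exceeds $maxLength. Empty is allowed.
function clean_header_value(string $value, int $maxLength): ?string
{
    if (preg_match('/[\r\n]/', $value)) {
        return null;
    }
    $value = trim($value);
    return strlen($value) > $maxLength ? null : $value;
}

// A reply address must be one bare mailbox: no display name, no second header.
function clean_email(string $value): ?string
{
    $value = clean_header_value($value, 254);
    if ($value === null || filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $value;
}

// Builds body and headers from the posted fields; null means "reject the request".
function build_mail(array $post): ?array
{
    $email = clean_email((string)($post['email'] ?? ''));
    if ($email === null) {
        return null;
    }
    // field => maximum length (assumed limits, to match the form's maxlength)
    $fields = ['subject' => 200, 'name' => 100, 'name2' => 100, 'company' => 100,
               'telephone' => 40, 'fax' => 40, 'url' => 200];
    $lines = [];
    foreach ($fields as $field => $max) {
        $v = clean_header_value((string)($post[$field] ?? ''), $max);
        if ($v === null) {
            return null;
        }
        $lines[] = "$field:\t$v";
    }
    // The free-text message is body only, never a header, so line breaks in it
    // are harmless; just cap its size.
    $message = substr((string)($post['message'] ?? ''), 0, 5000);
    $body = implode("\n", $lines) . "\n\nmessage:\t$message\n";

    // Headers are fixed text plus the validated address. The visitor's subject
    // stays inside the body, exactly as post #1's script already does.
    $headers = "From: Contact form <contact@example.invalid>\r\n"  // placeholder
             . "Reply-To: $email\r\n";
    return ['body' => $body, 'headers' => $headers];
}

if (PHP_SAPI === 'cli') {
    // Offline self-check with a constructed value shaped like the one in post #1:
    // an address followed by an injected bcc: line must be rejected.
    $injected = "bfqngspb@example.invalid\nbcc: victim@example.invalid\n";
    $rejected = build_mail(['email' => $injected, 'message' => 'x']) === null;
    $accepted = build_mail(['email' => 'visitor@example.invalid', 'message' => 'x']) !== null;
    echo ($rejected && $accepted) ? "checks passed\n" : "checks FAILED\n";
    exit;
}

$mail = build_mail($_POST);
if ($mail === null) {
    error_log('contact form: rejected submission from ' . ($_SERVER['REMOTE_ADDR'] ?? '?'));
    http_response_code(400);
    exit('Invalid form data.');
}
mail('customer@example.invalid', 'Form', $mail['body'], $mail['headers']); // placeholder recipient
echo 'Thanks, your message was sent.';
```

    Run it from the command line (php file.php) to exercise the self-check; served by a web server it behaves as the form handler. The design choice worth noting is that nothing the visitor types is ever concatenated into a header except the one address, and that address is only accepted when it is a single mailbox with no line breaks, which is precisely what the injected value in post #1 is not.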

  4. #4
    Member
    Join Date
    Feb 2005
    Posts
    223


    Another useful technique is to make sure you have a referrer variable in the environment, so that calling the script directly without clicking through to the mail form causes it to fail. Put this at the top of your script:

    // read the referrer without a notice when the header is absent
    $referrer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
    if ($referrer == "") {
        exit;
    }

    Note that the form can no longer be used if accessed via bookmark!

    You could probably be even more specific and make sure the referrer belongs to the same domain, which would make it harder to satisfy the condition remotely.

  5. #5
    Member
    Join Date
    Jan 2005
    Posts
    1,880


    I find the easiest way is to set a session variable in the PHP script that generates a given form. The PHP script to which data is posted then checks that the session variable is set and correct. If not, it just redirects back to the PHP script that generates the form.

    This seems to quite suitably prevent people from posting directly to the form-accepting script and is decently user friendly for those who access the form-accepting script by mistake.

    Using a session variable like this may be a little more robust, as the HTTP referrer can be spoofed very easily.
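    Added example, not code posted by anyone in this thread: the session-token scheme post #5 describes, with the form and its handler in one file (the "both in one" layout asked for later in the thread). A GET renders the form and issues a fresh token into the session; a POST is accepted only if it carries that token, and the token is consumed on first use so a replayed submission bounces back to the form, just as post #5 says. The field names, recipient address and redirect target are my assumptions; random_bytes and hash_equals need PHP 7.

```php
<?php
// Added example (not from the thread): the session-token scheme of post #5,
// form and handler in one file. Recipient and field names are assumptions.
declare(strict_types=1);
session_start();

// Store a fresh unguessable token in the session and hand it to the form.
function issue_token(): string
{
    $token = bin2hex(random_bytes(16));        // 128 random bits
    $_SESSION['form_token'] = $token;
    return $token;
}

// True at most once per issued token: the stored copy is removed before the
// comparison, so a second POST with the same value fails, as does a direct POST
// from a client that never loaded the form. hash_equals avoids timing leaks.
function consume_token(?string $submitted): bool
{
    $stored = $_SESSION['form_token'] ?? null;
    unset($_SESSION['form_token']);
    return is_string($stored) && is_string($submitted) && hash_equals($stored, $submitted);
}

function render_form(string $token): string
{
    $t = htmlspecialchars($token, ENT_QUOTES, 'UTF-8');
    return <<<HTML
<form method="post" action="">
  <input type="hidden" name="token" value="$t">
  <p>Email: <input type="text" name="email" maxlength="100"></p>
  <p>Message:<br><textarea name="message" rows="5" cols="40"></textarea></p>
  <p><input type="submit" value="Send"></p>
</form>
HTML;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    echo render_form(issue_token());
    exit;
}

if (!consume_token($_POST['token'] ?? null)) {
    // Post #5's behaviour: a direct or replayed POST just gets the form again.
    header('Location: ' . strtok($_SERVER['REQUEST_URI'], '?'));
    exit;
}

// The token stops direct posting; the header check from post #1 is still
// needed, because a valid session does not make the email field safe.
$email = trim((string)($_POST['email'] ?? ''));
if (preg_match('/[\r\n]/', $email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(400);
    exit('Invalid email address.');
}
$body = substr((string)($_POST['message'] ?? ''), 0, 5000);
mail('owner@example.invalid', 'Contact form', $body, "Reply-To: $email\r\n"); // placeholder recipient
echo 'Thanks, your message was sent.';
```

    The token only proves that the same browser session loaded the form first; it says nothing about the content, so the email validation at the end is not optional. If the form is served over HTTPS, set the session cookie's secure and httponly flags in php.ini as well.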

  6. #6
    Member
    Join Date
    Jun 2004
    Posts
    102


    Isn't there a mod_security rule for this.. ?

  7. #7
    Member
    Join Date
    Dec 2003
    Posts
    18

    Please post a secure solution

    Can someone PLEASE PLEASE PLEASE post a simple solution for this ?

    form.php & mail.php OR both in one.

    I WOULD BE EVER SO GRATEFUL

  8. #8
    Member
    Join Date
    Nov 2002
    Posts
    242


    Me too

    this has become a problem again recently.

    Any tips would be appreciated.

  9. #9
    nat
    Member
    Join Date
    Jan 2003
    Posts
    210


    Over the past several days I have disabled at least over 50 scripts being used to send spam mostly to aol. All of the scripts are php scripts and are different types of php scripts. (so it isn't just one type of form-to-email script where a flaw has been discovered - it seems to be nearly all php form-to-email scripts.)

  10. #10
    BANNED
    Join Date
    Jul 2005
    Posts
    537


    Quote Originally Posted by SpringChicken
    Can someone PLEASE PLEASE PLEASE post a simple solution for this ?

    form.php & mail.php OR both in one.

    I WOULD BE EVER SO GRATEFUL
    mod_security!

  11. #11
    Member xisn's Avatar
    Join Date
    Dec 2004
    Posts
    117
    cPanel/Enkompass Access Level

    Root Administrator

    ok, here is a sample... Hope this helps!

    I too have seen this on many of my customer accounts so I went in and secured most of them by using Cookies and sessions...

    Now of course you will want to tailor these pages to meet your needs. I also left out the JavaScript to validate the form; however, once I put these pages in place, it brought it to a screeching halt..


    File Name: contact.php - This page just sets the Cookie and Session and provides the form for the users; if you don't have a session and cookie, the next page just bounces you out...

    PHP Code:
    <?php
    $value = 'THE_Contact';

    // the session has to be started before its variables can be cleared
    session_cache_limiter('nocache');
    session_start();
    //clear session variables
    session_unset();

    // cookie that contacts.php expects (and deletes)
    setcookie("THE_Cookie", $value);

    //prevents caching
    header("Expires: Mon, 26 Jul 2001 05:00:00 GMT");          // Date in the past
    header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); // Always modified
    header("Cache-Control: no-cache, must-revalidate");        // HTTP/1.1 Protocol
    header("Pragma: no-cache");

    $_SESSION['SSID'] = session_id();

    $topheader = "contact";
    ?>
    Code:
    <form name="frm_1" action="contacts.php" method="POST" onSubmit='return PostSearchForm();'>
    <input type="hidden" name="SSID" value="<?= $_SESSION['SSID']; ?>">
    <table cellpadding="4" cellspacing="0" border="0">
    <tr> 
    <td><b>First Name:</b></td>
    <td width="7px"></td>
    <td><input class="inputbox" type="TEXT" name="fname" maxlength="40"></td>
    </tr>
    <tr> 
    <td><b>Last Name:</b></td>
    <td width="7px"></td>
    <td><input class="inputbox" type="TEXT" name="lname" maxlength="40"></td>
    </tr>
    <tr> 
    <td><b>Email address:</b></td>
    <td width="7px"></td>
    <td><input class="inputbox" type="TEXT" name="cemail" maxlength="100"></td>
    </tr>
    <tr> 
    <td><b>Company:</b></td>
    <td width="7px"></td>
    <td><input class="inputbox" type="TEXT" name="cname" maxlength="100"></td>
    </tr>
    <tr> 
    <td><b>Telephone Number:</b></td>
    <td width="7px"></td>
    <td><input class="inputbox" type="TEXT" name="telno" maxlength="100"></td>
    </tr>
    <tr> 
    <td><b>Subject:</b></td>
    <td width="7px"></td>
    <td><input class="inputbox" type="TEXT" name="csubject" maxlength="60" value=""></td>
    </tr>
    <tr> 
    <td valign="TOP"><b>Message:</b><br></td>
    <td width="7px"></td>
    <td> </td>
    </tr>
    <tr> 
    <td valign="TOP" colspan="3"><textarea class="inputbox" wrap="physical" rows="5" cols="35" name="comments" maxlength="1000"></textarea> </td>
    </tr>
    <tr> 
    <td></td>
    <td width="7px"></td>
    <td>
    <p><input type="image" border="0" value="submit" src="images/submit.gif">&nbsp;&nbsp;<a href="javascript:document.frm_1.reset();"><img border="0" src="images/clear.gif"></a><input type="hidden" name="action" value="submit"></p>
    </td>
    </tr>
    </table>
    </form>
    And then next is the receiver page...

    File Name: contacts.php - This page captures the Cookie and the session, if it sees it, it deletes it! This prevents the bots and others from resubmitting over and over again. This also checks to make sure it came from a valid referrer (your server) and not a bot....

    PHP Code:
    <?php
    // without session_start() nothing in $_SESSION is available on this page
    session_start();

    if (!isset($_SESSION['count'])) {
        $_SESSION['count'] = 0;
    } else {
        $_SESSION['count']++;
    }

    if ($_SESSION['count'] > 0) {
        include('index.php');
        //echo 'Session Count too High';
        exit;
    }

    // the form is sent with method="POST", so the SSID arrives in $_POST, not $_GET
    if (isset($_POST['SSID'], $_SESSION['SSID']) && $_POST['SSID'] == $_SESSION['SSID']) {
        //Do Nothing
    } else {
        include('index.php');
        //echo 'No SSID';
        exit;
    }

    if (isset($_COOKIE['THE_Cookie'])) {
        $cookiesSet = array_keys($_COOKIE);
        for ($x = 0; $x < count($cookiesSet); $x++) setcookie($cookiesSet[$x], "", time() - 1);
    } else {
        include('index.php');
        //echo 'Cookie not set';
        exit;
    }

    // ------- variables you MUST change below  -------------------------------------------------------
    $valid_ref1 = "http://yourdomain.com/contact.php";     // change "yourdomain" to your domain
    $valid_ref2 = "http://www.yourdomain.com/contact.php"; // change "WWW.yourdomain" to your domain
    $replyemail = "admin@yourdomain.com";                  // change to your email address

    // form fields: register_globals is off on current PHP, so read them from $_POST
    $fname    = isset($_POST['fname'])    ? $_POST['fname']    : '';
    $lname    = isset($_POST['lname'])    ? $_POST['lname']    : '';
    $cemail   = isset($_POST['cemail'])   ? $_POST['cemail']   : '';
    $cname    = isset($_POST['cname'])    ? $_POST['cname']    : '';
    $telno    = isset($_POST['telno'])    ? $_POST['telno']    : '';
    $csubject = isset($_POST['csubject']) ? $_POST['csubject'] : '';
    $comments = isset($_POST['comments']) ? $_POST['comments'] : '';
    $name = $fname . ' ' . $lname;

    $REMOTE_ADDR     = isset($_SERVER['REMOTE_ADDR'])     ? $_SERVER['REMOTE_ADDR']     : '';
    $HTTP_USER_AGENT = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';

    if ($REMOTE_ADDR == "") $ip = "no ip";
    else $ip = gethostbyaddr($REMOTE_ADDR);
    $date = date("Y-m-d H:i:s");

    // ------- optional text you can change below -----------------------------------------------------
    $error_msg = 'ERROR - not sent. Try again.';

    $success_sent_msg = '<p align="center"><strong>&nbsp;</strong></p>
                       <p align="center"><strong>Your message has been successfully sent to us<br>
                       </strong> and we will reply as soon as possible.</p>
                       <p align="center">A copy of your query has been sent to you.</p>
                       <p align="center">Thank you for contacting us.</p>';

    $replymessage = "Hi $name

    Thank you for your email.

    We will reply to you shortly using the email address you provided ( $cemail ).

    Please DO NOT reply to this email.

    Below is a copy of the message you submitted:
    --------------------------------------------------
    Subject: $csubject

    --------------------------------------------------
    Message:
    $comments

    --------------------------------------------------

    Thank you

    The THE Management";

    // ----------no more changes required below here --------------------------------------------------

    // email variable not set - load $valid_ref1 page
    if (!isset($_POST['cemail']))
    {
     echo "<script language=\"JavaScript\"><!--\n ";
     echo "top.location.href = \"$valid_ref1\"; \n// --></script>";
     exit;
    }

    // $cemail and $csubject go into mail headers below: a line break in either is
    // exactly the header injection from post #1, so accept only a single plain address
    // and flatten the subject to one line
    if (preg_match('/[\r\n]/', $cemail) || !filter_var($cemail, FILTER_VALIDATE_EMAIL))
    {
     echo "<script language=\"JavaScript\"><!--\n alert(\"$error_msg\");\n";
     echo "top.location.href = \"$valid_ref1\"; \n// --></script>";
     exit;
    }
    $csubject = str_replace(array("\r", "\n"), ' ', $csubject);

    $ref_page = isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : '';
    $valid_referrer = 0;
    if ($ref_page == $valid_ref1) $valid_referrer = 1;
    elseif ($ref_page == $valid_ref2) $valid_referrer = 1;
    if (!$valid_referrer)
    {
     echo "<script language=\"JavaScript\"><!--\n alert(\"$error_msg\");\n";
     echo "top.location.href = \"$valid_ref1\"; \n// --></script>";
     exit;
    }
    $themessage = "A visitor at has left the following information\n
    Name: $name
    Company Name: $cname
    Phone Number: $telno

    The visitor commented:
    ------------------------------
    Subject: $csubject\n

    $comments

    Logged Info :
    ------------------------------
    Using: $HTTP_USER_AGENT
    Hostname: $ip
    IP address: $REMOTE_ADDR
    Date/Time:  $date";

    mail($replyemail,
         $csubject,
         $themessage,
         "From: $cemail\nReply-To: $cemail");
    mail($cemail,
         "Receipt: $csubject",
         $replymessage,
         "From: $replyemail\nReply-To: $replyemail");
    ?>

    <?php echo $success_sent_msg; ?>

    Good luck!

    -xisn

  12. #12
    Member
    Join Date
    Jun 2004
    Posts
    102


    Quote Originally Posted by Earendil
    Isn't there a mod_security rule for this.. ?

    Quote Originally Posted by jackie46
    mod_security!
    Mind sharing this rule you're using?

  13. #13
    BANNED
    Join Date
    Jul 2005
    Posts
    537


    You can do a search for mod security on this forum.

  14. #14
    Member
    Join Date
    Jun 2004
    Posts
    102


    Quote Originally Posted by jackie46
    You can do a search for mod security on this forum.
    Oddly enough I didn't find it on a prior search, guess it must've been wrong keywords.
    For everyone else: http://forums.cpanel.net/showthread.php?t=46608

  15. #15
    Member
    Join Date
    Nov 2002
    Posts
    242


    Here it is on this page for those still looking:-
    http://forums.cpanel.net/showthread....&highlight=bcc
