The Community Forums

Interact with an entire community of cPanel & WHM users!

Beware: spam injection

Discussion in 'General Discussion' started by panayot, Dec 3, 2005.

  1. panayot

    panayot Well-Known Member

    Just caught a spammer exploiting one of my customers' website contact forms.

    Examples and prevention - see urls:

    http://securephp.damonkohler.com/index.php/Email_Injection

    http://www.gerd-riesselmann.net/archives/2005/09/sending-spam-through-contact-forms

    Just wondering now what I should do? Go and check hundreds of customer mail scripts to see if they are vulnerable? Does not sound encouraging :eek:

    Was thinking of something like

    Code:
    grep -ir "from\s*:\s*[$]" /home/*
    or perhaps checking in mod_security whether form fields contain cc: or bcc: :confused:
    I am not very familiar with mod_security rulesets though.

    If someone has ideas on how to prevent this for all customers, please post :)
     
  2. panayot

    panayot Well-Known Member

    Alright,

    I am so quick to answer myself :D

    mod_security:

    Code:
    #http://www.gotroot.com
    #see website for more information
    SecFilterSelective POST_PAYLOAD "Subject\:" chain
    SecFilterSelective ARG_Bcc ".*\@"
    SecFilterSelective POST_PAYLOAD "Subject\:" chain
    SecFilterSelective POST_PAYLOAD "\s*bcc\:"
    SecFilterSelective ARGS_VALUES "\n\s*bcc\:.*\@"
    taken from http://gotroot.com/tiki-index.php?page=mod_security+rules

    If I find something else helpful I will post again (just in case someone else is reading my conversation :rolleyes: )
     
  3. waiel

    waiel Member

    Thanks
    it helped me ^_^
     
  4. panayot

    panayot Well-Known Member

    great :)

    I modified the example a little to also include the to: and cc: fields, and to handle both GET and POST form methods. Here is my whole modsec.user.conf:

    Code:
    SecServerSignature "Apache"
    SecFilterScanPOST On
    
    # Require Content-Length to be provided with every POST request
    SecFilterSelective REQUEST_METHOD "^POST$" chain
    SecFilterSelective HTTP_Content-Length "^$"
    
    # Don't accept transfer encodings we know we don't handle (and you don't need it anyway)
    SecFilterSelective HTTP_Transfer-Encoding "!^$"
    
    SecFilterSelective ARGS_VALUES "[[:space:]](cc|bcc|to)[[:space:]]*\:.*\@"
    
    # Protecting from XSS attacks through the PHP session cookie
    SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
    SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
    
    SecFilter "viewtopic\.php\?" chain
    SecFilter "chr\(([0-9]{1,3})\)"
    
    SecFilterSelective REQUEST_URI "(cd[[:space:]]+.+|echo[[:space:]]+.+|perl[[:space:]]+.+|python[[:space:]]+.+|rpm[[:space:]]+.+|lynx[[:space:]]+.+|links[[:space:]]+.+|mkdir[[:space:]]+.+|elinks[[:space:]]+.+|wget[[:space:]]+.+|(s|r)(cp|sh)[[:space:]]+.+|net(stat|cat)[[:space:]]+.+|rexec[[:space:]]+.+|smbclient[[:space:]]+.+|t?ftp[[:space:]]+.+|(nc)?ftp[[:space:]]+.+|curl[[:space:]]+.+|telnet[[:space:]]+.+|gcc\s+.+|cc[[:space:]]+.+|g\+\+[[:space:]]+.+|system\(|exec\(|uname[[:space:]]+-a|\.htgroup|\.htaccess|///cgi-bin|/cgi-bin///|/~root|/~ftp|/~nobody|<script)"
    
    SecFilter "javascript\://"
    SecFilter "_PHPLIB\[libdir\]"
    
    SecFilterSelective THE_REQUEST "/htgrep" chain
    SecFilter "hdr=/"
    The line for the mail injections is
    Code:
    SecFilterSelective ARGS_VALUES "[[:space:]](cc|bcc|to)[[:space:]]*\:.*\@"
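    As an added example (not code from this thread or from gotroot), here is that ARGS_VALUES rule reproduced as a Python check over constructed form submissions, next to the application-side fix a contact script itself should apply: rejecting any line break in a value that ends up in a mail header. The field names in HEADER_FIELDS and the sample bodies are assumptions made for the example; case-insensitive matching is also this example's choice, since mail header names are case-insensitive.

```python
import re
from urllib.parse import parse_qs

# The thread's mod_security pattern, rewritten for Python's re ([[:space:]] -> \s).
# mod_security matches ARGS_VALUES after URL decoding; parse_qs does that below.
# Case-insensitive matching is this example's choice (header names are case-insensitive).
INJECTION_RE = re.compile(r"\s(cc|bcc|to)\s*:.*@", re.IGNORECASE)

# Fields a typical contact script copies into mail headers (assumption for this example).
HEADER_FIELDS = ("from", "subject", "name")


def decode_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into {field: value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def flagged_fields(fields: dict) -> list:
    """WAF-style check: names of the fields the thread's regex would flag."""
    return [name for name, value in fields.items() if INJECTION_RE.search(value)]


def header_safe(value: str) -> bool:
    """Application-side fix: a value bound for a mail header may not contain a
    CR or LF, because a line break is what lets extra headers be appended."""
    return "\r" not in value and "\n" not in value


def unsafe_header_fields(fields: dict) -> list:
    """Header-bound fields the contact script should refuse to send."""
    return [name for name in HEADER_FIELDS
            if name in fields and not header_safe(fields[name])]


# Constructed sample submissions (not real traffic).
LEGIT_BODY = "from=alice%40example.org&subject=Quote+request&message=Hello%2C+how+much%3F"
INJECTED_BODY = ("from=alice%40example.org%0ABcc%3Aspam-target%40example.net"
                 "&subject=Hi&message=buy+now")
# A stray CRLF with nothing after it: the regex needs a header name and an '@',
# so the WAF rule passes it, while the application check still rejects it.
BARE_NEWLINE_BODY = "from=alice%40example.org%0D%0A&subject=Hi&message=x"

if __name__ == "__main__":
    for label, body in (("legit", LEGIT_BODY), ("injected", INJECTED_BODY),
                        ("bare newline", BARE_NEWLINE_BODY)):
        fields = decode_form(body)
        print(label, "| regex flags:", flagged_fields(fields),
              "| header check rejects:", unsafe_header_fields(fields))
```

    The difference on the third sample is the practical caveat: the WAF rule catches the spammer's pattern, but only the script's own line-break check closes the hole for inputs the regex does not anticipate.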
     