
Beware: spam injection

Discussion in 'General Discussion' started by panayot, Dec 3, 2005.

  1. panayot

    panayot Well-Known Member

    Joined:
    Nov 18, 2004
    Messages:
    126
    Likes Received:
    0
    Trophy Points:
    166
    Just caught a spammer exploiting one of my customers' website contact forms.

    Examples and prevention - see urls:

    http://securephp.damonkohler.com/index.php/Email_Injection

    http://www.gerd-riesselmann.net/archives/2005/09/sending-spam-through-contact-forms

    Just wondering now what to do? Go and check hundreds of customer mail scripts for vulnerabilities? Does not sound encouraging :eek:

    Was thinking of something like

    Code:
    grep -ir "from\s*:\s*[$]" /home/*
    or perhaps in mod_security check if form fields contain cc: or bcc: :confused:
    I am not very familiar with mod_security rulesets though.

    If someone has ideas on how to prevent this for all customers, please post :)
     
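The injection panayot is describing, shown as an added Python example (not code from this thread or from cPanel): a header builder that pastes the form's From field straight into the mail headers, the way a naive `mail($to, $subject, $body, "From: $from")` does, next to a hardened version that rejects CR/LF and anything that is not a single bare address. The submissions, field names and addresses are constructed for the example.

```python
import re

# Constructed sample submissions (not real traffic). The second one carries
# a line break followed by an extra header, which is the trick the thread
# describes: one submission becomes a message with recipients the form
# never offered.
CLEAN_SUBMISSION = {
    "from": "alice@example.com",
    "subject": "Question about hosting",
}
INJECTED_SUBMISSION = {
    "from": "alice@example.com\nBcc: victim1@example.org, victim2@example.org",
    "subject": "Question about hosting",
}

CRLF = re.compile(r"[\r\n]")
# Deliberately strict: one address, no display name, no folding whitespace.
BARE_ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def naive_headers(form):
    """Vulnerable: the user-supplied address is interpolated into the extra
    headers block unchanged, so an embedded newline starts a new header."""
    return "From: %s\r\nReply-To: %s\r\n" % (form["from"], form["from"])


def safe_headers(form):
    """Hardened: refuse any value containing CR or LF, and only accept a
    single bare address, before it gets anywhere near a header."""
    sender = form["from"].strip()
    if CRLF.search(sender) or not BARE_ADDRESS.match(sender):
        raise ValueError("invalid From address")
    return "From: %s\r\nReply-To: %s\r\n" % (sender, sender)


def header_names(headers):
    """Return the header names a mail transport would see in the block,
    splitting on either line ending so injected bare LFs show up too."""
    return [line.split(":", 1)[0] for line in re.split(r"\r?\n", headers) if line]


if __name__ == "__main__":
    print("naive, clean   :", header_names(naive_headers(CLEAN_SUBMISSION)))
    print("naive, injected:", header_names(naive_headers(INJECTED_SUBMISSION)))
    print("safe, clean    :", header_names(safe_headers(CLEAN_SUBMISSION)))
    try:
        safe_headers(INJECTED_SUBMISSION)
    except ValueError as exc:
        print("safe, injected : rejected (%s)" % exc)
```

The grep in the post finds scripts that interpolate a variable into a From header; the `safe_headers` check is what each of those scripts needs in front of the interpolation. Rejecting the request outright, rather than silently stripping the line breaks, also leaves a log entry to alert on.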
  2. panayot

    panayot Well-Known Member

    Joined:
    Nov 18, 2004
    Messages:
    126
    Likes Received:
    0
    Trophy Points:
    166
    Alright,

    I am so quick to answer myself :D

    mod_security:

    Code:
    #http://www.gotroot.com
    #see website for more information
    SecFilterSelective POST_PAYLOAD "Subject\:" chain
    SecFilterSelective ARG_Bcc ".*\@"
    SecFilterSelective POST_PAYLOAD "Subject\:" chain
    SecFilterSelective POST_PAYLOAD "\s*bcc\:"
    SecFilterSelective ARGS_VALUES "\n\s*bcc\:.*\@"
    taken from http://gotroot.com/tiki-index.php?page=mod_security+rules

    If I find something else helpful I will post again (just in case someone else is reading my conversation :rolleyes: )
     
  3. waiel

    waiel Member

    Joined:
    Nov 1, 2003
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    151
    Thanks,
    it helped me ^_^
     
  4. panayot

    panayot Well-Known Member

    Joined:
    Nov 18, 2004
    Messages:
    126
    Likes Received:
    0
    Trophy Points:
    166
    great :)

    I modified the example a little to also include the to: and cc: fields, and to handle both GET and POST form methods. Here is my whole modsec.user.conf:

    Code:
    SecServerSignature "Apache"
    SecFilterScanPOST On
    
    # Require Content-Length to be provided with every POST request
    SecFilterSelective REQUEST_METHOD "^POST$" chain
    SecFilterSelective HTTP_Content-Length "^$"
    
    # Don't accept transfer encodings we know we don't handle (and you don't need it anyway)
    SecFilterSelective HTTP_Transfer-Encoding "!^$"
    
    SecFilterSelective ARGS_VALUES "[[:space:]](cc|bcc|to)[[:space:]]*\:.*\@"
    
    # Protecting from XSS attacks through the PHP session cookie
    SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
    SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
    
    SecFilter "viewtopic\.php\?" chain
    SecFilter "chr\(([0-9]{1,3})\)"
    
    SecFilterSelective REQUEST_URI "(cd[[:space:]]+.+|echo[[:space:]]+.+|perl[[:space:]]+.+|python[[:space:]]+.+|rpm[[:space:]]+.+|lynx[[:space:]]+.+|links[[:space:]]+.+|mkdir[[:space:]]+.+|elinks[[:space:]]+.+|wget[[:space:]]+.+|(s|r)(cp|sh)[[:space:]]+.+|net(stat|cat)[[:space:]]+.+|rexec[[:space:]]+.+|smbclient[[:space:]]+.+|t?ftp[[:space:]]+.+|(nc)?ftp[[:space:]]+.+|curl[[:space:]]+.+|telnet[[:space:]]+.+|gcc\s+.+|cc[[:space:]]+.+|g\+\+[[:space:]]+.+|system\(|exec\(|uname[[:space:]]+-a|\.htgroup|\.htaccess|///cgi-bin|/cgi-bin///|/~root|/~ftp|/~nobody|<script)"
    
    SecFilter "javascript\://"
    SecFilter "_PHPLIB\[libdir\]"
    
    SecFilterSelective THE_REQUEST "/htgrep" chain
    SecFilter "hdr=/"
    The line for the mail injections is
    Code:
    SecFilterSelective ARGS_VALUES "[[:space:]](cc|bcc|to)[[:space:]]*\:.*\@"
     
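To see what the final ARGS_VALUES rule does and does not catch, here is an added Python example (not part of the thread, and not mod_security itself) that runs the same regular expression over a few constructed form submissions. POSIX `[[:space:]]` is written as `\s`; the pattern is compiled case-insensitively here so `BCC:` and `bcc:` are treated alike, which is a choice of this example rather than something the post states about mod_security's matching.

```python
import re

# Python rendering of the rule from the post:
#   SecFilterSelective ARGS_VALUES "[[:space:]](cc|bcc|to)[[:space:]]*\:.*\@"
# Case-insensitive matching is an assumption of this example.
MAIL_INJECTION_RULE = re.compile(r"\s(cc|bcc|to)\s*:.*@", re.IGNORECASE)


def rule_matches(value):
    """True when a single argument value would trip the rule."""
    return MAIL_INJECTION_RULE.search(value) is not None


def flagged_fields(args):
    """ARGS_VALUES covers every GET and POST argument; return the field
    names on which mod_security would reject the request."""
    return [name for name, value in args.items() if rule_matches(value)]


# Constructed sample submissions (not real traffic).
INJECTED = {
    "name": "Alice",
    "email": "alice@example.com\nBcc: someone@example.org",
    "message": "hi",
}
# Innocent text that happens to contain "to:" followed by an address.
LEGIT_BUT_FLAGGED = {
    "name": "Bob",
    "email": "bob@example.com",
    "message": "Please reply to: bob@example.com, thanks",
}
# A header keyword with nothing before it: the leading [[:space:]] in the
# rule is not satisfied, so this value passes the filter untouched.
NO_LEADING_SPACE = {
    "email": "bob@example.com",
    "cc": "cc:someone@example.org",
}


if __name__ == "__main__":
    for label, args in (("injected", INJECTED),
                        ("legit", LEGIT_BUT_FLAGGED),
                        ("no leading space", NO_LEADING_SPACE)):
        print("%-17s flagged on: %s" % (label, flagged_fields(args) or "nothing"))
```

Two things worth knowing before relying on the rule alone: the `to:` alternative will block ordinary message text such as "reply to: me@example.com", so expect some false positives from the message body field, and a value whose first characters are the header keyword is not matched at all because the rule insists on a whitespace character in front of it. The filter is a useful server-wide backstop, but the scripts themselves still need to refuse CR/LF in anything that ends up in a header.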