PHP mail header injections...

4u123 · Apr 3, 2006

Hi folks,

Despite using mod_security to try and stop the onslaught of spam being sent from contact forms, we are still getting lots of this happening. I know this threrad isnt specifically a cpanel issue but I think its relevent to the community here.

We are using this....

SecFilterSelective ARGS_VALUES "\n[[:space:]]*(to|bcc|cc)[[:space:]]*:.*@"

But this has had no effect - I have an example of a form that was manipulated to send spam below - can anyone tell me how they sent spam using it and how we could defend against this ?

PHP:

<? // This is the begiinning of the PHP code ##################################################################### # # # Contact Form Generator # # by Robert Packer # # rob_packer@yahoo.com # # Don't forget to vote at hotscripts.com # # http://www.hotscripts.com/Detailed/30983.html # # I also subcontract larger projects # # # ##################################################################### $name = $_POST['name']; $address = $_POST['address']; $state = $_POST['state']; $city = $_POST['city']; $zip = $_POST['zip']; $country = $_POST['country']; $phone = $_POST['phone']; $email = $_POST['email']; $comments = $_POST['comments']; $fax = $_POST['fax']; $error_msg = ""; $msg = ""; if($name){ $msg .= "Name: \t $name \n"; } if($city){ $msg .= "City: \t $city \n"; } if($country){ $msg .= "Country: \t $country \n"; } if(!$email){ $error_msg .= "Your email \n"; } if($email){ if(!eregi("^[a-zA-Z0-9_\.\-]+@[a-zA-Z0-9\._\-]+\.[a-zA-Z]{2,4}", $email)){ echo "\n<br>That is not a valid email address. Please <a href=\"javascript:history.back()\">return</a> to the previous page and try again.\n<br>"; exit; } $msg .= "Email: \t $email \n"; } if($comments){ $msg .= "Comments: \t $comments \n"; } $sender_email=""; if(!isset($name)){ if($name == ""){ $sender_name="Web Customer"; } }else{ $sender_name=$name; } if(!isset($email)){ if($email == ""){ $sender_email="Customer@website.com"; } }else{ $sender_email=$email; } if($error_msg != ""){ echo "You didn't fill in these required fields:<br>" .nl2br($error_msg) .'<br>Please <a href="javascript:history.back()">return</a> to the previous page and try again.'; exit; } $mailheaders = "MIME-Version: 1.0\r\n"; $mailheaders .= "Content-type: text/plain; charset=iso-8859-1\r\n"; $mailheaders .= "From: $sender_name <$sender_email>\r\n"; $mailheaders .= "Reply-To: $sender_email <$sender_email>\r\n"; mail("admin@highlandcathedral.org","Contact Form Email from Scottish Communists",stripslashes($msg), $mailheaders); mail("galloway_s@hotmail.com","Contact Form Email from Scottish Communists",stripslashes($msg), $mailheaders); echo "<html>\n<head>\n<title>Thanks For Your Submission</title>\n</head>\n<body>\n<h2>Thank you for your feedback $name</h2>\n";echo '<b>This is the information you submitted</b>'."<br>\n"; echo nl2br(stripslashes($msg)); echo '<br><br><a href="/">Back to Home page</a></body></html>'; //This is the end of the PHP code ?>

webignition · Apr 3, 2006

I've noticed that one of the more common header injection techniques is to specify a Content-Type: header value in a form field.

This results in the resulting spam message being a multipart message (most commonly containing a text/plain part and a text/html part). I imagine this is to try and confuse spam checkers by having meaningless but non-spammy content in the text/plain part and the spam payload in the text/html part.

Consequently one way of checking for spam injection is to check for a Content-Type: style header value in form fields.

Below are two functions I wrote just yesterday. The first, saneIs(), checks a given string for signs of header injection infection. The second, saneArray(), does the same but for a full array of values.

The following:

PHP:

saneArray($_POST);

will return true if all values are clean, otherwise it will return an array of indicies whose values are not clean.

At present saneIs() only checks for the presence of 'Content-Type: multipart/*' in fields, but it's a start. When I spot more tricks to check for I'll add them.

I have a number of PHP form handlers mailing me the exact contents of all submissions so that I can keep an eye out for bad behaviour and update saneIs() to identify them. If others can do the same, it will surely help to identify such behaviour more quickly.

PHP:

function saneIs($sVal) { // Checks for the presence of header injection techniques in form fields // Will return true if everything is OK, otherwise false // Checking for content-type // Spam injection techniques will try and include some form of multipart content-type $sContentType = "/content-type:.?multipart\//i"; if (preg_match($sContentType, $sVal)) { return false; } return true; } function saneArray($aUnclean) { // Checks all values in $aUnclean with saneIs() // Returns true of all the values in the array are clean // Returns an array of field indicies whose values are unclean $aInsane = array(); while (list($key, $val) = each($aUnclean)) { if (!saneIs($val)) { $aInsane[sizeof($aInsane)] = $key; } } if (sizeof($aInsane) >=1) { return $aInsane; } return true; }

4u123 · Apr 3, 2006

Hi,

Although your php function looks very useful, form a server admin point of view its going to be very difficult to make all of our customers change the php in their forms.

Ive seen a number of methods of checking the form data when it is being processed, some even log the IP of the sender if the vunerable fields are used and email it to root, the problem is that customers dont write these form processors and most of them wouldnt know how to make changes to them.

We need a way of stopping this from happening server - wide.

chirpy · Apr 3, 2006

The only way you're going to achieve that (server-wide "fix") is to disable the exploitable form to email scripts as you find them and have the users use secure scripts that properly check user input. Ultimately, it's shoddy scripting that's the cause and trying to fix it by any other means (including mod_security) is only putting a temporary fix in place where a permanent one is required - i.e. replace the script. If you're a web host, then you should make sure that your clients are aware that it is their responsibility to use secure scripts and like any other scripting requirement (like scripts that consume too much resources, compromised accounts, etc) your AUP should come into play.

4u123 · Apr 3, 2006

I Agree with you chirpy and thats exactly what we are doing - but it seems with this issue a large percentage of php mail scripts are vunerable to this and realistically, customers have no idea what is secure code and what isnt - especially since the php mail function is operating as it should do in most cases.

Currently, as you mention, we are having to wait for a spam complaint to come in before we take action which is obviousley not ideal.

My purpose of writing this thread is to see if anyone could suggest any other options that would help alleviate this problem somewhat.

Forums

The Community Forums

Interact with an entire community of cPanel & WHM users!

PHP mail header injections...

4u123 Well-Known Member
PartnerNOC

webignition Well-Known Member

4u123 Well-Known Member
PartnerNOC

chirpy Well-Known Member

4u123 Well-Known Member
PartnerNOC

X-Get-Message-Sender-Via header in email

Email received without any headers at all

Rewrite header to match actual sender for the incoming emails

Remove info from email headers

MailHeaders patch with EA4

Share This Page

Useful Searches

The Community Forums

Interact with an entire community of cPanel & WHM users!

PHP mail header injections...

4u123 Well-Known Member PartnerNOC

webignition Well-Known Member

4u123 Well-Known Member PartnerNOC

chirpy Well-Known Member

4u123 Well-Known Member PartnerNOC

X-Get-Message-Sender-Via header in email

Email received without any headers at all

Rewrite header to match actual sender for the incoming emails

Remove info from email headers

MailHeaders patch with EA4

Share This Page

4u123 Well-Known Member
PartnerNOC

4u123 Well-Known Member
PartnerNOC

4u123 Well-Known Member
PartnerNOC