
PHP mail header injections...

Discussion in 'E-mail Discussions' started by 4u123, Apr 3, 2006.

  1. 4u123

    Hi folks,

    Despite using mod_security to try and stop the onslaught of spam being sent from contact forms, we are still getting lots of this happening. I know this thread isn't specifically a cPanel issue but I think it's relevant to the community here.

    We are using this....

    SecFilterSelective ARGS_VALUES "\n[[:space:]]*(to|bcc|cc)[[:space:]]*:.*@"

    But this has had no effect - I have an example of a form that was manipulated to send spam below - can anyone tell me how they sent spam using it and how we could defend against this?


    PHP:
    <?php
    // This is the beginning of the PHP code

    #####################################################################
    #                                                                   #
    #              Contact Form Generator                               #
    #              by Robert Packer                                     #
    #              rob_packer@yahoo.com                                 #
    #              Don't forget to vote at hotscripts.com               #
    #              http://www.hotscripts.com/Detailed/30983.html        #
    #              I also subcontract larger projects                   #
    #                                                                   #
    #####################################################################

    // Every field is taken from the request as-is; nothing is sanitised.
    $name     = $_POST['name'];
    $address  = $_POST['address'];
    $state    = $_POST['state'];
    $city     = $_POST['city'];
    $zip      = $_POST['zip'];
    $country  = $_POST['country'];
    $phone    = $_POST['phone'];
    $email    = $_POST['email'];
    $comments = $_POST['comments'];
    $fax      = $_POST['fax'];
    $error_msg = "";
    $msg = "";

    if($name){
        $msg .= "Name: \t $name \n";
    }

    if($city){
        $msg .= "City: \t $city \n";
    }

    if($country){
        $msg .= "Country: \t $country \n";
    }

    if(!$email){
        $error_msg .= "Your email \n";
    }
    if($email){
        // Original used eregi(); preg_match() with /i is the same check on current PHP.
        // The pattern has no end anchor, so anything following a valid-looking address passes.
        if(!preg_match("/^[a-zA-Z0-9_\.\-]+@[a-zA-Z0-9\._\-]+\.[a-zA-Z]{2,4}/i", $email)){
            echo "\n<br>That is not a valid email address.  Please <a href=\"javascript:history.back()\">return</a> to the previous page and try again.\n<br>";
            exit;
        }
        $msg .= "Email: \t $email \n";
    }

    if($comments){
        $msg .= "Comments: \t $comments \n";
    }
    $sender_email="";

    if(!isset($name)){
        if($name == ""){
            $sender_name="Web Customer";
        }
    }else{
        $sender_name=$name;
    }
    if(!isset($email)){
        if($email == ""){
            $sender_email="Customer@website.com";
        }
    }else{
        $sender_email=$email;
    }
    if($error_msg != ""){
        echo "You didn't fill in these required fields:<br>"
            .nl2br($error_msg) .'<br>Please <a href="javascript:history.back()">return</a> to the previous page and try again.';
        exit;
    }
    $mailheaders  = "MIME-Version: 1.0\r\n";
    $mailheaders .= "Content-type: text/plain; charset=iso-8859-1\r\n";
    // $sender_name and $sender_email come straight from the form and are
    // interpolated into header lines; this is where injected headers land.
    $mailheaders .= "From: $sender_name <$sender_email>\r\n";
    $mailheaders .= "Reply-To: $sender_email <$sender_email>\r\n";
    mail("admin@highlandcathedral.org", "Contact Form Email from Scottish Communists", stripslashes($msg), $mailheaders);
    mail("galloway_s@hotmail.com", "Contact Form Email from Scottish Communists", stripslashes($msg), $mailheaders);
    echo "<html>\n<head>\n<title>Thanks For Your Submission</title>\n</head>\n<body>\n<h2>Thank you for your feedback $name</h2>\n";
    echo '<b>This is the information you submitted</b>'."<br>\n";
    echo nl2br(stripslashes($msg));
    echo '<br><br><a href="/">Back to Home page</a></body></html>';
    //This is the end of the PHP code
    ?>
     
  2. webignition

    I've noticed that one of the more common header injection techniques is to specify a Content-Type: header value in a form field.

    This results in the resulting spam message being a multipart message (most commonly containing a text/plain part and a text/html part). I imagine this is to try and confuse spam checkers by having meaningless but non-spammy content in the text/plain part and the spam payload in the text/html part.

    Consequently one way of checking for spam injection is to check for a Content-Type: style header value in form fields.

    Below are two functions I wrote just yesterday. The first, saneIs(), checks a given string for signs of header injection infection. The second, saneArray(), does the same but for a full array of values.

    The following:

    PHP:
    saneArray($_POST);
    will return true if all values are clean, otherwise it will return an array of indices whose values are not clean.

    At present saneIs() only checks for the presence of 'Content-Type: multipart/*' in fields, but it's a start. When I spot more tricks to check for I'll add them.

    I have a number of PHP form handlers mailing me the exact contents of all submissions so that I can keep an eye out for bad behaviour and update saneIs() to identify them. If others can do the same, it will surely help to identify such behaviour more quickly.

    PHP:
    function saneIs($sVal)
    {
        // Checks for the presence of header injection techniques in form fields
        // Will return true if everything is OK, otherwise false

        // Checking for content-type
        // Spam injection techniques will try and include some form of multipart content-type
        $sContentType = "/content-type:.?multipart\//i";
        if (preg_match($sContentType, $sVal)) {
            return false;
        }

        return true;
    }

    function saneArray($aUnclean)
    {
        // Checks all values in $aUnclean with saneIs()
        // Returns true if all the values in the array are clean
        // Returns an array of field indices whose values are unclean
        $aInsane = array();

        // foreach replaces the original while/list/each() loop; each() was removed in PHP 8
        foreach ($aUnclean as $key => $val) {
            if (!saneIs($val)) {
                $aInsane[sizeof($aInsane)] = $key;
            }
        }

        if (sizeof($aInsane) >= 1) {
            return $aInsane;
        }

        return true;
    }
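    As an added example (not webignition's code, nor the script from the first post): a validator that rejects the actual injection vector, a CR or LF in any field that reaches a header line, scans body fields for the header-like lines he describes, and rebuilds the From/Reply-To block with the visitor's address confined to Reply-To. The field names and noreply@example.com are placeholders.

```php
<?php
// True when $value can safely occupy a single mail header line.
function isSafeHeaderValue(string $value): bool
{
    // A CR, LF or NUL lets the value start a new header line (Bcc:, Content-Type: ...).
    if (preg_match('/[\r\n\0]/', $value)) {
        return false;
    }
    // Defence in depth: a value that itself reads as a header line is refused too.
    return !preg_match('/^\s*(to|cc|bcc|content-type|mime-version)\s*:/i', $value);
}

// Returns [field => reason] for every suspicious field in $post (empty if clean).
// $headerFields names the fields that end up in headers (From:, Reply-To:, Subject:).
function findInjection(array $post, array $headerFields): array
{
    $bad = [];
    foreach ($post as $field => $value) {
        if (!is_string($value)) {
            $bad[$field] = 'not a string';
        } elseif (in_array($field, $headerFields, true)) {
            if (!isSafeHeaderValue($value)) {
                $bad[$field] = 'CR/LF or header line in header-bound field';
            }
        } elseif (preg_match('/^\s*(content-type|bcc|cc|to)\s*:/im', $value)) {
            $bad[$field] = 'header-like line in body field'; // the multipart trick
        }
    }
    return $bad;
}

// The header block the vulnerable script built, with a fixed From: and the
// visitor's address only in Reply-To (noreply@example.com is a placeholder).
function buildHeaders(string $senderEmail): string
{
    if (filter_var($senderEmail, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid sender address');
    }
    return "MIME-Version: 1.0\r\n"
         . "Content-Type: text/plain; charset=iso-8859-1\r\n"
         . "From: Contact Form <noreply@example.com>\r\n"
         . "Reply-To: $senderEmail\r\n";
}

// Constructed submissions for demonstration, not captured traffic.
$clean = ['name' => 'Alice', 'email' => 'alice@example.com', 'comments' => "Hello,\nthanks"];
$dirty = ['name' => 'Bob', 'email' => "bob@example.com\r\nBcc: list@example.net", 'comments' => 'x'];
print_r(findInjection($clean, ['name', 'email']));
print_r(findInjection($dirty, ['name', 'email']));
```

    Only fields that are interpolated into header lines need the strict single-line rule; a multi-line comments field is legitimate body text and is merely flagged for review.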
     
  3. 4u123

    Hi,

    Although your PHP function looks very useful, from a server admin point of view it's going to be very difficult to make all of our customers change the PHP in their forms.

    I've seen a number of methods of checking the form data when it is being processed, some even log the IP of the sender if the vulnerable fields are used and email it to root, the problem is that customers don't write these form processors and most of them wouldn't know how to make changes to them.

    We need a way of stopping this from happening server-wide.
     
  4. chirpy

    The only way you're going to achieve that (server-wide "fix") is to disable the exploitable form-to-email scripts as you find them and have the users use secure scripts that properly check user input. Ultimately, it's shoddy scripting that's the cause and trying to fix it by any other means (including mod_security) is only putting a temporary fix in place where a permanent one is required - i.e. replace the script. If you're a web host, then you should make sure that your clients are aware that it is their responsibility to use secure scripts and like any other scripting requirement (like scripts that consume too many resources, compromised accounts, etc) your AUP should come into play.
     
  5. 4u123

    I agree with you chirpy and that's exactly what we are doing - but it seems with this issue a large percentage of PHP mail scripts are vulnerable to this and realistically, customers have no idea what is secure code and what isn't - especially since the PHP mail function is operating as it should do in most cases.

    Currently, as you mention, we are having to wait for a spam complaint to come in before we take action which is obviously not ideal.

    My purpose of writing this thread is to see if anyone could suggest any other options that would help alleviate this problem somewhat.
     