Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

PHP mail header injections...

Discussion in 'E-mail Discussion' started by 4u123, Apr 3, 2006.

  1. 4u123

    4u123 Well-Known Member
    PartnerNOC

    Joined:
    Jan 2, 2006
    Messages:
    836
    Likes Received:
    13
    Trophy Points:
    168
    Hi folks,

    Despite using mod_security to try and stop the onslaught of spam being sent from contact forms, we are still getting lots of this happening. I know this threrad isnt specifically a cpanel issue but I think its relevent to the community here.

    We are using this....

    SecFilterSelective ARGS_VALUES "\n[[:space:]]*(to|bcc|cc)[[:space:]]*:.*@"

    But this has had no effect - I have an example of a form that was manipulated to send spam below - can anyone tell me how they sent spam using it and how we could defend against this ?


    PHP:
    <?
    // This is the begiinning of the PHP code

    #####################################################################
    #                                                                   #
    #              Contact Form Generator                               #
    #              by Robert Packer                                     #
    #              rob_packer@yahoo.com                                 #
    #              Don't forget to vote at hotscripts.com               #
    #              http://www.hotscripts.com/Detailed/30983.html        #
    #              I also subcontract larger projects                   #
    #                                                                   #
    #####################################################################

    $name     $_POST['name'];
    $address  $_POST['address'];
    $state    $_POST['state'];
    $city     $_POST['city'];
    $zip      $_POST['zip'];
    $country  $_POST['country'];
    $phone    $_POST['phone'];
    $email    $_POST['email'];
    $comments $_POST['comments'];
    $fax      $_POST['fax'];
    $error_msg "";
    $msg "";

    if(    $name){
            $msg .= "Name: \t $name \n";
    }

    if(    $city){
            $msg .= "City: \t $city \n";
    }

    if(    $country){
            $msg .= "Country: \t $country \n";
    }

    if(!    $email){
            $error_msg .= "Your email \n";
    }
    if(    $email){
        if(!    eregi("^[a-zA-Z0-9_\.\-]+@[a-zA-Z0-9\._\-]+\.[a-zA-Z]{2,4}"$email)){
            echo     "\n<br>That is not a valid email address.  Please <a href=\"javascript:history.back()\">return</a> to the previous page and try again.\n<br>";
            exit;
        }
            $msg .= "Email: \t $email \n";
    }

    if(    $comments){
            $msg .= "Comments: \t $comments \n";
    }
    $sender_email="";

    if(!isset(    $name)){
        if(    $name == ""){
                $sender_name="Web Customer";
        }
    }else{
            $sender_name=$name;
    }
    if(!isset(    $email)){
        if(    $email == ""){
                $sender_email="Customer@website.com";
        }
    }else{
            $sender_email=$email;
    }
    if(    $error_msg != ""){
        echo     "You didn't fill in these required fields:<br>"
            .nl2br($error_msg) .'<br>Please <a href="javascript:history.back()">return</a> to the previous page and try again.';
        exit;
    }
    $mailheaders  "MIME-Version: 1.0\r\n";
    $mailheaders .= "Content-type: text/plain; charset=iso-8859-1\r\n";
    $mailheaders .= "From: $sender_name <$sender_email>\r\n";
    $mailheaders .= "Reply-To: $sender_email <$sender_email>\r\n";
    mail("admin@highlandcathedral.org","Contact Form Email from Scottish Communists",stripslashes($msg), $mailheaders);
    mail("galloway_s@hotmail.com","Contact Form Email from Scottish Communists",stripslashes($msg), $mailheaders);
    echo     "<html>\n<head>\n<title>Thanks For Your Submission</title>\n</head>\n<body>\n<h2>Thank you for your feedback $name</h2>\n";echo '<b>This is the information you submitted</b>'."<br>\n";
    echo     nl2br(stripslashes($msg));
    echo     '<br><br><a href="/">Back to Home page</a></body></html>';
    //This is the end of the PHP code
    ?>
     
    #1 4u123, Apr 3, 2006
  2. webignition

    webignition Well-Known Member

    Joined:
    Jan 22, 2005
    Messages:
    1,880
    Likes Received:
    0
    Trophy Points:
    166
    I've noticed that one of the more common header injection techniques is to specify a Content-Type: header value in a form field.

    This results in the resulting spam message being a multipart message (most commonly containing a text/plain part and a text/html part). I imagine this is to try and confuse spam checkers by having meaningless but non-spammy content in the text/plain part and the spam payload in the text/html part.

    Consequently one way of checking for spam injection is to check for a Content-Type: style header value in form fields.

    Below are two functions I wrote just yesterday. The first, saneIs(), checks a given string for signs of header injection infection. The second, saneArray(), does the same but for a full array of values.

    The following:

    PHP:
    saneArray($_POST);
    will return true if all values are clean, otherwise it will return an array of indicies whose values are not clean.

    At present saneIs() only checks for the presence of 'Content-Type: multipart/*' in fields, but it's a start. When I spot more tricks to check for I'll add them.

    I have a number of PHP form handlers mailing me the exact contents of all submissions so that I can keep an eye out for bad behaviour and update saneIs() to identify them. If others can do the same, it will surely help to identify such behaviour more quickly.

    PHP:
        function saneIs($sVal)
        {
                // Checks for the presence of header injection techniques in form fields
            // Will return true if everything is OK, otherwise false
            
            // Checking for content-type
            // Spam injection techniques will try and include some form of multipart content-type
                $sContentType "/content-type:.?multipart\//i";
            if (    preg_match($sContentType$sVal)) {
                return     false;
            }
            
            return     true;
        }
        
        function     saneArray($aUnclean)
        {
                // Checks all values in $aUnclean with saneIs()
            // Returns true of all the values in the array are clean
            // Returns an array of field indicies whose values are unclean
            
                $aInsane = array();
            
            while (list(    $key$val) = each($aUnclean)) {
                if (!    saneIs($val)) {
                        $aInsane[sizeof($aInsane)] = $key;
                }
            }
            
            if (    sizeof($aInsane) >=1) {
                return     $aInsane;
            }
            
            return     true;        
        }
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 webignition, Apr 3, 2006
  3. 4u123

    4u123 Well-Known Member
    PartnerNOC

    Joined:
    Jan 2, 2006
    Messages:
    836
    Likes Received:
    13
    Trophy Points:
    168
    Hi,

    Although your php function looks very useful, form a server admin point of view its going to be very difficult to make all of our customers change the php in their forms.

    Ive seen a number of methods of checking the form data when it is being processed, some even log the IP of the sender if the vunerable fields are used and email it to root, the problem is that customers dont write these form processors and most of them wouldnt know how to make changes to them.

    We need a way of stopping this from happening server - wide.
     
    #3 4u123, Apr 3, 2006
  4. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,470
    Likes Received:
    21
    Trophy Points:
    463
    Location:
    Go on, have a guess
    The only way you're going to achieve that (server-wide "fix") is to disable the exploitable form to email scripts as you find them and have the users use secure scripts that properly check user input. Ultimately, it's shoddy scripting that's the cause and trying to fix it by any other means (including mod_security) is only putting a temporary fix in place where a permanent one is required - i.e. replace the script. If you're a web host, then you should make sure that your clients are aware that it is their responsibility to use secure scripts and like any other scripting requirement (like scripts that consume too much resources, compromised accounts, etc) your AUP should come into play.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #4 chirpy, Apr 3, 2006
  5. 4u123

    4u123 Well-Known Member
    PartnerNOC

    Joined:
    Jan 2, 2006
    Messages:
    836
    Likes Received:
    13
    Trophy Points:
    168
    I Agree with you chirpy and thats exactly what we are doing - but it seems with this issue a large percentage of php mail scripts are vunerable to this and realistically, customers have no idea what is secure code and what isnt - especially since the php mail function is operating as it should do in most cases.

    Currently, as you mention, we are having to wait for a spam complaint to come in before we take action which is obviousley not ideal.

    My purpose of writing this thread is to see if anyone could suggest any other options that would help alleviate this problem somewhat.
     
    #5 4u123, Apr 3, 2006
(You must log in or sign up to post here.)
Loading...
Similar Threads - mail header injections
  1. kishan giri

    Change email header from primary hostname to domain name?

    kishan giri, May 20, 2018, in forum: E-mail Discussion
    Replies:
    3
    Views:
    96
    cPanelLauren
    May 21, 2018
  2. toplisek

    X-Get-Message-Sender-Via header in email

    toplisek, Dec 8, 2017, in forum: E-mail Discussion
    Replies:
    14
    Views:
    700
    cPanelMichael
    Feb 20, 2018
  3. Frankc

    Email received without any headers at all

    Frankc, Dec 1, 2017, in forum: E-mail Discussion
    Replies:
    2
    Views:
    176
    Frankc
    Dec 6, 2017
  4. amjad.q

    Rewrite header to match actual sender for the incoming emails

    amjad.q, Nov 27, 2017, in forum: E-mail Discussion
    Replies:
    11
    Views:
    527
    cPanelMichael
    Dec 8, 2017
  5. tdot

    Remove info from email headers

    tdot, Nov 21, 2017, in forum: E-mail Discussion
    Replies:
    1
    Views:
    279
    cPanelMichael
    Nov 21, 2017

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice