The Community Forums


SPAM sent from php contact form...

Discussion in 'General Discussion' started by fred123123, Sep 22, 2005.

  1. fred123123

    fred123123 Well-Known Member

    Joined:
    Jul 23, 2005
    Messages:
    74
    Likes Received:
    0
    Trophy Points:
    6
    Hi,

    I stopped, just in time, a possible vulnerability in one of my users' scripts... one that could make my server a SPAM sender :eek:
    Here's the script:

    PHP:
    <?php

    $msg  = "subject:\t$subject\n";
    $msg .= "name:\t$name\n";
    $msg .= "name2:\t$name2\n\n";
    $msg .= "company:\t$company\n";
    $msg .= "telephone:\t$telephone\n";
    $msg .= "fax:\t$fax\n\n";
    $msg .= "email:\t$email\n";
    $msg .= "url:\t$url\n";
    $msg .= "message:\t$message\n\n";

    $recipient = "customer_email@hotmail.com";
    $subject = "Form";

    $mailheaders = "From: formulaire user<contact@domain.com> \n";
    // $email comes straight from the form (register_globals) and is not checked
    $mailheaders .= "Reply-To: $email\n\n";

    mail($recipient, $subject, $msg, $mailheaders);

    ?>
    A bot (or someone) attacked the script today...
    I saw a lot of emails sent from nobody@(my webserver user) going to my customer's email with the subject "Contact form domain.com".
    BUT one of these emails was sent to another address using bcc: mhkoch321@aol.com

    I looked at the script... but didn't understand how the bot was able to send an email to a bcc... I tried a lot of things... and finally I found it:
    $mailheaders .= "Reply-To: $email\n\n";

    $email is not checked before it is used... The customer told me the worst he expected was to receive some junk in HIS mailbox ;)

    So the spammer was able to insert new mail headers... Here's the $email value he used:

    PHP:
    email:    bfqngspb@domain.com
    Content-Type: multipart/mixed; boundary=\"===============0452749181==\"
    MIME-Version: 1.0
    MIME-Version: 1.0
    Subject: 1f0d01d8
    To: bfqngspb@domain.com
    bcc: mhkoch321@aol.com
    From: bfqngspb@domain.com

    This is a multi-part message in MIME format.

    --===============0452749181==
    Content-Type: text/plain; charset=\"us-ascii\"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit

    qoevyurk
    --===============0452749181==--
    I just want to warn you... so you can check your customers' scripts or at least be able to avoid the problem...
     
  2. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    Thanks for sharing, always check your variables.

    Check the variable length as well
     
  3. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    This has been going on a lot lately, so admins should be advised to check for insecure mailer scripts. Don't ignore those emails that warn you about recently uploaded mail scripts! A workaround for this would be to eliminate any CR/LF chars from your form data before sending your mail out.
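As an added example (not fred123123's script and not from anyone in this thread), here is the same mailer with the CR/LF check suggested above plus address validation; `header_is_clean`, `clean_email` and `send_contact_mail` are names chosen for this example, and the injected sample at the bottom is constructed in the shape of the value quoted in the first post.

```php
<?php
// Hardened version of the contact-form mailer: header values are checked for
// CR/LF before use and the address is validated. Names are this example's own.

// True when a value meant for a single mail header contains no line break,
// i.e. nothing that could start a second header such as "bcc:".
function header_is_clean($value) {
    return is_string($value) && strpbrk($value, "\r\n") === false;
}

// Returns the address if it is one well-formed address on one line, else false.
function clean_email($value) {
    $value = trim((string) $value);
    if (!header_is_clean($value)) {
        return false;
    }
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false ? $value : false;
}

// Sends the form contents to $recipient, or returns false and logs a note
// when the email field would have let the submitter write extra headers.
function send_contact_mail(array $form, $recipient) {
    $email = clean_email(isset($form['email']) ? $form['email'] : '');
    if ($email === false) {
        error_log('contact form: rejected email field from ' .
                  (isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown'));
        return false;
    }
    $body  = "name:\t"    . (isset($form['name'])    ? $form['name']    : '') . "\n";
    $body .= "email:\t$email\n";
    $body .= "message:\t" . (isset($form['message']) ? $form['message'] : '') . "\n";

    // Only fixed text and the validated address go into the headers.
    $headers  = "From: formulaire user <contact@domain.com>\r\n";
    $headers .= "Reply-To: $email\r\n";
    return mail($recipient, 'Form', $body, $headers);
}

// Constructed sample in the shape of the injected value quoted in the first
// post: an address followed by a line break and an extra header line.
$injected = "bfqngspb@domain.com\nbcc: someone@example.com";
var_dump(clean_email($injected));
var_dump(clean_email(' real.user@example.com '));
```

The message body is left alone on purpose: once the header block is closed, body text cannot add headers, so only the values placed in headers need the line-break check.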
     
  4. shacker23

    shacker23 Well-Known Member

    Joined:
    Feb 20, 2005
    Messages:
    263
    Likes Received:
    1
    Trophy Points:
    16
    Another useful technique is to make sure you have a referrer variable in the environment, so that calling the script directly without clicking through to the mail form causes it to fail. Put this at the top of your script:

    $referrer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
    if ($referrer == "") {
        exit;   // no referrer: the script was called directly, not from the form
    }

    Note that the form can no longer be used if accessed via bookmark!

    You could probably be even more specific and make sure the referrer belongs to the same domain, which would make it harder to satisfy the condition remotely.
     
  5. webignition

    webignition Well-Known Member

    Joined:
    Jan 22, 2005
    Messages:
    1,880
    Likes Received:
    0
    Trophy Points:
    36
    I find the easiest way is to set a session variable in the PHP script that generates a given form. The PHP script to which data is posted then checks that the session variable is set and correct. If not, it just redirects back to the PHP script that generates the form.

    This seems to quite suitably prevent people from posting directly to the form-accepting script and is decently user friendly for those who access the form-accepting script by mistake.

    Using a session variable like this may be a little more robust as the http_referrer can be spoofed very easily.
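An added example of the session-variable approach described above, not webignition's code: the form page issues a random single-use token, and the receiving script accepts it once and then discards it. `issue_form_token` and `consume_form_token` are names chosen for this example; the form.php / mail.php split in the trailing comments is assumed.

```php
<?php
// Single-use form token kept in the session, as an alternative to the
// referrer check. Names are this example's own.

// Called by the page that renders the form: creates a fresh token and
// returns it so it can be placed in a hidden input.
function issue_form_token() {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $token = bin2hex(random_bytes(16));   // 128 random bits, not guessable
    $_SESSION['form_token'] = $token;
    $_SESSION['form_token_time'] = time();
    return $token;
}

// Called by the script that receives the POST. Returns true once for a
// valid token and then discards it, so a replayed submission fails.
function consume_form_token($submitted, $max_age = 3600) {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['form_token'], $_SESSION['form_token_time'])) {
        return false;                     // posted directly, no form was served
    }
    $expected = $_SESSION['form_token'];
    $issued   = $_SESSION['form_token_time'];
    unset($_SESSION['form_token'], $_SESSION['form_token_time']);
    if (time() - $issued > $max_age) {
        return false;                     // stale token
    }
    // constant-time comparison; also rejects anything that is not a string
    return is_string($submitted) && hash_equals($expected, $submitted);
}

// form.php
//   $t = issue_form_token();
//   echo '<input type="hidden" name="token" value="' . htmlspecialchars($t) . '">';
//
// mail.php
//   if (!consume_form_token(isset($_POST['token']) ? $_POST['token'] : '')) {
//       header('Location: form.php');   // bounce back to the form, as described above
//       exit;
//   }
```

Because the token is tied to the visitor's session and never reused, a bot that posts straight to mail.php, or replays a captured submission, fails the check without relying on the Referer header.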
     
  6. Earendil

    Earendil Well-Known Member

    Joined:
    Jun 10, 2004
    Messages:
    102
    Likes Received:
    0
    Trophy Points:
    16
    Isn't there a mod_security rule for this.. ?
     
  7. SpringChicken

    SpringChicken Member

    Joined:
    Dec 16, 2003
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    Please post a secure solution

    Can someone PLEASE PLEASE PLEASE post a simple solution for this ?

    form.php & mail.php OR both in one.

    I WOULD BE EVER SO GRATEFUL :)
     
  8. web12

    web12 Well-Known Member

    Joined:
    Nov 20, 2002
    Messages:
    240
    Likes Received:
    0
    Trophy Points:
    16
    Me too

    this has become a problem again recently.

    Any tips would be appreciated.
     
  9. nat

    nat Well-Known Member

    Joined:
    Jan 16, 2003
    Messages:
    204
    Likes Received:
    0
    Trophy Points:
    16
    Over the past several days I have disabled at least over 50 scripts being used to send spam mostly to aol. All of the scripts are php scripts and are different types of php scripts. (so it isn't just one type of form-to-email script where a flaw has been discovered - it seems to be nearly all php form-to-email scripts.)
     
  10. jackie46

    jackie46 BANNED

    Joined:
    Jul 25, 2005
    Messages:
    537
    Likes Received:
    0
    Trophy Points:
    0
    mod_security!
     
  11. xisn

    xisn Well-Known Member

    Joined:
    Dec 4, 2004
    Messages:
    128
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    ok, here is a sample... Hope this helps!

    I too have seen this on many of my customer accounts so I went in and secured most of them by using Cookies and sessions...

    Now of course you will want to tailor these pages to meet your needs. I also left out the JavaScript to validate the form; however, once I put these pages in place, it brought it to a screeching halt..


    File Name: contact.php - This page just sets the Cookie and Session and provides the form for the users, if you don't have a session and cookie, the next page just bounces you out...

    PHP:
    <?php
    $value = 'THE_Contact';

    // start the session first so session_unset() actually has something to clear
    session_cache_limiter('nocache');
    session_start();
    session_unset();

    // the cookie the receiver page checks for
    setcookie("THE_Cookie", $value);

    //prevents caching
    header ("Expires: Mon, 26 Jul 2001 05:00:00 GMT");          // Date in the past
    header ("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT"); // Always modified
    header ("Cache-Control: no-cache, must-revalidate");        // HTTP/1.1 Protocol
    header ("Pragma: no-cache");

    $_SESSION['SSID'] = session_id();

    $topheader = "contact";
    ?>
    Code:
    <form name="frm_1" action="contacts.php" method="POST" onSubmit='return PostSearchForm();'>
    <input type="hidden" name="SSID" value="<?= $_SESSION['SSID']; ?>">
    <table cellpadding="4" cellspacing="0" border="0">
    <tr> 
    <td><b>First Name:</b></td>
    <td width="7px"></td>
    <td><input class="inputbox" type="TEXT" name="fname" maxlength="40"></td>
    </tr>
    <tr> 
    <td><b>Last Name:</b></td>
    <td width="7px"></td>
    <td><input class="inputbox" type="TEXT" name="lname" maxlength="40"></td>
    </tr>
    <tr> 
    <td><b>Email address:</b></td>
    <td width="7px"></td>
    <td><input class="inputbox" type="TEXT" name="cemail" maxlength="100"></td>
    </tr>
    <tr> 
    <td><b>Company:</b></td>
    <td width="7px"></td>
    <td><input class="inputbox" type="TEXT" name="cname" maxlength="100"></td>
    </tr>
    <tr> 
    <td><b>Telephone Number:</b></td>
    <td width="7px"></td>
    <td><input class="inputbox" type="TEXT" name="telno" maxlength="100"></td>
    </tr>
    <tr> 
    <td><b>Subject:</b></td>
    <td width="7px"></td>
    <td><input class="inputbox" type="TEXT" name="csubject" maxlength="60" value=""></td>
    </tr>
    <tr> 
    <td valign="TOP"><b>Message:</b><br></td>
    <td width="7px"></td>
    <td> </td>
    </tr>
    <tr> 
    <td valign="TOP" colspan="3"><textarea class="inputbox" wrap="physical" rows="5" cols="35" name="comments" maxlength="1000"></textarea> </td>
    </tr>
    <tr> 
    <td></td>
    <td width="7px"></td>
    <td>
    <p><input type="image" border="0" value="submit" src="images/submit.gif">&nbsp;&nbsp;<a href="javascript:document.frm_1.reset();"><img border="0" src="images/clear.gif"></a><input type="hidden" name="action" value="submit"></p>
    </td>
    </tr>
    </table>
    </form>
    
    And then next is the receiver page...

    File Name: contacts.php - This page captures the Cookie and the session, if it sees it, it deletes it! This prevents the bots and others from resubmitting over and over again. This also checks to make sure it came from a valid referrer (your server) and not a bot....

    PHP:
    <?php
    session_start();

    // count submissions in this session; anything after the first is bounced
    if (!isset($_SESSION['count'])) {
        $_SESSION['count'] = 0;
    } else {
        $_SESSION['count']++;
    }

    if ($_SESSION['count'] > 0) {
        include('index.php');
        //echo 'Session Count too High';
        exit;
    }

    // the form posts SSID as a hidden field, so it arrives in $_POST, not $_GET
    if (isset($_POST['SSID'], $_SESSION['SSID']) && $_POST['SSID'] == $_SESSION['SSID']) {
        //Do Nothing
    } else {
        include('index.php');
        //echo 'No SSID';
        exit;
    }

    if (isset($_COOKIE['THE_Cookie'])) {
        // expire every cookie so the same one cannot be resubmitted
        $cookiesSet = array_keys($_COOKIE);
        for ($x = 0; $x < count($cookiesSet); $x++) setcookie($cookiesSet[$x], "", time() - 1);
    } else {
        include('index.php');
        //echo 'Cookie not set';
        exit;
    }

    // ------- variables you MUST change below  -------------------------------------------------------
    $valid_ref1 = "http://yourdomain.com/contact.php";     // change "yourdomain" to your domain
    $valid_ref2 = "http://www.yourdomain.com/contact.php"; // change "WWW.yourdomain" to your domain
    $replyemail = "admin@yourdomain.com";                  // change to your email address

    // form fields (the posted script relied on register_globals; read them from $_POST)
    $fname    = isset($_POST['fname'])    ? $_POST['fname']    : '';
    $lname    = isset($_POST['lname'])    ? $_POST['lname']    : '';
    $cemail   = isset($_POST['cemail'])   ? $_POST['cemail']   : '';
    $cname    = isset($_POST['cname'])    ? $_POST['cname']    : '';
    $telno    = isset($_POST['telno'])    ? $_POST['telno']    : '';
    $csubject = isset($_POST['csubject']) ? $_POST['csubject'] : '';
    $comments = isset($_POST['comments']) ? $_POST['comments'] : '';
    $name = $fname . ' ' . $lname;

    // strip CR/LF from the two values that end up in mail headers (see the first post)
    $cemail   = str_replace(array("\r", "\n"), '', $cemail);
    $csubject = str_replace(array("\r", "\n"), '', $csubject);

    $remote_addr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    $user_agent  = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    if ($remote_addr == "") $ip = "no ip";
    else $ip = gethostbyaddr($remote_addr);
    $date = date("Y-m-d H:i:s");

    // ------- optional text you can change below -----------------------------------------------------
    $error_msg = 'ERROR - not sent. Try again.';

    $success_sent_msg = '<p align="center"><strong>&nbsp;</strong></p>
                       <p align="center"><strong>Your message has been successfully sent to us<br>
                       </strong> and we will reply as soon as possible.</p>
                       <p align="center">A copy of your query has been sent to you.</p>
                       <p align="center">Thank you for contacting us.</p>';

    $replymessage = "Hi $name

    Thank you for your email.

    We will reply to you shortly using the email address you provided ( $cemail ).

    Please DO NOT reply to this email.

    Below is a copy of the message you submitted:
    --------------------------------------------------
    Subject: $csubject

    --------------------------------------------------
    Message:
    $comments

    --------------------------------------------------

    Thank you

    The THE Management";

    // ----------no more changes required below here --------------------------------------------------

    // email variable not set - load $valid_ref1 page
    if (!isset($_POST['cemail'])) {
        echo "<script language=\"JavaScript\"><!--\n ";
        echo "top.location.href = \"$valid_ref1\"; \n// --></script>";
        exit;
    }
    $ref_page = isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : '';
    $valid_referrer = 0;
    if ($ref_page == $valid_ref1) $valid_referrer = 1;
    elseif ($ref_page == $valid_ref2) $valid_referrer = 1;
    if (!$valid_referrer) {
        echo "<script language=\"JavaScript\"><!--\n alert(\"$error_msg\");\n";
        echo "top.location.href = \"$valid_ref1\"; \n// --></script>";
        exit;
    }
    $themessage = "A visitor has left the following information\n
    Name: $name
    Company Name: $cname
    Phone Number: $telno

    The visitor commented:
    ------------------------------
    Subject: $csubject\n

    $comments

    Logged Info :
    ------------------------------
    Using: $user_agent
    Hostname: $ip
    IP address: $remote_addr
    Date/Time:  $date";

    mail("$replyemail",
         "$csubject",
         "$themessage",
         "From: $cemail\nReply-To: $cemail");
    mail("$cemail",
         "Receipt: $csubject",
         "$replymessage",
         "From: $replyemail\nReply-To: $replyemail");
    ?>

    <?php echo $success_sent_msg ?>

    Good luck!

    -xisn
     
  12. Earendil

    Earendil Well-Known Member

    Joined:
    Jun 10, 2004
    Messages:
    102
    Likes Received:
    0
    Trophy Points:
    16

    Mind sharing this rule you're using? :)
     
  13. jackie46

    jackie46 BANNED

    Joined:
    Jul 25, 2005
    Messages:
    537
    Likes Received:
    0
    Trophy Points:
    0
    You can do a search for mod security on this forum.
     
  14. Earendil

    Earendil Well-Known Member

    Joined:
    Jun 10, 2004
    Messages:
    102
    Likes Received:
    0
    Trophy Points:
    16
    Oddly enough I didn't find it on a prior search, guess it must've been wrong keywords.
    For everyone else: http://forums.cpanel.net/showthread.php?t=46608
     
  16. web12

    web12 Well-Known Member

    Joined:
    Nov 20, 2002
    Messages:
    240
    Likes Received:
    0
    Trophy Points:
    16
    Sorry earendil... missed your post!
     