security issue

  • bokke

    security issue

    I have an online form - script below. I thought it was secure, but
    last night I got 20 or so blank e-mails from my site and one that
    bounced? Is this script secure or am I being abused by spammers?

    Any ideas?

    PHP SCRIPT
    <?php

    $Name = $HTTP_POST_VARS['Name'];
    $email = $HTTP_POST_VARS['email'];
    $phone = $HTTP_POST_VARS['phone']; /* not in the posted script; added so $phone below is defined */
    $subject = "Message From us";
    $message = $HTTP_POST_VARS['comments'];
    $message2 = "\n\n$Name just filled in the form.\n\nTheir suggestions
    are:\n$message\n\n
    Their e-mail address is: $email\n\nTheir Phone Number is $phone";
    $to = "me@yahoo.ca";

    /* PHP form validation: the script checks that the Email field contains
    a valid email address and the Name field isn't empty. preg_match
    performs a regular expression match. It's a very powerful PHP function
    to validate form fields and other strings - see PHP manual for details.
    */
    if (!preg_match("/\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*/", $email)) {
        echo "<h4>Invalid email address</h4>";
        echo "<a href='javascript:history.back(1);'>Back</a>";
    } elseif ($Name == "") {
        echo "<h4>It seems you forgot: Name</h4>";
        echo "<a href='javascript:history.back(1);'>Back</a>";
    }

    /* Sends the mail and outputs the "Thank you" string if the mail is
    successfully sent, or the error string otherwise. */
    elseif (mail($to, $subject, $message2, "From:$email")) {
        echo "Thank you $Name! We will get back to you as soon as we can.";
    } else {
        echo "<h4>There seems to have been an error. Please <a
        href='mailto:info&#64;us.com'>click here to e-mail us</a></h4>";
    }
    ?>


    HERE IS THE E-MAIL

    Hi. This is the qmail-send program at mail.support1.net_bouncehost.
    I'm afraid I wasn't able to deliver your message to the following
    addresses.
    This is a permanent error; I've given up. Sorry it didn't work out.

    <clifford@fresnomail.com>:
    207.183.238.67 does not like recipient.
    Remote host said: 550 5.1.2 <clifford@fresnomail.com>... Invalid
    Recipient
    Giving up on 207.183.238.67.

    --- Enclosed are the original headers of the message.

    Forwarded Message [ Download File | Save to Yahoo! Canada Briefcase ]
    To: clifford@fresnomail.com
    Date: 1 Mar 2006 23:22:54 -0000
    From: info@us.com
    Subject: our company

    Sure looks like I tried to e-mail this guy?

    Please help!

  • Gordon Burditt

    #2
    Re: security issue

    >I have an online form - script below. I thought it was secure, but
    >last night I got 20 or so blank e-mails from my site and one that
    >bounced ?? Is this script secure or am I being abused by spammers?

    If you permit the mail() function to be called with user input containing
    carriage return or line feed characters in *ANY* argument besides
    the message body, your script is not secure.

    A common offender is letting the user specify his own From: address
    in the headers. At least when you do this you check the value.

    I am not sure without testing whether your regular expression
    check will properly reject an email with newlines in it, such as:

    "fred@mydomain.com\nCc: a@aol.com, b@aol.com, c@aol.com, d@aol.com\n\n"

    Rules for regular-expression matching with multiple lines involved get tricky.


    Gordon L. Burditt
    >
    >any ideas?
    >
    >PHP SCRIPT
    ><?php
    >
    >
    >$Name = $HTTP_POST_VARS['Name'];
    >$email = $HTTP_POST_VARS['email'];
    >$subject = "Message From us";
    >$message = $HTTP_POST_VARS['comments'];
    >$message2="\n\n$Name just filled in the form.\n\nTheir suggestions
    >are:\n$message\n\n
    >Their e-mail address is: $email\n\nTheir Phone Number is $phone";
    >$to="me@yahoo.ca";
    >
    >/* PHP form validation: the script checks that the Email field contains
    >a valid email address and the Subject field isn't empty. preg_match
    >performs a regular expression match. It's a very powerful PHP function
    >to validate form fields and other strings - see PHP manual for details.
    >*/
    >if (!preg_match("/\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*/",
    >$email)) {
    > echo "<h4>Invalid email address</h4>";
    > echo "<a href='javascript:history.back(1);'>Back</a>";
    >} elseif ($Name == "") {
    > echo "<h4>It seems you forgot: Name</h4>";
    > echo "<a href='javascript:history.back(1);'>Back</a>";
    >}
    >
    >/* Sends the mail and outputs the "Thank you" string if the mail is
    >successfully sent, or the error string otherwise. */
    >elseif (mail($to,$subject,$message2,"From:$email")) {
    > echo "Thank you $Name! We will get back to you as soon as we can.";
    >} else {
    > echo "<h4>There seems to been an error. Please <a
    >href='mailto:info&#64us.com'>click here to e-mail us</a></h4>";
    >}
    >?>
    >
    >
    >HERE IS THE E-MAIL
    >
    >Hi. This is the qmail-send program at mail.support1.net_bouncehost.
    >I'm afraid I wasn't able to deliver your message to the following
    >addresses.
    >This is a permanent error; I've given up. Sorry it didn't work out.
    >
    ><clifford@fresnomail.com>:
    >207.183.238.67 does not like recipient.
    >Remote host said: 550 5.1.2 <clifford@fresnomail.com>... Invalid
    >Recipient
    >Giving up on 207.183.238.67.
    >
    >--- Enclosed are the original headers of the message.
    >
    >Forwarded Message [ Download File | Save to Yahoo! Canada Briefcase ]
    >To: clifford@fresnomail.com
    >Date: 1 Mar 2006 23:22:54 -0000
    >From: info@us.com
    >Subject: our company
    >
    >sure looks like I tried to e-mail this guy?

    This message has NONE of the headers (like "Subject: message from us")
    that your script puts in the message. It could be that a spammer
    negated your headers by injecting two consecutive newlines in the
    headers before yours. Or it could be that they just faked your
    return address and it has nothing to do with your site until you
    get the bounce.

    Gordon L. Burditt


    • Chung Leong

      #3
      Re: security issue

      bokke wrote:
      > I have an online form - script below. I thought it was secure, but
      > last night I got 20 or so blank e-mails from my site and one that
      > bounced ?? Is this script secure or am I being abused by spammers?

      There's a flaw in your regular expression. Right now it only looks for
      the existence of a valid e-mail address within $email. Thus if $email
      contains the following:

      sender@anonymous.www
      Cc:recipient@someothersite.xxx
      Bcc:somebloke@grrrr.xxx,someotherbloke@oooops.xxx

      preg_match() will return true since there certainly is a correctly
      formatted e-mail address in there.

      Putting ^ at the beginning and $ at the end of the expression should
      yield something more like what you had intended.


      • bokke

        #4
        Re: security issue


        Chung Leong wrote:
        > bokke wrote:
        > > I have an online form - script below. I thought it was secure, but
        > > last night I got 20 or so blank e-mails from my site and one that
        > > bounced ?? Is this script secure or am I being abused by spammers?
        >
        > There's a flaw in your regular expression. Right now it only looks for
        > the existence of a valid e-mail address within $email. Thus if $email
        > contains the following:
        >
        > sender@anonymous.www
        > Cc:recipient@someothersite.xxx
        > Bcc:somebloke@grrrr.xxx,someotherbloke@oooops.xxx
        >
        > preg_match() will return true since there certainly is a correctly
        > formatted e-mail address in there.
        >
        > Putting ^ at the beginning and $ at the end of the expression should
        > yield something more like what you had intended.

        How about using this
        $Name = $HTTP_POST_VARS['Name'];
        $email = preg_replace( '/[\r\n]/', '', $email );
        $email = $HTTP_POST_VARS['email'];
        $subject = "Message From us";

        would this stop the abuse because it seems they are not using a
        'return'?

        michael


        • Chung Leong

          #5
          Re: security issue

          Why not just fix the regular expression?


          • bokke

            #6
            Re: security issue

            $Name = $HTTP_POST_VARS['Name'];

            $email = preg_replace( '/[\r\n]/', '', $email );

            $email = $HTTP_POST_VARS['email'];
            $subject = "Message From us";
            $message = $HTTP_POST_VARS['comments'];

            If I added the second line, the form still works, but that doesn't seem
            to fix the problem you mention above? Or does it?

            michael


            • bokke

              #7
              Re: security issue


              Chung Leong wrote:
              > Why not just fix the regular expression?

              Sorry Chung - What would I change it to? I'm new at this security
              stuff.

              michael


              • bokke

                #8
                Re: security issue


                bokke wrote:
                > Chung Leong wrote:
                > > Why not just fix the regular expression?
                >
                > Sorry Chung - What would I change it to? I'm new at this security
                > stuff.
                >
                > michael

                Also I will have to kill the BCC because I'm now getting these...


                "and
                Content-Type: multipart/alternative;
                boundary=dfd3b8fc428ebc09193a1de81d51a1ad
                MIME-Version: 1.0
                Subject: really a good
                bcc: bajfla@aol.com

                This is a multi-part message in MIME format.

                --dfd3b8fc428ebc09193a1de81d51a1ad
                Content-Type: text/plain; charset=\"us-ascii\"
                MIME-Version: 1.0
                Content-Transfer-Encoding: 7bit

                ilhelm you should first see his es, you must
                --dfd3b8fc428ebc09193a1de81d51a1ad--

                ..
                es8395@us.com just filled in the form.

                Their suggestions are:
                es8395@us.com


                Their e-mail address is: es8395@us.com

                Their Phone Number is es8395@us.com


                aaaaaagggghh please make the bleeding stop! help


                • Chung Leong

                  #9
                  Re: security issue

                  Change the regular expression to

                  /^\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*$/

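                  The substring-match problem described in #3 and the anchored pattern given in #9, run side by side. This is an added example, not code from the thread: the first two patterns are the thread's own, the third is the same anchored pattern with PCRE's D (PCRE_DOLLAR_ENDONLY) modifier added, and the helper name and the sample values are constructed for this demonstration.

```php
<?php
// Added example: compares the original unanchored pattern, Chung Leong's
// anchored pattern, and the anchored pattern with the D modifier, on a
// clean address, an address carrying injected header lines, and an address
// followed by one trailing newline.

// Pattern exactly as in the original script: no anchors, so any valid-looking
// address anywhere inside the value is enough for a match.
const UNANCHORED = '/\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*/';

// Pattern from #9: ^ and $ anchor the match to the whole value.
const ANCHORED = '/^\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*$/';

// Same pattern with D: without it, $ also matches just before a final "\n",
// so a value ending in a single newline would still be accepted.
const ANCHORED_D = '/^\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*$/D';

// Helper name is mine, not from the thread.
function email_accepted(string $pattern, string $value): bool
{
    return preg_match($pattern, $value) === 1;
}

// Constructed sample inputs; the injected one mirrors the value shown in #3.
$samples = [
    'plain address'         => 'sender@anonymous.www',
    'injected Cc/Bcc lines' => "sender@anonymous.www\r\n"
                             . "Cc:recipient@someothersite.xxx\r\n"
                             . "Bcc:somebloke@grrrr.xxx,someotherbloke@oooops.xxx",
    'trailing newline only' => "sender@anonymous.www\n",
];

foreach ($samples as $label => $value) {
    printf(
        "%-24s unanchored=%d  anchored=%d  anchored+D=%d\n",
        $label,
        email_accepted(UNANCHORED, $value),
        email_accepted(ANCHORED, $value),
        email_accepted(ANCHORED_D, $value)
    );
}
```

                  Run it with the php command-line binary. The unanchored pattern accepts all three inputs, which is exactly why the original script let injected Cc/Bcc lines through. The anchored pattern rejects the multi-line value, but still accepts the value that ends in a single newline, because in PCRE the $ anchor also matches immediately before a final line feed; the D modifier (or \z in place of $) closes that gap, and mail() header arguments are where that one stray newline matters.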

                  • Gordon Burditt

                    #10
                    Re: security issue

                    >$Name = $HTTP_POST_VARS['Name'];
                    >
                    >$email = preg_replace( '/[\r\n]/', '', $email );
                    >
                    >$email = $HTTP_POST_VARS['email'];

                    Anything the preg_replace call did, the above line undoes.

                    >$subject = "Message From us";
                    >$message = $HTTP_POST_VARS['comments'];
                    >
                    >if I added the second line - the form still works but that doesn't seem
                    >to fix the problem you mention above? or does it?

                    If someone is trying to abuse your web page, DO NOT SEND MAIL AT ALL.
                    And preferably the output result page should consist only of cusswords.
                    Or at least do not use any part of a tricked-up $email in the
                    headers. And preferably block any more accesses from that IP
                    address.

                    Gordon L. Burditt

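                    A hardened form handler that follows the two pieces of advice in this thread: the anchored e-mail pattern from #9, and Gordon's rule that a submission containing a line break in a header-bound field is not mailed at all. This is an added example, not the thread's code: the field names ('Name', 'email', 'phone', 'comments') follow the original script, $_POST stands in for the old $HTTP_POST_VARS, and the recipient address, sender address and function names are placeholders chosen for the example.

```php
<?php
// Added example: hardened version of the thread's form handler.
// RECIPIENT, SENDER and all function names are placeholders/assumptions.

const RECIPIENT = 'me@example.invalid';       // placeholder for the real inbox
const SENDER    = 'webform@example.invalid';  // placeholder, an address on our own domain
// Chung Leong's anchored pattern plus D, so "$" cannot match before a trailing newline.
const EMAIL_RE  = '/^\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*$/D';

// A value may go into a mail header only if it is a single line: header
// injection depends entirely on smuggling a CR or LF into such a value.
function is_single_line(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 0;
}

// Validates the submission. Returns the cleaned fields, or null with $reason
// set; in the null case nothing is sent (Gordon's advice above).
function validate_submission(array $post, ?string &$reason = null): ?array
{
    $fields = [];
    foreach (['Name', 'email', 'phone', 'comments'] as $key) {
        $fields[$key] = trim((string) ($post[$key] ?? ''));
    }
    // Only the body may span lines; every header-bound field must be one line.
    foreach (['Name', 'email', 'phone'] as $key) {
        if (!is_single_line($fields[$key])) {
            $reason = "line break in field '$key'";
            return null;
        }
    }
    if ($fields['Name'] === '') {
        $reason = 'missing name';
        return null;
    }
    if (preg_match(EMAIL_RE, $fields['email']) !== 1) {
        $reason = 'invalid e-mail address';
        return null;
    }
    $reason = null;
    return $fields;
}

// Builds the four mail() arguments from validated fields. The visitor's
// address goes into Reply-To; From is our own fixed address, so user input
// never starts a header line and cannot add one.
function build_mail(array $f): array
{
    $body = "{$f['Name']} just filled in the form.\n\n"
          . "Their suggestions are:\n{$f['comments']}\n\n"
          . "Their e-mail address is: {$f['email']}\n\n"
          . "Their Phone Number is {$f['phone']}\n";
    $headers = 'From: ' . SENDER . "\r\n"
             . "Reply-To: {$f['email']}\r\n";
    return [RECIPIENT, 'Message From us', $body, $headers];
}

if (PHP_SAPI === 'cli') {
    // Constructed samples: a normal submission, then one carrying a Bcc line
    // inside the e-mail field, in the style of the spam shown in #8.
    $samples = [
        ['Name' => 'Alice', 'email' => 'alice@example.invalid',
         'phone' => '555-0100', 'comments' => "Nice site.\nThanks."],
        ['Name' => 'x', 'email' => "x@example.invalid\r\nBcc: someone@example.invalid",
         'phone' => '', 'comments' => ''],
    ];
    foreach ($samples as $post) {
        $fields = validate_submission($post, $reason);
        if ($fields === null) {
            // Rejected: no mail at all, just a log line that a block rule can act on.
            $ip = $_SERVER['REMOTE_ADDR'] ?? 'cli';
            error_log("form rejected from $ip: $reason");
            echo "rejected: $reason\n";
            continue;
        }
        [$to, $subject, $body, $headers] = build_mail($fields);
        // In the real handler this is where mail($to, $subject, $body, $headers) goes.
        echo "would send to $to\n$headers\n$body\n";
    }
}
```

                    Run from the command line it prints the message it would send for the first sample and a rejection for the second; the same functions drop into a web handler by replacing $samples with $_POST and the echo with the mail() call. The design point is that the original script put $email directly into the From header, so one injected line break was enough to add recipients; here no user-supplied value is ever the start of a header line, every header-bound field is checked for line breaks before anything else happens, and a submission that fails that check produces a log entry rather than a message.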
