Apparently been XSS'd

iknownothing
Forum Contributor
Posts: 337
Joined: Sun Dec 17, 2006 11:53 pm
Location: Sunshine Coast, Australia

Post by iknownothing »

Hey Guys,
I have received an email from my boss, who received an email from our Server. Apparently one of our sites has come under fire of Cross Site Scripting (XSS).

They are saying that two files have been attacked, and used to send mass emails from, but the only scripting on these pages is a GET function to get the page to display with an include. So with absolutely no mail function whatsoever, and no difference in the files (they haven't been edited), is this even possible?

I have a Contact form that is included within one of the files, however, which could be triggering the flag on the main page, not the include, but for the 20 or so sites I have used this contact form on over the past 6 months, there have never been any mass emails sent out. Here's what it looks like; if you see any vulnerabilities, please enlighten me...

Code:

if (isset($_POST['contactformhasbeensubmittedforthewinyo'])) {
  $ipaddy = getenv("REMOTE_ADDR");
  // Take each field from the POST data unless the including page has already set it.
  if (!isset($name) || $name == "") { $name = $_POST["name"] ?? ""; }
  if (!isset($email) || $email == "") { $email = $_POST["email"] ?? ""; }
  if (!isset($phone) || $phone == "") { $phone = $_POST["phone"] ?? ""; }
  if (!isset($date) || $date == "") { $date = $_POST["date"] ?? ""; }
  if (!isset($location) || $location == "") { $location = $_POST["location"] ?? ""; }
  if (!isset($message) || $message == "") { $message = $_POST["message"] ?? ""; }

  $error = "";
  if ($name == "" || $phone == "" || $email == "" || $date == "" || $location == "" || $message == "") { $error .= "Please ensure <b>all</b> fields have been completed<BR>"; }
  // Reject line breaks, quotes, backslashes and angle brackets in every field that
  // could end up in a mail header (a CR/LF there would let extra headers be added).
  if ( preg_match("/[\r\n\"\\\\<>]/", $name) ) { $error .= "Invalid Characters in Name Field<BR>"; }
  if ( preg_match("/[\r\n\"\\\\<>]/", $email) ) { $error .= "Invalid Characters in Email Field<BR>"; }
  if ( preg_match("/[\r\n\"\\\\<>]/", $phone) ) { $error .= "Invalid Characters in Phone Field<BR>"; }
  if ( preg_match("/[\r\n\"\\\\<>]/", $date) ) { $error .= "Invalid Characters in Date Field<BR>"; }
  if ( preg_match("/[\r\n\"\\\\<>]/", $location) ) { $error .= "Invalid Characters in Location Field<BR>"; }
  // The message body may contain line breaks, but not quotes or angle brackets.
  if ( preg_match("/[\"\\\\<>]/", $message) ) { $error .= "Invalid Characters in Message Field<BR>"; }
  // eregi() was removed in PHP 7; preg_match() with the /i flag is the equivalent.
  $emailPattern = "/^([+_a-z0-9-]+)(\.[+_a-z0-9-]+)*@([a-z0-9-]+)(\.[a-z0-9-]+)*(\.[a-z]{2,4})$/i";
  if (!empty($email)) { if (!preg_match($emailPattern, $email)) { $error .= "Invalid Email Address<BR>"; } }
  // Strip header keywords from every field in case a value is reused in a header.
  $find = array("/bcc\:/i", "/Content\-Type\:/i", "/cc\:/i", "/to\:/i");
  $email = preg_replace($find, "", $email);
  $message = preg_replace($find, "", $message);
  $name = preg_replace($find, "", $name);
  $date = preg_replace($find, "", $date);
  $location = preg_replace($find, "", $location);
  $phone = preg_replace($find, "", $phone);

  if ($error == "") {

    $name = stripslashes($name);
    $email = stripslashes($email);
    $phone = stripslashes($phone);
    $date = stripslashes($date);
    $location = stripslashes($location);
    $message = stripslashes($message);

    // Fixed recipient; the submitted data only ever appears in the body and the From: header.
    $mailtoOBone = "anemail@someone.com";
    $mailmessageforthewinyo = "--- Below are details submitted via the Contact Form ---\n\nName: $name\nPhone No.: $phone\nEmail Address: $email\nDate: $date\nLocation: $location\n\nEnquiry:\n$message\n\n--- End of Details ---\nIP Address: $ipaddy\n(If you feel this belongs to a spammer or hacker, contact your host)";
    if ($email == "") {
      $email = "no-email@someone.com";
      $subject = "Contact Form Details - DO NOT REPLY";
    } else {
      $subject = "Contact Form Details";
    }

    $from = "From: \"$name\" <$email>";
    // Sanity checks on the hard-coded recipient and subject (note that these append
    // to $error but the mail() call below does not re-check $error).
    if ( preg_match("/[\r\n\"\\\\<>]/", $mailtoOBone) ) { $error .= "Contact Form ERROR<BR>"; }
    if (!preg_match($emailPattern, $mailtoOBone)) {
      $error .= "Contact Form ERROR<BR>";
    }
    if ( preg_match("/[\r\n\"\\\\<>]/", $subject) ) { $error .= "Invalid Characters in Subject Field<BR>"; }
    $mailyotobefree = "anemail@someone.com";
    $mailyotobefree = preg_replace($find, "", $mailyotobefree);
    $subject = preg_replace($find, "", $subject);
    $mailmessageforthewinyo = preg_replace($find, "", $mailmessageforthewinyo);
    $from = preg_replace($find, "", $from);
    if ($mailtoOBone == "anemail@someone.com") {
      mail($mailyotobefree, $subject, $mailmessageforthewinyo, $from);
    } else {
      $error .= "Contact Form ERROR<br>";
    }
  }

}

Also, can anyone give me any links, etc., for any knowledge on XSS? I would like to learn a bit more about it so I can combat it myself in the future.


Thanks.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

If the problem is just with the mailing, then I think you may be confusing XSS with plain old insecurities. Maybe you should look into 'e-mail injection.'
iknownothing
Forum Contributor
Posts: 337
Joined: Sun Dec 17, 2006 11:53 pm
Location: Sunshine Coast, Australia

Post by iknownothing »

The Server people actually used the words XSS, so maybe they are confusing it... Thanks for the "term", but I'll go hardcore on Google.
iknownothing
Forum Contributor
Posts: 337
Joined: Sun Dec 17, 2006 11:53 pm
Location: Sunshine Coast, Australia

Post by iknownothing »

OK, so I did a quick Google search, and the Wiki I was reading used '%0A' and '<LF>' to explain how they can occur; they then continued on, saying \n is the same thing. As I have already attempted to find \n (and \r) within the posted data, does that combat '%0A' and '<LF>' as well, or should I add these strings into the preg_replace?
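As an added illustration of the question just above, and of the character-class checks in the form posted at the top of the thread (this is example code, not anything written by the thread's participants): the script feeds a constructed URL-encoded form body through parse_str(), which applies the same percent-decoding PHP uses when it fills $_POST, so a `%0A` in the request reaches the script as a literal LF byte (0x0A) and the `\n` in the posted character class matches it. The sample field values, the helper function names and the use of filter_var() for address validation are all assumptions of this example.

```php
<?php
// Added example for this thread; not code posted by any participant.
// Field names, the sample form body and the helper functions are assumptions.

// Constructed form body, exactly as a browser would URL-encode it. The
// `email` field carries a percent-encoded line feed (%0A) followed by a
// second header line; the other fields are ordinary.
$rawBody = "name=Alice&email=alice%40example.com%0Abcc%3A+other%40example.net&message=Hello+there";

// parse_str() applies the same percent-decoding PHP uses to fill $_POST, so
// the script sees a real LF byte (0x0A) in $post['email'], not the text "%0A".
parse_str($rawBody, $post);

// The character class used in the posted form: \r and \n are bytes in the
// pattern, so it matches the decoded %0D / %0A without extra "%0A" or "<LF>" entries.
const FORM_HEADER_CHECK = "/[\r\n\"\\\\<>]/";

function decodedHex(string $value): string
{
    // Hex view of the decoded field, to make the 0a byte visible.
    return bin2hex($value);
}

function breaksHeader(string $value): bool
{
    // True when the value contains a CR or LF that would end a mail header
    // line and let the remainder be read as a new header.
    return preg_match(FORM_HEADER_CHECK, $value) === 1;
}

function validSenderAddress(string $email): bool
{
    // filter_var() replaces the hand-written address regex (and the removed
    // eregi() call); a value containing CR/LF also fails FILTER_VALIDATE_EMAIL.
    return !breaksHeader($email)
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

function buildFromHeader(string $name, string $email): ?string
{
    // Return the From: header only when both parts passed the checks;
    // null tells the caller to report an error instead of calling mail().
    if (breaksHeader($name) || !validSenderAddress($email)) {
        return null;
    }
    return sprintf('From: "%s" <%s>', $name, $email);
}

// Walk the decoded fields and report which would be accepted into a header.
foreach (['name', 'email'] as $field) {
    printf("%-6s hex=%s  breaks header: %s\n",
        $field, decodedHex($post[$field]), breaksHeader($post[$field]) ? 'yes' : 'no');
}
$from = buildFromHeader($post['name'], $post['email']);
echo $from === null ? "From header rejected\n" : "From header: $from\n";

// The same builder with clean input (constructed values).
$from = buildFromHeader('Alice', 'alice@example.com');
echo $from === null ? "From header rejected\n" : "From header: $from\n";
```

Run it from the command line with `php` and compare the hex dump of the `email` field against the `name` field: the decoded line feed shows up as `0a` in the middle of the address, the posted character class flags it, and buildFromHeader() refuses to construct a header from it, while the clean address is accepted.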
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Using Swiftmailer would likely avoid these problems.