Apparently been XSS'd

Posted: Tue Aug 14, 2007 7:12 pm
by iknownothing
Hey Guys,
I have received an email from my boss, who received an email from our Server. Apparently one of our sites has come under fire of Cross Site Scripting (XSS).

They are saying that two files have been attacked, and used to send mass emails from, but the only scripting on these pages is a GET function to get the page to display with an include. So with absolutely no mail function whatsoever, and no difference in the files (they haven't been edited), is this even possible?

I have a Contact form that is included within one of the files however, which could be triggering the flag on the main page, not the include, but for the 20 or so sites I have used this contact form over the past 6 months, there has never been any mass emails sent out. Here's what it looks like, if you see any vulnerabilities, please enlighten me...

Code:

if (isset($_POST['contactformhasbeensubmittedforthewinyo'])) {
    $ipaddy = getenv("REMOTE_ADDR");
    // Fall back to the POSTed values only when nothing has set these already
    // (these variables are assumed to exist before this block runs)
    if ($name == "") { $name = $_POST["name"]; }
    if ($email == "") { $email = $_POST["email"]; }
    if ($phone == "") { $phone = $_POST["phone"]; }
    if ($date == "") { $date = $_POST["date"]; }
    if ($location == "") { $location = $_POST["location"]; }
    if ($message == "") { $message = $_POST["message"]; }

    // Validation: every field required, no line breaks / quotes / angle brackets
    // in header-bound fields, and the email must look like an address
    $error = "";
    if ($name == "" || $phone == "" || $email == "" || $date == "" || $location == "" || $message == "") { $error .= "Please ensure <b>all</b> fields have been completed<BR>"; }
    if ( preg_match("/[\r\n\"\\\\<>]/", $name) ) { $error .= "Invalid Characters in Name Field<BR>"; }
    if ( preg_match("/[\r\n\"\\\\<>]/", $email) ) { $error .= "Invalid Characters in Email Field<BR>"; }
    if ( preg_match("/[\r\n\"\\\\<>]/", $phone) ) { $error .= "Invalid Characters in Phone Field<BR>"; }
    if ( preg_match("/[\r\n\"\\\\<>]/", $date) ) { $error .= "Invalid Characters in Date Field<BR>"; }
    if ( preg_match("/[\r\n\"\\\\<>]/", $location) ) { $error .= "Invalid Characters in Location Field<BR>"; }
    if ( preg_match("/[\"\\\\<>]/", $message) ) { $error .= "Invalid Characters in Message Field<BR>"; }
    if (!empty($email)) { if (! eregi("^([+_a-z0-9-]+)(\.[+_a-z0-9-]+)*@([a-z0-9-]+)(\.[a-z0-9-]+)*(\.[a-z]{2,4})$", $email)) { $error .= "Invalid Email Address<BR>"; } }

    // Strip well-known mail header names out of every field
    $find = array("/bcc\:/i","/Content\-Type\:/i","/cc\:/i","/to\:/i");
    $email = preg_replace($find, "", $email);
    $message = preg_replace($find, "", $message);
    $name = preg_replace($find, "", $name);
    $date = preg_replace($find, "", $date);
    $location = preg_replace($find, "", $location);
    $phone = preg_replace($find, "", $phone);

    if ($error == "") {

        $name = stripslashes($name);
        $email = stripslashes($email);
        $phone = stripslashes($phone);
        $date = stripslashes($date);
        $location = stripslashes($location);
        $message = stripslashes($message);

        $mailtoOBone = "anemail@someone.com";
        $mailmessageforthewinyo = "--- Below are details submitted via the Contact Form ---\n\nName: $name\nPhone No.: $phone\nEmail Address: $email\nDate: $date\nLocation: $location\n\nEnquiry:\n$message\n\n--- End of Details ---\nIP Address: $ipaddy\n(If you feel this belongs to a spammer or hacker, contact your host)";
        if ($email == "") {
            $email = "no-email@someone.com";
            $subject = "Contact Form Details - DO NOT REPLY";
        } else {
            $subject = "Contact Form Details";
        }

        // Sender header is built from user-supplied name and email
        $from = "From: \"$name\" <$email>";
        if ( preg_match("/[\r\n\"\\\\<>]/", $mailtoOBone) ) { $error .= "Contact Form ERROR<BR>"; }
        if (! eregi("^([+_a-z0-9-]+)(\.[+_a-z0-9-]+)*@([a-z0-9-]+)(\.[a-z0-9-]+)*(\.[a-z]{2,4})$", $mailtoOBone))
        {
            $error .= "Contact Form ERROR<BR>";
        }
        if ( preg_match("/[\r\n\"\\\\<>]/", $subject) ) { $error .= "Invalid Characters in Subject Field<BR>"; }
        $mailyotobefree = "anemail@someone.com";
        $mailyotobefree = preg_replace($find, "", $mailyotobefree);
        $subject = preg_replace($find, "", $subject);
        $mailmessageforthewinyo = preg_replace($find, "", $mailmessageforthewinyo);
        $from = preg_replace($find, "", $from);
        if ($mailtoOBone == "anemail@someone.com") {

            mail($mailyotobefree, $subject, $mailmessageforthewinyo, $from);
        }
        else
        {
            $error .= "Contact Form ERROR<br>";
        }
    }

}

Also, can anyone give me any links etc for any knowledge on XSS, I would like to learn a bit more about it so I can combat it myself in the future.


Thanks.

Posted: Tue Aug 14, 2007 7:28 pm
by superdezign
If the problem is just with the mailing, then I think you may be confusing XSS with plain old insecurities. Maybe you should look into 'e-mail injection.'

Posted: Tue Aug 14, 2007 7:33 pm
by iknownothing
The Server people actually used the words XSS, so, maybe they are confusing it.. Thanks for the "term" but, I'll go hardcore on Google.

Posted: Tue Aug 14, 2007 7:43 pm
by iknownothing
OK, so I did a quick google search, and the Wiki I was reading used '%0A' and '<LF>' to explain how they can occur, they then continued on saying \n is the same thing. As I have already attempted to find \n (and \r) within the posted data, does that combat '%0A' and '<LF>' as well, or should I add these strings into the preg_replace?
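As an added illustration (not code from the thread, and Python rather than the form's PHP so it runs stand-alone), the block below models the two steps that matter for the question above: the URL-decoding the web server does before anything like $_POST exists, and the same CR/LF check the posted form applies to its header-bound fields. The sample POST bodies are constructed for this example; the header name "Bcc" is the one the form's own $find list already strips.

```python
import re
from urllib.parse import parse_qs

# Constructed sample request bodies (not taken from the thread), exactly as a
# browser sends them: application/x-www-form-urlencoded, still encoded.
CLEAN_BODY = "name=Alice&email=alice%40example.com&message=Hello"

# Variant with an extra mail header smuggled into the email field.
# %0A is LF, %3A is ':', %40 is '@'.
INJECTED_BODY = (
    "name=Alice"
    "&email=alice%40example.com%0ABcc%3Avictim%40example.com"
    "&message=Hello"
)

# Same character class the PHP form tests for line breaks: CR or LF.
HEADER_BREAK = re.compile(r"[\r\n]")


def decode_post(body):
    """Decode a form body into single values, the way PHP fills $_POST.

    This is where %0A stops being three ordinary characters and becomes a
    real newline byte, so validation has to look at the decoded value.
    """
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def header_field_is_safe(value):
    """True when a value can sit inside a mail header without ending it."""
    return HEADER_BREAK.search(value) is None


def build_from_header(fields):
    """Build the From: header, or refuse; never hand a bad value to mail()."""
    for key in ("name", "email"):
        if not header_field_is_safe(fields.get(key, "")):
            raise ValueError("header injection attempt in field %r" % key)
    return 'From: "%s" <%s>' % (fields["name"], fields["email"])


if __name__ == "__main__":
    # The decoded email field now contains a literal '\n' followed by "Bcc:"
    print(repr(decode_post(INJECTED_BODY)["email"]))
    for body in (CLEAN_BODY, INJECTED_BODY):
        try:
            print(build_from_header(decode_post(body)))
        except ValueError as exc:
            print("rejected:", exc)
```

Because the server has already turned `%0A` into a newline by the time the script sees the field, a check for `\n` and `\r` on the decoded data covers `%0A`, `%0D` and `<LF>`; they are all names for the same bytes. The text `%0A` would only survive decoding if it had been encoded twice (`%250A`), and then it is literal characters that cannot terminate a header, so adding the string "%0A" to the blocklist buys nothing. What does matter is that the check runs on every field that ends up in a header, and that the request is refused rather than cleaned when it fails.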

Posted: Tue Aug 14, 2007 9:55 pm
by feyd
Using Swiftmailer would likely avoid these problems.