Web to Email FORM Security
Hello all,
I was wondering how I can find out if my web to email form is vulnerable? I know it was used once for spam, so I did some work on it, and I believe I'm okay now. But bots are still attempting to use it, so I want to know if they are succeeding. Thanks.
ziggy
well, here she blows...
You'll notice that I used a split-up input for the email addresses. That's why there is a pre, url, and suf on the email addys. On the refer page, the basic code of the page I borrowed from a script off of hotscripts, so if there are errors, or easier ways, please let me know. I'm getting a little better at PHP, but still a ways off.
Email List Page
Code: Select all
// The address arrives as three inputs and is reassembled below as pre@url.suf.
// $_POST is used for all four fields (one field used $_REQUEST, which also
// accepts GET and cookie values).
$emailpre = $_POST["emailpre"];
$emailurl = $_POST["emailurl"];
$emailsuf = $_POST["emailsuf"];
$name     = $_POST["name"];
// Note: none of these values is checked for CR or LF before it is placed in
// the mail() headers at the bottom of this page.

// Client IP, preferring proxy headers. X-Forwarded-For and Client-IP are sent
// by the client, so $realip (and the reverse lookup on it) can be forged.
if (isset($_SERVER)) {
    if (isset($_SERVER["HTTP_X_FORWARDED_FOR"])) {
        $realip = $_SERVER["HTTP_X_FORWARDED_FOR"];
    } elseif (isset($_SERVER["HTTP_CLIENT_IP"])) {
        $realip = $_SERVER["HTTP_CLIENT_IP"];
    } else {
        $realip = $_SERVER["REMOTE_ADDR"];
    }
} else {
    if (getenv('HTTP_X_FORWARDED_FOR')) {
        $realip = getenv('HTTP_X_FORWARDED_FOR');
    } elseif (getenv('HTTP_CLIENT_IP')) {
        $realip = getenv('HTTP_CLIENT_IP');
    } else {
        $realip = getenv('REMOTE_ADDR');
    }
}

// Flag (but do not block) signups that claim the site's own domain.
if ($emailurl == 'mysite')
    $spam = "1";
else
    $spam = "0";

$emailwhole = "$emailpre@$emailurl.$emailsuf";
$host       = @gethostbyaddr($realip);
$siteurl    = "http://www.mysite.com";
$webmaster  = "webmaster@mysite.com";  // used in Return-Path below; assumed value, the script never set it
$refer      = getenv('HTTP_REFERER');   // also client-supplied, body only
$today      = date("F j, Y, g:i a");
$refer1     = "$refer";
$message1   = "$name signed up with the email address $emailwhole";
$message1  .= "\r\n";
$message1  .= "Date and time sent: $today \r\n";
$message1  .= "\r\n";
$message1  .= "\r\nReferer is : $refer1";
$message1  .= "\r\n";
$message1  .= "\r\nMessage sent from : $realip\r\nHost is : $host\r\n";
@mail("webmaster@mysite.com", "Mailing List Signup", $message1,
      "From: \"$name\"<$emailwhole>\r\nReply-To: $emailwhole\r\nX-Sender:$name using $emailwhole\r\nReturn-Path: $webmaster");
Refer Page Code
Code: Select all
$notify = 1;

// Strip CR and LF from each field before it is copied into a local variable.
// Cleaning $_POST['x'] after $x has already been assigned from it leaves the
// copy used below untouched.
$emailpre  = preg_replace("/[\r\n]/", "", $_POST["emailpre"]);
$emailurl  = preg_replace("/[\r\n]/", "", $_POST["emailurl"]);
$emailsuf  = preg_replace("/[\r\n]/", "", $_POST["emailsuf"]);
$emailpre1 = preg_replace("/[\r\n]/", "", $_POST["emailpre1"]);
$emailurl1 = preg_replace("/[\r\n]/", "", $_POST["emailurl1"]);
$emailsuf1 = preg_replace("/[\r\n]/", "", $_POST["emailsuf1"]);
$name      = preg_replace("/[\r\n]/", "", $_POST["name"]);
$name1     = preg_replace("/[\r\n]/", "", $_POST["name1"]);

// Blacklist of header names. Without a line break these words cannot start a
// new header, so this only matters if the CR/LF stripping above is bypassed;
// it also mangles legitimate text such as "Toronto:".
$find = array("/bcc\:/i", "/Content\-Type\:/i", "/cc\:/i", "/to\:/i");
$name      = preg_replace($find, "", $name);
$name1     = preg_replace($find, "", $name1);
$emailpre  = preg_replace($find, "", $emailpre);
$emailurl  = preg_replace($find, "", $emailurl);
$emailsuf  = preg_replace($find, "", $emailsuf);
$emailpre1 = preg_replace($find, "", $emailpre1);
$emailurl1 = preg_replace($find, "", $emailurl1);
$emailsuf1 = preg_replace($find, "", $emailsuf1);

// $message, $siteurl, $realip, $host and $today are assumed to be set earlier
// in the page (the same preamble as the email list page); this excerpt does
// not define them.
if (!isset($message)) $message = "";
$message .= "\r\n\t$siteurl";

if ($emailurl == 'mysite')
    $spam = "1";
elseif ($emailurl1 == 'mysite')
    $spam = "1";
else
    $spam = "0";

$emailwhole  = "$emailpre@$emailurl.$emailsuf";
$emailwhole1 = "$emailpre1@$emailurl1.$emailsuf1";
$webmaster   = "webmaster@mysite.com";  // used in Return-Path below; assumed value, the script never set it

if ($notify == 1) {
    $message1  = "$name using $emailwhole referred $name1 of $emailwhole1 to your site";
    $message1 .= "\r\nMessage sent from : $realip\r\nHost is : $host\r\nDate and time sent: $today";
    $message1 .= "\r\n\r\n Sent Message : $message\r\n";
    @mail("webmaster@mysite.com", "Referral notification", $message1,
          "From: \"$name\"<$emailwhole>\r\nReply-To: $emailwhole\r\nX-Sender:$name using $emailwhole\r\nReturn-Path: $webmaster");
}
Thanks in advance.
ziggy
EDIT: My apologies for not using php code
ziggy1621 wrote: Okay, I post the code and now no answers
#1: Security audits take a LONG time.
#2: 24 hours isn't even a long time for a response to a normal thread.
#3: Many people (I'm one) aren't thrilled to post to threads where the author is impatient or short-tempered.
However, I will look through your code when I get a chance.
Here's a nice exercise: Try to think of all the (in)valid data that spammers/users have sent (or will/can send) to your form. Make it a UnitTestCase and see what the results are. You could also use the null-mailer (don't know the real name, but you'll know what I mean if you're at that site) from http://www.lastcraft.com to make sure the e-mails aren't really sent.
At first sight, it seems hard to add in custom/fake headers because you are replacing \r and \n.
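What the mail() calls in ziggy's scripts actually hand to the MTA when a form field carries a newline, and the kind of input list timvw is suggesting, can be shown without sending anything. The following is an added example, not code from ziggy's pages or from timvw: it rebuilds the additional_headers string the way the scripts do, reads it back the way a mail server would, and puts a refuse-rather-than-strip replacement beside it. The names, addresses and function names are constructed for the demonstration; webmaster@mysite.com is the address the scripts use.

```php
<?php
// Added example (not the thread's code). Builds the mail() header block the
// scripts above produce, parses it back, and compares with a hardened
// version. Nothing is sent. All inputs below are constructed.

// additional_headers exactly as the scripts assemble it.
function buildHeaders($name, $emailwhole) {
    $webmaster = 'webmaster@mysite.com';   // envelope sender used by the scripts
    return "From: \"$name\"<$emailwhole>\r\nReply-To: $emailwhole\r\n"
         . "X-Sender:$name using $emailwhole\r\nReturn-Path: $webmaster";
}

// Read a header block back as name => value, splitting on CRLF, LF or CR
// the way an MTA fed via sendmail would.
function parseHeaders($block) {
    $out = array();
    foreach (preg_split("/\r\n|\n|\r/", $block) as $line) {
        if (preg_match('/^([A-Za-z0-9-]+):[ \t]*(.*)$/', $line, $m)) {
            $out[strtolower($m[1])] = $m[2];
        }
    }
    return $out;
}

// Hardened version: reject instead of strip, validate the address, and keep
// the visitor's data out of From: (it only appears in Reply-To).
function safeHeaders($name, $emailwhole) {
    if (preg_match('/[\r\n]/', $name . $emailwhole)) {
        return false;   // any CR or LF means a new header is being smuggled in
    }
    if (filter_var($emailwhole, FILTER_VALIDATE_EMAIL) === false) {
        return false;   // not a single syntactically valid address
    }
    $display = addcslashes($name, "\\\"");   // safe inside an RFC quoted-string
    return "From: Mailing List <webmaster@mysite.com>\r\n"
         . "Reply-To: \"$display\" <$emailwhole>";
}

// The (in)valid submissions to enumerate, constructed here.
$cases = array(
    'legitimate'    => array('Joe Bloggs', 'joe@example.com'),
    'CRLF in name'  => array("Joe\r\nBcc: victim@example.com", 'joe@example.com'),
    'LF in address' => array('Joe', "joe@example.com\nBcc: victim@example.com"),
    'two addresses' => array('Joe', 'joe@example.com, spam@example.com'),
);

foreach ($cases as $label => $c) {
    list($name, $email) = $c;
    $seen = parseHeaders(buildHeaders($name, $email));
    printf("%-14s original headers: %-13s hardened: %s\n", $label,
        isset($seen['bcc']) ? 'Bcc injected' : 'no Bcc',
        safeHeaders($name, $email) === false ? 'rejected' : 'accepted');
}
```

With PHP's default sendmail_path (sendmail -t -i) the MTA takes its recipients from the To:, Cc: and Bcc: headers, so a Bcc: line injected through $name or the address fields is delivered, which is how a signup form turns into a spam relay. A bare LF is enough for this, which is why the check looks for either character rather than only the pair. Rejecting on sight also leaves a clean signal for logging which submissions were attacks, something a silent strip does not give you.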
timvw wrote: Here's a nice exercise: Try to think of all the (in)valid data that spammers/users have sent (or will/can send) to your form. Make it a UnitTestCase and see what the results are. You could also use the null-mailer (don't know the real name, but you'll know what I mean if you're at that site) from http://www.lastcraft.com to make sure the e-mails aren't really sent.
At first sight, it seems hard to add in custom/fake headers because you are replacing \r and \n.
My apologies on the post... I was a little impatient as I kept getting hit by bots and didn't know if they were succeeding or not.
The problem I'm running into is that since it is hosted, I'm limited on the scripts I can run. Also, I'm new at this, so please be gentle.
I hope ziggy doesn't mind me posting to this thread. I didn't see the point of starting another thread with exactly the same subject.
On my forms I'm doing something very similar to what ziggy has in his script,
Code: Select all
$email = $_POST['email'];
// Strip CR, LF and a few header names; if anything was removed, treat the
// submission as an injection attempt instead of sending the cleaned value.
$find = array("/\r/", "/\n/", "/bcc\:/i", "/Content\-Type\:/i", "/cc\:/i", "/to\:/i");
$test_email = preg_replace($find, "", $email);
if ($test_email != $email) {
    // redisplay form with an error message
} else {
    // send the email - with $email as the Reply-To address
}
Someone sent me a link to this page
http://computerbookshelf.com/email_injection/
which has this bit of code
Code: Select all
if (preg_match(' /[\r\n,;\'"]/ ', $_POST['email'])) {
    exit('Invalid email address');
}
else {
    //code to send the mail
}
This is testing for commas, semicolons and quotes as well as CR and NL. It doesn't check explicitly for To:, Cc: and other header markers but those require \r\n to work. Does anyone have any comments about this simpler test? Does it cover everything?
feyd
sheila wrote: This is testing for commas, semicolons and quotes as well as CR and NL. It doesn't check explicitly for To:, Cc: and other header markers but those require \r\n to work. Does anyone have any comments about this simpler test? Does it cover everything?
Nay, it be not lookin' for CR and NL as it be a single quoted string. Change it to double quoted and it be doing just that.
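The quoting question and sheila's "does it cover everything?" can both be settled by running the checks. The following is an added example, not sheila's or feyd's code: it runs sheila's strip-and-compare test and the computerbookshelf character-class test over the same constructed inputs, with the preg_match pattern written once in single quotes as posted and once in double quotes. In a single-quoted PHP string \r and \n stay as two characters each, but PCRE interprets those escapes itself, so the pattern matches CR and LF either way; the stray spaces around the posted pattern are dropped here. Addresses and function names are made up for the demonstration.

```php
<?php
// Added example (not the thread's code): the two checks from sheila's post
// side by side, the character-class one in both quoting styles.
// Inputs are constructed; every function returns true to accept.

// sheila's first check: strip CR/LF and header names, reject if anything changed.
function stripAndCompare($email) {
    $find = array("/\r/", "/\n/", "/bcc\:/i", "/Content\-Type\:/i", "/cc\:/i", "/to\:/i");
    return preg_replace($find, "", $email) === $email;
}

// The computerbookshelf check, single-quoted as posted. PHP hands PCRE the
// six characters /[\r\n... and PCRE itself turns \r and \n into CR and LF.
function charClassSingle($email) {
    return !preg_match('/[\r\n,;\'"]/', $email);
}

// Same check with a double-quoted pattern: PHP converts \r and \n to the raw
// control characters before PCRE sees them. The class is identical.
function charClassDouble($email) {
    return !preg_match("/[\r\n,;'\"]/", $email);
}

$inputs = array(
    'plain address'        => 'user@example.com',
    'CRLF + Bcc'           => "user@example.com\r\nBcc: victim@example.com",
    'bare LF + Bcc'        => "user@example.com\nBcc: victim@example.com",
    'bare CR + Bcc'        => "user@example.com\rBcc: victim@example.com",
    'comma list, no CRLF'  => 'user@example.com, other@example.com',
    '"to:" word, no CRLF'  => 'toto:user@example.com',
);

printf("%-22s %-14s %-14s %-14s\n", 'input', 'strip/compare', 'class single', 'class double');
foreach ($inputs as $label => $value) {
    printf("%-22s %-14s %-14s %-14s\n", $label,
        stripAndCompare($value) ? 'accept' : 'reject',
        charClassSingle($value) ? 'accept' : 'reject',
        charClassDouble($value) ? 'accept' : 'reject');
}
```

Both quoting styles reject every input that contains a CR or an LF, and bare LF or bare CR on their own are rejected as well, which matters because sendmail accepts a lone LF as a line break. The two approaches differ elsewhere: the strip-and-compare test rejects any value containing "to:" even with no line break (a local part beginning with "toto:" would be bounced), while the character-class test lets that through but rejects a comma-separated list of addresses, which the strip test accepts and which would land in Reply-To as two recipients. Neither test checks that what remains is actually one well-formed address; that is what filter_var($email, FILTER_VALIDATE_EMAIL) adds, and it is the combination of "no CR/LF" plus "one valid address" plus a fixed From: header that closes the form to header injection.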