Web to Email FORM Security

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


ziggy1621
Forum Commoner
Posts: 37
Joined: Mon Sep 12, 2005 5:12 pm

Post by ziggy1621 »

Hello all,

I was wondering how I can find out if my web to email form is vulnerable? I know it was used once for spam, so I did some work on it, and I believe I'm okay now. But bots are still attempting to use it, so I want to know if they are succeeding. Thanks.

ziggy
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

keep logs of all the emails. That'll tell you pretty quick.
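One way to do what feyd suggests from inside the script itself, as an added example that is not part of the thread: a wrapper around mail() that writes one log line per attempt and refuses to send when the header block contains any header name the form was not written to emit. On a shared host this log is the one record you control. The function name, the log path and the sample submissions are all hypothetical.

```php
<?php
// Added example (not from the thread): a wrapper around mail() that writes one
// log line per send attempt, so the site owner can tell from the log whether a
// submission managed to put extra header lines into a message. Names are hypothetical.

/**
 * Send through $sender (mail() by default, or any callable with mail()'s
 * signature) and append a JSON line describing the attempt to $logfile.
 * Attempts whose header block contains anything but the expected header
 * names are logged and NOT sent. Returns true only if the sender reported success.
 */
function logged_mail(string $to, string $subject, string $body, string $headers,
                     string $logfile, ?callable $sender = null): bool
{
    $sender = $sender ?? 'mail';
    // Header names this form is supposed to emit; everything else is a red flag.
    $allowed = ['from', 'reply-to', 'x-sender', 'return-path'];

    $seen = [];
    foreach (preg_split('/\r\n|\r|\n/', $headers) as $line) {
        if ($line === '') {
            continue;                       // trailing newline, nothing to record
        }
        // A header line is "Name: value"; a line that is not (for example a
        // folded continuation, or body text after an injected blank line)
        // cannot have come from the form handler itself.
        if (preg_match('/^([A-Za-z0-9-]+):/', $line, $m)) {
            $seen[] = strtolower($m[1]);
        } else {
            $seen[] = '<malformed>';
        }
    }
    $unexpected = array_values(array_diff(array_unique($seen), $allowed));
    $suspicious = $unexpected !== [] || preg_match('/[\r\n]/', $to . $subject) === 1;

    $sent = $suspicious ? false : (bool) $sender($to, $subject, $body, $headers);

    $entry = [
        'time'       => date('c'),
        'remote'     => $_SERVER['REMOTE_ADDR'] ?? 'cli',
        'to'         => $to,
        'subject'    => $subject,
        'headers'    => $seen,
        'unexpected' => $unexpected,
        'suspicious' => $suspicious,
        'sent'       => $sent,
    ];
    file_put_contents($logfile, json_encode($entry) . "\n", FILE_APPEND | LOCK_EX);
    return $sent;
}

// Demonstration with a sender that only records calls (nothing leaves the box).
$delivered = [];
$recorder = function ($to, $subject, $body, $headers) use (&$delivered) {
    $delivered[] = $headers;
    return true;
};
$log = sys_get_temp_dir() . '/mail-audit.log';

// Constructed normal submission: sent, nothing unexpected.
logged_mail('webmaster@mysite.com', 'Mailing List Signup', 'hello',
            "From: \"Bob\"<bob@example.com>\r\nReply-To: bob@example.com", $log, $recorder);
// Constructed injection: a CR/LF inside the name adds a Bcc line; refused and logged.
logged_mail('webmaster@mysite.com', 'Mailing List Signup', 'hello',
            "From: \"Bob\r\nBcc: victim@example.net\"<bob@example.com>", $log, $recorder);

echo file_get_contents($log);   // two JSON lines, the second with "unexpected":["bcc"]
printf("%d message(s) handed to the sender\n", count($delivered));   // 1
```

The wrapper keys off header names rather than off the raw input, so it answers the question asked here (did anything extra reach the header block?) no matter which field the newline came in through. Keep the log outside the web root, and remember that REMOTE_ADDR is the only client address the web server itself vouches for.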
ziggy1621
Forum Commoner
Posts: 37
Joined: Mon Sep 12, 2005 5:12 pm

Post by ziggy1621 »

feyd wrote:keept logs of all the emails. That'll tell you pretty quick.
well I do have some logs, and am watching them. Problem is... the site is hosted, so my logs are limited. I'm looking for some scripts I could run on it myself to see if they are succeeding.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

if you post your code we may be able to tell you where you have holes..
ziggy1621
Forum Commoner
Posts: 37
Joined: Mon Sep 12, 2005 5:12 pm

Post by ziggy1621 »

feyd wrote:if you post your code we may be able to tell you where you have holes..
well, wouldn't that be a vulnerability in itself?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

it's your decision whether you do or you don't.. but we can't really help much without seeing it. If your code is truly secure, the source code being viewable doesn't change that.
ziggy1621
Forum Commoner
Posts: 37
Joined: Mon Sep 12, 2005 5:12 pm

Post by ziggy1621 »

well, here she blows...


Email List Page

Code:

<?php
// Email list page: collect the split address fields and mail the webmaster.
$emailpre = "$_REQUEST[emailpre]";
$emailurl = $_POST["emailurl"];
$emailsuf = "$_REQUEST[emailsuf]";
$name     = "$_REQUEST[name]";

// Work out the client address. The X-Forwarded-For and Client-IP headers are
// supplied by the client or its proxy and can be set to anything, so $realip
// is informational only.
if (isset($_SERVER)) {
    if (isset($_SERVER["HTTP_X_FORWARDED_FOR"])) {
        $realip = $_SERVER["HTTP_X_FORWARDED_FOR"];
    } elseif (isset($_SERVER["HTTP_CLIENT_IP"])) {
        $realip = $_SERVER["HTTP_CLIENT_IP"];
    } else {
        $realip = $_SERVER["REMOTE_ADDR"];
    }
} else {
    if (getenv('HTTP_X_FORWARDED_FOR')) {
        $realip = getenv('HTTP_X_FORWARDED_FOR');
    } elseif (getenv('HTTP_CLIENT_IP')) {
        $realip = getenv('HTTP_CLIENT_IP');
    } else {
        $realip = getenv('REMOTE_ADDR');
    }
}

if ($emailurl == 'mysite') {
    $spam = "1";
} else {
    $spam = "0";
}

$emailwhole = "$emailpre@$emailurl.$emailsuf";
$host    = @gethostbyaddr($realip);
$siteurl = "http://www.mysite.com";
$refer   = getenv('HTTP_REFERER');
$today   = date("F j, Y, g:i a");
$refer1  = "$refer";

$message1  = "$name signed up with the email address $emailwhole";
$message1 .= "\r\n";
$message1 .= "Date and time sent: $today \r\n";
$message1 .= "\r\n";
$message1 .= "\r\nReferer is : $refer1";
$message1 .= "\r\n";
$message1 .= "\r\nMessage sent from : $realip\r\nHost is : $host\r\n";

// The form fields go into the header string exactly as received; nothing in
// this page removes CR/LF from them. $webmaster is not set anywhere in this page.
@mail("webmaster@mysite.com", "Mailing List Signup", $message1,
      "From: \"$name\"<$emailwhole>\r\nReply-To: $emailwhole\r\nX-Sender:$name using $emailwhole\r\nReturn-Path: $webmaster");
Refer Page Code

Code:

<?php
// Refer page (based on a hotscripts script): two addresses, referrer and referred.
$notify = 1;

// Each field is copied into a local variable first. The CR/LF stripping below
// writes its result back into $_POST, while it is the unstripped local copy
// that is used further down.
$emailpre = $_POST["emailpre"];
$_POST['emailpre'] = preg_replace("/\r/", "", $_POST['emailpre']);
$_POST['emailpre'] = preg_replace("/\n/", "", $_POST['emailpre']);

$emailurl = $_POST["emailurl"];
$_POST['emailurl'] = preg_replace("/\r/", "", $_POST['emailurl']);
$_POST['emailurl'] = preg_replace("/\n/", "", $_POST['emailurl']);

$emailsuf = $_POST["emailsuf"];
$_POST['emailsuf'] = preg_replace("/\r/", "", $_POST['emailsuf']);
$_POST['emailsuf'] = preg_replace("/\n/", "", $_POST['emailsuf']);

$emailpre1 = $_POST["emailpre1"];
$_POST['emailpre1'] = preg_replace("/\r/", "", $_POST['emailpre1']);
$_POST['emailpre1'] = preg_replace("/\n/", "", $_POST['emailpre1']);

$emailurl1 = $_POST["emailurl1"];
$_POST['emailurl1'] = preg_replace("/\r/", "", $_POST['emailurl1']);
$_POST['emailurl1'] = preg_replace("/\n/", "", $_POST['emailurl1']);

$emailsuf1 = $_POST["emailsuf1"];
$_POST['emailsuf1'] = preg_replace("/\r/", "", $_POST['emailsuf1']);
$_POST['emailsuf1'] = preg_replace("/\n/", "", $_POST['emailsuf1']);

$name = $_POST["name"];
$_POST['name'] = preg_replace("/\r/", "", $_POST['name']);
$_POST['name'] = preg_replace("/\n/", "", $_POST['name']);

$name1 = $_POST["name1"];
$_POST['name1'] = preg_replace("/\r/", "", $_POST['name1']);
$_POST['name1'] = preg_replace("/\n/", "", $_POST['name1']);

// Remove a fixed list of header names from the local copies (case-insensitive).
$find = array("/bcc\:/i", "/Content\-Type\:/i", "/cc\:/i", "/to\:/i");
$name      = preg_replace($find, "", $name);
$name1     = preg_replace($find, "", $name1);
$emailpre  = preg_replace($find, "", $emailpre);
$emailurl  = preg_replace($find, "", $emailurl);
$emailsuf  = preg_replace($find, "", $emailsuf);
$emailpre1 = preg_replace($find, "", $emailpre1);
$emailurl1 = preg_replace($find, "", $emailurl1);
$emailsuf1 = preg_replace($find, "", $emailsuf1);

$message .= "\r\n\t$siteurl";   // $message and $siteurl are set elsewhere in the page

if ($emailurl == 'mysite') {
    $spam = "1";
} elseif ($emailurl1 == 'mysite') {
    $spam = "1";
} else {
    $spam = "0";
}

$emailwhole  = "$emailpre@$emailurl.$emailsuf";
$emailwhole1 = "$emailpre1@$emailurl1.$emailsuf1";
if ($notify == 1) {
    // $realip, $host, $today and $webmaster are set elsewhere in the page.
    $message1  = "$name using $emailwhole referred $name1 of $emailwhole1 to your site";
    $message1 .= "\r\nMessage sent from : $realip\r\nHost is : $host\r\nDate and time sent: $today";
    $message1 .= "\r\n\r\n Sent Message : $message\r\n";
    @mail("webmaster@mysite.com", "Referral notification", $message1,
          "From: \"$name\"<$emailwhole>\r\nReply-To: $emailwhole\r\nX-Sender:$name using $emailwhole\r\nReturn-Path: $webmaster");
}
You'll notice that I used a split-up input for the email addresses. That's why there is a pre, url, and suf on the email addys. On the refer page, the basic code of the page I borrowed from a script off of hotscripts, so if there are errors, or easier ways, please let me know. I'm getting a little better at PHP, but still a ways off.

Thanks in advance.

ziggy

EDIT: My apologies for not using php code
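Both scripts above build the mail() header string by interpolating the form fields directly into it, and the email list page applies no filtering at all. In the refer page, note also that each local variable ($emailpre and so on) is assigned from $_POST before the preg_replace calls, and the stripped value is written back into $_POST rather than into the local variable, so the value that reaches the header string is the raw one. The added example below is not part of the posted code: it takes the same split fields (pre, url, suf plus the display name), shows what a CR/LF inside one field does to the header string, and puts an allow-list builder beside it that refuses anything it cannot vouch for. The function names and the attacker input are constructed for the example.

```php
<?php
// Added example, not taken from the posted scripts. The field names mirror the
// scripts' split address (pre @ url . suf) plus the display name; everything
// else (function names, the constructed attacker input) is hypothetical.

/** The scripts' approach: the fields are interpolated straight into the header string. */
function build_headers_unsafe(string $name, string $pre, string $url, string $suf): string
{
    $email = "$pre@$url.$suf";
    return "From: \"$name\"<$email>\r\nReply-To: $email\r\nX-Sender: $name using $email";
}

/**
 * Allow-list builder: every part must match a conservative grammar, the
 * assembled address must also pass filter_var(), and the display name is
 * limited to printable ASCII without quotes, backslashes or angle brackets.
 * Anything else throws; the caller then shows an error instead of mailing.
 */
function build_headers_safe(string $name, string $pre, string $url, string $suf): string
{
    // Deliberately narrower than RFC 5322: a signup form has no need for the exotic cases.
    $local  = '/^[A-Za-z0-9!#$%&\'*+\/=?^_`{|}~.-]{1,64}$/';
    $domain = '/^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*$/';
    $tld    = '/^[A-Za-z]{2,24}$/';
    if (!preg_match($local, $pre) || !preg_match($domain, $url) || !preg_match($tld, $suf)) {
        throw new InvalidArgumentException('address part rejected');
    }
    $email = "$pre@$url.$suf";
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('assembled address rejected');
    }
    // CR, LF and every other control character fall outside [ -~], so a name can
    // never start a new header line or end the header block; quotes, backslashes
    // and angle brackets are excluded so it cannot close the quoted string either.
    if (!preg_match('/^[ -~]{1,64}$/', $name) || preg_match('/["\\\\<>]/', $name)) {
        throw new InvalidArgumentException('name rejected');
    }
    return "From: \"$name\" <$email>\r\nReply-To: $email\r\nX-Sender: $name using $email";
}

// Constructed attacker input: a CR/LF inside the name field.
$badName = "Bob\r\nBcc: victim1@example.net, victim2@example.net";

echo build_headers_unsafe($badName, 'bob', 'example', 'com'), "\n---\n";
// The Bcc line now sits between From: and Reply-To: (and again after X-Sender:,
// because $name is interpolated twice); mail() hands the whole block to the MTA
// as if the script had written it.

try {
    echo build_headers_safe($badName, 'bob', 'example', 'com');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";      // rejected: name rejected
}
try {
    echo build_headers_safe('Bob', "bob\r\nBcc: victim@example.net", 'example', 'com');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";      // rejected: address part rejected
}
echo build_headers_safe('Bob', 'bob', 'example', 'com'), "\n";  // the three intended header lines
```

The builder rejects instead of stripping: a strip-and-continue filter has to enumerate every header name and every line-ending variant an attacker might use, whereas an allow-list only has to describe the handful of characters an address and a name legitimately contain. Because $name appears in two headers in the posted scripts, the same check must protect both occurrences, which is why it is applied once, before the string is built.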
ziggy1621
Forum Commoner
Posts: 37
Joined: Mon Sep 12, 2005 5:12 pm

Post by ziggy1621 »

Okay, I post the code and now no answers
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

patience? I, among lots of other members have things to attend to in our own lives.. :roll:
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

ziggy1621 wrote:Okay, I post the code and now no answers
#1: Security audits take a LONG time.
#2: 24 hours isn't even a long time for a response to a normal thread.
#3: Many people (I'm one) aren't thrilled to post to threads where the author is impatient or short-tempered.

However, I will look through your code when I get a chance.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Here's a nice exercise: Try to think of all the (in)valid data that spammers/users have sent (or will/can send) to your form.. Make it a UnitTestCase and see what the results are.. You could also use the null-mailer (don't know the real name, but you'll know what i mean if you're at that site) from http://www.lastcraft.com to make sure the e-mails aren't really sent :)

At first sight, it seems hard to add in custom/fake headers because you are replacing \r and \n.
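The exercise timvw describes, as an added example in plain PHP rather than SimpleTest (and not part of the thread): the form handler takes its mailer as a parameter, so a recording closure can stand in for mail() and the test can inspect exactly what would have gone out. The handler, the fixture list and all names are hypothetical; the same fixtures drop into a SimpleTest UnitTestCase by turning the final check into an assertion method.

```php
<?php
// Added example (not from the thread, not SimpleTest code): a form handler with
// an injectable transport, a recording stand-in for mail(), and a fixture list
// of valid and hostile submissions. All names are hypothetical. PHP 7.1+.

/** Minimal handler under test: validates the fields, then hands off to $transport. */
function handle_signup(array $post, callable $transport): bool
{
    $email = $post['email'] ?? '';
    $name  = $post['name'] ?? '';
    // Reject rather than strip: any CR or LF means the value was never an address.
    if (preg_match('/[\r\n]/', $email . $name)
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $headers = "From: $email\r\nReply-To: $email";
    return (bool) $transport('webmaster@mysite.com', 'Mailing List Signup',
                             "$name signed up with $email", $headers);
}

/** Stand-in for mail(): records each call in $sent instead of sending anything. */
function make_recorder(array &$sent): callable
{
    return function ($to, $subject, $body, $headers) use (&$sent) {
        $sent[] = ['to' => $to, 'subject' => $subject, 'headers' => $headers];
        return true;
    };
}

/** Constructed fixtures: label => [POST data, whether a mail must go out]. */
$cases = [
    'plain address'         => [['email' => 'bob@example.com', 'name' => 'Bob'], true],
    'lf in email'           => [['email' => "bob@example.com\nBcc: x@example.net", 'name' => 'Bob'], false],
    'crlf in name'          => [['email' => 'bob@example.com', 'name' => "Bob\r\nCc: y@example.net"], false],
    'bare cr in email'      => [['email' => "bob@example.com\rBcc: z@example.net", 'name' => 'Bob'], false],
    // A header word with no newline is harmless: it lands in the body, not the headers.
    'header word, no newline' => [['email' => 'bob@example.com', 'name' => 'Bcc: w@example.net'], true],
    'missing fields'        => [[], false],
];

/** Run every fixture; return the labels that did not behave as expected. */
function run_cases(array $cases): array
{
    $failures = [];
    foreach ($cases as $label => [$post, $expectSent]) {
        $sent = [];
        $result = handle_signup($post, make_recorder($sent));
        $ok = $result === $expectSent && count($sent) === ($expectSent ? 1 : 0);
        // When a mail did go out, the header block must hold exactly the two
        // lines the handler writes and nothing a field could have appended.
        if ($ok && $expectSent) {
            $ok = count(preg_split('/\r\n/', $sent[0]['headers'])) === 2;
        }
        if (!$ok) {
            $failures[] = $label;
        }
    }
    return $failures;
}

$failures = run_cases($cases);
echo ($failures ? 'FAILED: ' . implode(', ', $failures) : 'all cases passed'), "\n";
```

The point of the recorder is the last check: a test that only asks "was the submission refused?" cannot catch a handler that accepts hostile input and sends it, whereas counting the header lines that actually reached the transport does. Running this on a shared host needs nothing beyond the PHP CLI, since no mail is sent.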
ziggy1621
Forum Commoner
Posts: 37
Joined: Mon Sep 12, 2005 5:12 pm

Post by ziggy1621 »

timvw wrote:Here's a nice exercise: Try to think of all the (in)valid data that spammers/users have sent (or will/can send) to your form.. Make it a UnitTestCase and see what the results are.. You could also use the null-mailer (don't know the real name, but you'll know what i mean if you're at that site) from http://www.lastcraft.com to make sure the e-mails aren't really sent :)

At first sight, it seems hard to add in custom/fake headers because you are replacing \r and \n.
My apologies on the post... I was a little impatient as I kept getting hit by bots and didn't know if they were succeeding or not.

The problem I'm running into is that since it is hosted, I'm limited on the scripts I can run. Also, I'm new at this, so please be gentle ;). I really don't think i can run perl scripts on the box. But I thank you for your time and patience with me.
sheila
Forum Commoner
Posts: 98
Joined: Mon Sep 05, 2005 9:52 pm
Location: Texas

Post by sheila »

I hope ziggy doesn't mind me posting to this thread. I didn't see the point of starting another thread with exactly the same subject.

On my forms I'm doing something very similar to what ziggy has in his script,

Code:

$email = $_POST['email'];
$find = array("/\r/", "/\n/","/bcc\:/i","/Content\-Type\:/i","/cc\:/i","/to\:/i");
$test_email = preg_replace($find, "", $email); 
if ($test_email != $email) {
   // redisplay form with an error message
} else {
   // send the email - with $email as the Reply-To address
}
Someone sent me a link to this page
http://computerbookshelf.com/email_injection/
which has this bit of code

Code:

if (preg_match(' /[\r\n,;\'"]/ ', $_POST['email'])) {
  exit('Invalid email address');
  }
else {
  //code to send the mail
  }
This is testing for commas, semicolons and quotes as well as CR and NL. It doesn't check explicitly for To:, Cc: and other header markers but those require \r\n to work. Does anyone have any comments about this simpler test? Does it cover everything?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

sheila wrote:This is testing for commas, semicolons and quotes as well as CR and NL. It doesn't check explicitly for To:, Cc: and other header markers but those require \r\n to work. Does anyone have any comments about this simplier test? Does it cover everything?
Nay, it be not lookin' for CR and NL as it be a single quoted string. Change it to double quoted and it be doing just that.
sheila
Forum Commoner
Posts: 98
Joined: Mon Sep 05, 2005 9:52 pm
Location: Texas

Post by sheila »

feyd wrote:Nay, it be not lookin' for CR and NL as it be a single quoted string. Change it to double quoted and it be doing just that.
It doesn't matter if it's single or double quoted, both work. I've tested it.
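To settle both questions in this exchange with running code, here is an added example (not from the thread): sheila's strip-and-compare check and the computerbookshelf.com character-class check side by side, the latter once with the single-quoted pattern exactly as quoted and once double-quoted, all applied to a constructed set of inputs. Function names are hypothetical.

```php
<?php
// Added example (not from the thread): the two checks posted above, side by side,
// applied to constructed inputs, plus the single- vs double-quoted pattern comparison.

/** sheila's check: strip the unwanted sequences and compare with the original. */
function check_strip_compare(string $email): bool
{
    $find = ["/\r/", "/\n/", "/bcc\:/i", "/Content\-Type\:/i", "/cc\:/i", "/to\:/i"];
    return preg_replace($find, '', $email) === $email;
}

/** The computerbookshelf.com check, exactly as quoted (single-quoted pattern). */
function check_charclass_single(string $email): bool
{
    // In a single-quoted PHP string \r and \n stay as two characters each; PCRE
    // itself understands those escapes, so the class still contains CR and LF.
    // PHP skips the leading space before the delimiter and ignores the trailing
    // one in the modifier position, so the pattern compiles as written.
    return !preg_match(' /[\r\n,;\'"]/ ', $email);
}

/** Same check with a double-quoted pattern: PHP substitutes the real bytes first. */
function check_charclass_double(string $email): bool
{
    return !preg_match("/[\r\n,;'\"]/", $email);
}

/** Constructed inputs covering the cases the two checks treat differently. */
$inputs = [
    'plain'                   => 'bob@example.com',
    'lf injection'            => "bob@example.com\nBcc: x@example.net",
    'cr only'                 => "bob@example.com\rBcc: x@example.net",
    'comma list'              => 'bob@example.com, carol@example.net',
    'quoted local part'       => '"bob smith"@example.com',
    'header word, no newline' => 'bcc:bob@example.com',
];

function compare_checks(array $inputs): array
{
    $rows = [];
    foreach ($inputs as $label => $value) {
        $rows[$label] = [
            'strip_compare' => check_strip_compare($value),
            'class_single'  => check_charclass_single($value),
            'class_double'  => check_charclass_double($value),
        ];
    }
    return $rows;
}

foreach (compare_checks($inputs) as $label => $r) {
    printf("%-25s strip/compare=%s  class(single)=%s  class(double)=%s\n", $label,
        $r['strip_compare'] ? 'accept' : 'reject',
        $r['class_single']  ? 'accept' : 'reject',
        $r['class_double']  ? 'accept' : 'reject');
}
```

Running it shows the two character-class variants agreeing on every input, which is what sheila reports. It also shows where the two approaches differ: strip-and-compare lets a comma-separated list through into Reply-To, while the character class rejects it along with a quoted local part such as "bob smith"@example.com, a legitimate but rare address. The "bcc:" input with no newline is rejected only by strip-and-compare, and harmlessly so, since without a CR/LF the word can never start a header line; that is the point sheila makes about the header-marker filters.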