Web to Email FORM Security
Posted: Mon Sep 12, 2005 5:14 pm
by ziggy1621
Hello all,
I was wondering how I can find out if my web-to-email form is vulnerable. I know it was used once for spam, so I did some work on it, and I believe I'm okay now. But bots are still attempting to use it, so I want to know if they are succeeding. Thanks.
ziggy
Posted: Mon Sep 12, 2005 5:15 pm
by feyd
Keep logs of all the emails. That'll tell you pretty quick.
Posted: Mon Sep 12, 2005 5:18 pm
by ziggy1621
feyd wrote: Keep logs of all the emails. That'll tell you pretty quick.
well I do have some logs, and am watching them. Problem is... the site is hosted, so my logs are limited. I'm looking for some scripts I could run on it myself to see if they are succeeding.
Posted: Mon Sep 12, 2005 5:21 pm
by feyd
If you post your code we may be able to tell you where you have holes.
Posted: Mon Sep 12, 2005 5:39 pm
by ziggy1621
feyd wrote: If you post your code we may be able to tell you where you have holes.
well, wouldn't that be a vulnerability in itself?
Posted: Mon Sep 12, 2005 5:57 pm
by feyd
It's your decision whether you do or you don't, but we can't really help much without seeing it. If your code is truly secure, the source code being viewable doesn't change that.
Posted: Mon Sep 12, 2005 6:12 pm
by ziggy1621
well, here she blows...
Email List Page
Code:
    // Fields come from $_REQUEST (so GET works as well as POST), except emailurl,
    // which is read from $_POST only.
    $emailpre = "$_REQUEST[emailpre]";
    $emailurl = $_POST["emailurl"];
    $emailsuf = "$_REQUEST[emailsuf]";
    $name = "$_REQUEST[name]";
    // Client address for the log line. X-Forwarded-For and Client-IP are request
    // headers supplied by the client and are preferred over REMOTE_ADDR when present.
    if (isSet($_SERVER)) {
        if (isSet($_SERVER["HTTP_X_FORWARDED_FOR"])) {
            $realip = $_SERVER["HTTP_X_FORWARDED_FOR"];
        } elseif (isSet($_SERVER["HTTP_CLIENT_IP"])) {
            $realip = $_SERVER["HTTP_CLIENT_IP"];
        } else {
            $realip = $_SERVER["REMOTE_ADDR"];
        }
    } else {
        if ( getenv( 'HTTP_X_FORWARDED_FOR' ) ) {
            $realip = getenv( 'HTTP_X_FORWARDED_FOR' );
        } elseif ( getenv( 'HTTP_CLIENT_IP' ) ) {
            $realip = getenv( 'HTTP_CLIENT_IP' );
        } else {
            $realip = getenv( 'REMOTE_ADDR' );
        }
    }
    // $spam is set here but not used further in this fragment.
    if ($emailurl=='mysite')
        $spam="1";
    else $spam="0";
    $emailwhole="$emailpre@$emailurl.$emailsuf";
    $host = @gethostbyaddr($realip);
    $siteurl ="http://www.mysite.com";
    $refer = getenv('HTTP_REFERER');
    $today = date("F j, Y, g:i a");
    $refer1 = "$refer";
    $message1 = "$name signed up with the email address $emailwhole" ;
    $message1.= "\r\n";
    $message1.="Date and time sent: $today \r\n";
    $message1.= "\r\n";
    $message1.= "\r\nReferer is : $refer1";
    $message1.= "\r\n";
    $message1.="\r\nMessage sent from : $realip\r\nHost is : $host\r\n";
    // $name and $emailwhole go into the additional headers exactly as received;
    // no \r or \n filtering is applied on this page. $webmaster is not defined
    // in this fragment, so Return-Path is empty.
    @mail("webmaster@mysite.com", "Mailing List Signup", $message1, "From: \"$name\"<$emailwhole>\r\nReply-To: $emailwhole\r\nX-Sender:$name using $emailwhole\r\nReturn-Path: $webmaster");
Refer Page Code
Code:
    $notify = 1;
    // Each field is copied into a plain variable first. The \r and \n stripping
    // that follows is applied to the $_POST entry, not to that copy.
    $emailpre = $_POST["emailpre"];
    $_POST['emailpre'] = preg_replace("/\r/", "", $_POST['emailpre']);
    $_POST['emailpre'] = preg_replace("/\n/", "", $_POST['emailpre']);
    $emailurl = $_POST["emailurl"];
    $_POST['emailurl'] = preg_replace("/\r/", "", $_POST['emailurl']);
    $_POST['emailurl'] = preg_replace("/\n/", "", $_POST['emailurl']);
    $emailsuf = $_POST["emailsuf"];
    $_POST['emailsuf'] = preg_replace("/\r/", "", $_POST['emailsuf']);
    $_POST['emailsuf'] = preg_replace("/\n/", "", $_POST['emailsuf']);
    $emailpre1 = $_POST["emailpre1"];
    $_POST['emailpre1'] = preg_replace("/\r/", "", $_POST['emailpre1']);
    $_POST['emailpre1'] = preg_replace("/\n/", "", $_POST['emailpre1']);
    $emailurl1 = $_POST["emailurl1"];
    $_POST['emailurl1'] = preg_replace("/\r/", "", $_POST['emailurl1']);
    $_POST['emailurl1'] = preg_replace("/\n/", "", $_POST['emailurl1']);
    $emailsuf1 = $_POST["emailsuf1"];
    $_POST['emailsuf1'] = preg_replace("/\r/", "", $_POST['emailsuf1']);
    $_POST['emailsuf1'] = preg_replace("/\n/", "", $_POST['emailsuf1']);
    $name = $_POST["name"];
    $_POST['name'] = preg_replace("/\r/", "", $_POST['name']);
    $_POST['name'] = preg_replace("/\n/", "", $_POST['name']);
    $name1 = $_POST["name1"];
    $_POST['name1'] = preg_replace("/\r/", "", $_POST['name1']);
    $_POST['name1'] = preg_replace("/\n/", "", $_POST['name1']);
    // Header keywords are removed from the copies (case-insensitively, one pass
    // per pattern), not rejected.
    $find = array("/bcc\:/i","/Content\-Type\:/i","/cc\:/i","/to\:/i");
    $name = preg_replace($find, "", $name);
    $name1 = preg_replace($find, "", $name1);
    $emailpre = preg_replace($find, "", $emailpre);
    $emailurl = preg_replace($find, "", $emailurl);
    $emailsuf = preg_replace($find, "", $emailsuf);
    $emailpre1 = preg_replace($find, "", $emailpre1);
    $emailurl1 = preg_replace($find, "", $emailurl1);
    $emailsuf1 = preg_replace($find, "", $emailsuf1);
    // $message, $siteurl, $realip, $host, $today and $webmaster are not set in
    // this fragment.
    $message .= "\r\n\t$siteurl";
    if ($emailurl=='mysite')
        $spam="1";
    elseif ($emailurl1=='mysite')
        $spam="1";
    else $spam="0";
    $emailwhole = "$emailpre@$emailurl.$emailsuf";
    $emailwhole1 = "$emailpre1@$emailurl1.$emailsuf1";
    if($notify ==1){
        $message1 = "$name using $emailwhole referred $name1 of $emailwhole1 to your site";
        $message1.="\r\nMessage sent from : $realip\r\nHost is : $host\r\nDate and time sent: $today";
        $message1.="\r\n\r\n Sent Message : $message\r\n";
        @mail("webmaster@mysite.com", "Referral notification", $message1, "From: \"$name\"<$emailwhole>\r\nReply-To: $emailwhole\r\nX-Sender:$name using $emailwhole\r\nReturn-Path: $webmaster");
    }
You'll notice that I used a split-up input for the email addresses. That's why there is a pre, url, and suf on the email addys. On the refer page, the basic code of the page I borrowed from a script off of hotscripts, so if there are errors, or easier ways, please let me know. I'm getting a little better at PHP, but still a ways off.
Thanks in advance.
ziggy
EDIT: My apologies for not using php code
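The block below is an added example, not code from ziggy's pages or from anyone in the thread. It replays the header construction of the two posted pages against constructed bot input, offline, so it runs on any PHP install without sending mail (the payloads and addresses are made up for the demonstration). Two things in the posted code make it worth running. The Email List Page puts $name and $emailwhole into the mail() headers with no filtering at all. The Refer Page copies each field into a plain variable and only then strips \r and \n from the $_POST entry, so the copies it actually uses still carry the line breaks; and its keyword blacklist is a single pass per pattern, so a value can be shaped so that removing one keyword leaves another one behind.

```php
<?php
// Added example, not code from the thread. Replays the header construction of
// the two posted pages against constructed bot input; nothing is mailed.

// What the "Refer Page" actually applies to the values it puts in headers:
// the blacklist only. Its \r and \n stripping ran on $_POST after $name,
// $emailpre, ... had been copied out, so the copies still carry CR/LF.
function refer_page_clean($value)
{
    $find = array("/bcc\:/i", "/Content\-Type\:/i", "/cc\:/i", "/to\:/i");
    return preg_replace($find, "", $value);
}

// What the "Refer Page" meant to do: strip CR/LF first, then the blacklist.
function refer_page_intended_clean($value)
{
    $value = preg_replace("/[\r\n]/", "", $value);
    return refer_page_clean($value);
}

// The additional_headers string both posted pages hand to mail(). The posted
// fragments never define $webmaster, so Return-Path is empty.
function build_headers($name, $email)
{
    return "From: \"$name\"<$email>\r\nReply-To: $email\r\n"
         . "X-Sender:$name using $email\r\nReturn-Path: ";
}

// Split a header block the way a mail server does and return the names of
// every header the form did not intend to send. A line that starts with
// whitespace is a folded continuation of the previous header, not a new one.
function unexpected_headers($headers)
{
    $expected = array('from', 'reply-to', 'x-sender', 'return-path');
    $found = array();
    foreach (preg_split("/\r\n|\r|\n/", $headers) as $line) {
        if ($line === '' || preg_match('/^[ \t]/', $line)) {
            continue;
        }
        // RFC 5322 field-name: printable US-ASCII except the colon.
        if (preg_match('/^([!-9;-~]+):/', $line, $m)) {
            $name = strtolower($m[1]);
            if (!in_array($name, $expected, true)) {
                $found[] = $name;
            }
        }
    }
    return $found;
}

// Constructed "name" values a spam bot might submit. The last one is shaped so
// that removing its inner "to:" leaves "bcc:" behind: a single-pass blacklist
// can manufacture the very token it is trying to remove.
function bot_payloads()
{
    return array(
        'plain Bcc'        => "Ziggy\r\nBcc: victim@example.invalid",
        'unlisted header'  => "Ziggy\r\nSubject: not on the blacklist",
        'blacklist bypass' => "Ziggy\r\nbcto:c: victim@example.invalid",
    );
}

// Returns, per payload and page variant, the injected header names found.
function run_cases()
{
    $results = array();
    foreach (bot_payloads() as $label => $payload) {
        $variants = array(
            'Email List Page (no cleaning)' => $payload,
            'Refer Page (as posted)'        => refer_page_clean($payload),
            'Refer Page (as intended)'      => refer_page_intended_clean($payload),
        );
        foreach ($variants as $page => $name) {
            $headers = build_headers($name, 'ziggy@mysite.com');
            $results[$label][$page] = unexpected_headers($headers);
        }
    }
    return $results;
}

foreach (run_cases() as $label => $pages) {
    echo "$label\n";
    foreach ($pages as $page => $extra) {
        printf("  %-30s injected: %s\n", $page, $extra ? implode(', ', $extra) : 'none');
    }
}
```

Run it with the php CLI. The "as posted" Refer Page column shows the blacklist catching a literal Bcc: while still letting through any header name it does not list, and turning "bcto:c:" into a working Bcc:. The "as intended" column is what the page would do if the stripping were applied to the variables it actually uses; rejecting a value that contains CR or LF, rather than cleaning it, is the safer version of that fix.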
Posted: Tue Sep 13, 2005 2:28 pm
by ziggy1621
Okay, I posted the code and now no answers.
Posted: Tue Sep 13, 2005 8:12 pm
by feyd
Patience? I, among lots of other members, have things to attend to in our own lives.
Posted: Tue Sep 13, 2005 9:06 pm
by Roja
ziggy1621 wrote: Okay, I posted the code and now no answers.
#1: Security audits take a LONG time.
#2: 24 hours isn't even a long time for a response to a normal thread.
#3: Many people (I'm one) aren't thrilled to post to threads where the author is impatient or short-tempered.
However, I will look through your code when I get a chance.
Posted: Wed Sep 14, 2005 7:54 am
by timvw
Here's a nice exercise: try to think of all the (in)valid data that spammers/users have sent (or will/can send) to your form. Make it a UnitTestCase and see what the results are. You could also use the null-mailer (don't know the real name, but you'll know what I mean if you're at that site) from http://www.lastcraft.com to make sure the e-mails aren't really sent.
At first sight, it seems hard to add in custom/fake headers because you are replacing \r and \n.
Posted: Wed Sep 14, 2005 12:55 pm
by ziggy1621
timvw wrote: Here's a nice exercise: try to think of all the (in)valid data that spammers/users have sent (or will/can send) to your form. Make it a UnitTestCase and see what the results are. You could also use the null-mailer (don't know the real name, but you'll know what I mean if you're at that site) from http://www.lastcraft.com to make sure the e-mails aren't really sent.
At first sight, it seems hard to add in custom/fake headers because you are replacing \r and \n.
My apologies on the post... I was a little impatient as I kept getting hit by bots and didn't know if they were succeeding or not.
The problem I'm running into is that since it is hosted, I'm limited on the scripts I can run. Also, I'm new at this, so please be gentle. I really don't think I can run Perl scripts on the box. But I thank you for your time and patience with me.
Posted: Thu Sep 15, 2005 10:43 am
by sheila
I hope ziggy doesn't mind me posting to this thread. I didn't see the point of starting another thread with exactly the same subject.
On my forms I'm doing something very similar to what ziggy has in his script,
Code:
    $email = $_POST['email'];
    $find = array("/\r/", "/\n/","/bcc\:/i","/Content\-Type\:/i","/cc\:/i","/to\:/i");
    // Strip-and-compare: if stripping changed anything, reject instead of using the cleaned value.
    $test_email = preg_replace($find, "", $email);
    if ($test_email != $email) {
        // redisplay form with an error message
    } else {
        // send the email - with $email as the Reply-To address
    }
Someone sent me a link to this page
http://computerbookshelf.com/email_injection/
which has this bit of code
Code:
    // Reject the address outright if it contains CR, LF, a comma, a semicolon or a quote.
    if (preg_match('/[\r\n,;\'"]/', $_POST['email'])) {
        exit('Invalid email address');
    }
    else {
        //code to send the mail
    }
This is testing for commas, semicolons and quotes as well as CR and NL. It doesn't check explicitly for To:, Cc: and other header markers, but those require \r\n to work. Does anyone have any comments about this simpler test? Does it cover everything?
Posted: Thu Sep 15, 2005 5:41 pm
by feyd
sheila wrote: This is testing for commas, semicolons and quotes as well as CR and NL. It doesn't check explicitly for To:, Cc: and other header markers, but those require \r\n to work. Does anyone have any comments about this simpler test? Does it cover everything?
Nay, it be not lookin' for CR and NL as it be a single quoted string. Change it to double quoted and it be doing just that.
Posted: Thu Sep 15, 2005 9:57 pm
by sheila
feyd wrote:Nay, it be not lookin' for CR and NL as it be a single quoted string. Change it to double quoted and it be doing just that.
It doesn't matter if it's single or double quoted, both work. I've tested it.
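The block below is an added example, not code from anyone in the thread. It is a recording mailer in the spirit of timvw's null-mailer suggestion, with a signup handler that validates the split-up fields against an allowlist and rejects the whole submission instead of cleaning it, plus sheila's pattern in both the single-quoted form she posted and the double-quoted form feyd proposed, run over the same constructed submissions. The handler, the Mailer interface, the field names, the addresses and the submissions are assumptions made for the demonstration; nothing is sent.

```php
<?php
// Added example, not code from the thread. A recording mailer stands in for
// mail(); the handler, field names, addresses and submissions are constructed.

interface Mailer
{
    public function send($to, $subject, $body, $headers);
}

// Records what would have been sent instead of sending it.
class RecordingMailer implements Mailer
{
    public $sent = array();

    public function send($to, $subject, $body, $headers)
    {
        $this->sent[] = compact('to', 'subject', 'body', 'headers');
        return true;
    }
}

// Allowlist for the split-up address. \z is used instead of $ because $ also
// matches just before a trailing newline, so '/^x$/' would accept "x\n".
function valid_parts($name, $pre, $url, $suf)
{
    return preg_match('/^[A-Za-z][A-Za-z .\'-]{0,59}\z/', $name)
        && preg_match('/^[A-Za-z0-9._%+-]{1,64}\z/', $pre)
        && preg_match('/^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\z/', $url)
        && preg_match('/^[A-Za-z]{2,24}\z/', $suf);
}

// sheila's check as posted (single-quoted) and as feyd suggested (double-quoted).
// PCRE reads the \r and \n escapes itself, so both describe the same class.
function sheila_rejects_single($v) { return (bool) preg_match('/[\r\n,;\'"]/', $v); }
function sheila_rejects_double($v) { return (bool) preg_match("/[\r\n,;'\"]/", $v); }

// Signup handler with the mailer injected. Rejects the whole submission when
// any part fails validation; nothing is "cleaned" and reused.
function handle_signup(array $f, Mailer $mailer)
{
    $name = isset($f['name']) ? $f['name'] : '';
    $pre  = isset($f['emailpre']) ? $f['emailpre'] : '';
    $url  = isset($f['emailurl']) ? $f['emailurl'] : '';
    $suf  = isset($f['emailsuf']) ? $f['emailsuf'] : '';
    if (!valid_parts($name, $pre, $url, $suf)) {
        return false;
    }
    $email   = "$pre@$url.$suf";
    $headers = "From: \"$name\" <$email>\r\nReply-To: $email";
    return $mailer->send('webmaster@mysite.com', 'Mailing List Signup',
        "$name signed up with the email address $email", $headers);
}

// True when the header block is exactly the two intended lines with no stray CR/LF.
function headers_clean($headers)
{
    $lines = explode("\r\n", $headers);
    return count($lines) === 2 && !preg_match("/[\r\n]/", implode('', $lines));
}

// Constructed submissions: one real user and the kinds of thing bots send.
function submissions()
{
    $ok = array('name' => 'Ziggy', 'emailpre' => 'ziggy', 'emailurl' => 'example', 'emailsuf' => 'com');
    return array(
        'legit'        => $ok,
        'crlf in name' => array('name' => "Ziggy\r\nBcc: victim@example.invalid") + $ok,
        'lf in local'  => array('emailpre' => "ziggy\nBcc: victim@example.invalid") + $ok,
        'trailing lf'  => array('emailsuf' => "com\n") + $ok,
        'junk suffix'  => array('emailsuf' => 'com bcc') + $ok,
        'missing'      => array('name' => 'Ziggy'),
    );
}

// Runs every submission through a fresh recorder; returns what each one did.
function run_harness()
{
    $report = array();
    foreach (submissions() as $label => $fields) {
        $mailer   = new RecordingMailer();
        $accepted = handle_signup($fields, $mailer);
        $joined   = implode(' ', $fields);
        $report[$label] = array(
            'accepted'      => $accepted,
            'clean'         => $accepted && headers_clean($mailer->sent[0]['headers']),
            'sheila_single' => sheila_rejects_single($joined),
            'sheila_double' => sheila_rejects_double($joined),
        );
    }
    return $report;
}

foreach (run_harness() as $label => $r) {
    printf("%-13s accepted=%-3s clean=%-3s sheila single/double=%s/%s\n", $label,
        $r['accepted'] ? 'yes' : 'no', $r['clean'] ? 'yes' : 'no',
        $r['sheila_single'] ? 'reject' : 'pass', $r['sheila_double'] ? 'reject' : 'pass');
}
```

Only the legitimate submission reaches the recorder, and its header block is the two intended lines. The two quotings of sheila's pattern agree on every input, because PCRE interprets \r and \n in the pattern text whichever way PHP quoted it; the only difference between them is which quote character has to be escaped. The "junk suffix" row is the limit of that denylist: it passes anything without the five forbidden characters, so it does nothing to establish that the value is an address, which is what the allowlist in valid_parts() adds. For a form with a single whole-address field, filter_var($addr, FILTER_VALIDATE_EMAIL) (PHP 5.2 and later) does that shape check.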