Could this mail form be vulnerable? (Perhaps to spam others)

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


questioner
Forum Newbie
Posts: 6
Joined: Sat Sep 24, 2005 10:02 am


Post by questioner »

feyd | Please use [code] and [/code] tags where appropriate when posting code. Read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171)


Hi.

My host cancelled my account because they were receiving Spamhaus complaints.

I don't carry out spam and I only manage a blog and a phpBB forum within my website.

I suspect the only way to send spam from my website is through this email form where visitors send me their comments:

email-form.html
-------------------

<form method="post" action="send-mail.php">
Your email address:<br>
<input type="text" size="56" name="email"><br>
Your name:<br>
<input type="text" size="56" name="name"><br>
Text:<br>
<textarea name="text" rows="7" cols="60" wrap="off"></textarea><br>
<input type="submit" value="Send">
</form>
---------

send-mail.php
-----------

<?php
// As posted: the visitor-supplied $email goes straight into the From: header.
// The original relied on register_globals; the form fields are read explicitly here.
$email = $_POST['email'];
$name  = $_POST['name'];
$text  = $_POST['text'];

$to = "myemail@mydomain.com";
$subject = "Sent Menssage";
$body = "Message Body \n";
$body = $body . "----------------------- \n";
$body = $body . $email . "\n";
$body = $body . "----------------------- \n";
$body = $body . $name . "\n";
$body = $body . "----------------------- \n";
$body = $body . $text . "\n";
$headers = "From: $email";
mail($to, $subject, $body, $headers);
?>
-------------

Could these scripts be cracked to send spam?

Thank you very much.


hawleyjr
BeerMod
Posts: 2170
Joined: Tue Jan 13, 2004 4:58 pm
Location: Jax FL & Spokane WA USA

Post by hawleyjr »

Does this email form go to you or to the email address the user enters in the form?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Your code allows someone to subvert your systems and insert whatever they please, sending it wherever they please.

$email is the culprit of tainted data.
questioner
Forum Newbie
Posts: 6
Joined: Sat Sep 24, 2005 10:02 am

Post by questioner »

Hi hawleyjr, thank you very much for answering my question.

'myemail@mydomain.com' is my mailbox. So the messages are always sent to me, since the value '$to' can't be modified, can it?
hawleyjr
BeerMod
Posts: 2170
Joined: Tue Jan 13, 2004 4:58 pm
Location: Jax FL & Spokane WA USA

Post by hawleyjr »

questioner wrote: Hi hawleyjr, thank you very much for answering my question.

'myemail@mydomain.com' is my mailbox. So the messages are always sent to me, since the value '$to' can't be modified, can it?

Did you receive a bunch of emails with the subject "Sent Menssage"? (Should be "Message".)
questioner
Forum Newbie
Posts: 6
Joined: Sat Sep 24, 2005 10:02 am

Post by questioner »

feyd wrote: $email is the culprit of tainted data.

But the '$email' value is the email of the person who sends me the message, and it's only for my information. The message, I think, is always sent to the '$to' value, or can anybody modify '$to'?

Thank you very much for your answers.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Last I checked, it can, along with BCC and CC being added; insertion of literally anything is possible from the code I see here.
questioner
Forum Newbie
Posts: 6
Joined: Sat Sep 24, 2005 10:02 am

Post by questioner »

hawleyjr wrote: Did you receive a bunch of emails with the subject "Sent Menssage"? (Should be "Message".)

Yes, I receive 20-30 emails per day.

Yes, it should be 'Message'. In fact, it's "Message from the form of mydomain.com", as a heads-up.
hawleyjr
BeerMod
Posts: 2170
Joined: Tue Jan 13, 2004 4:58 pm
Location: Jax FL & Spokane WA USA

Post by hawleyjr »

Feyd is right; you need to validate that $email is an email address.
questioner
Forum Newbie
Posts: 6
Joined: Sat Sep 24, 2005 10:02 am

Post by questioner »

feyd wrote: Last I checked, it can, along with BCC and CC being added; insertion of literally anything is possible from the code I see here.

And how can I modify this code to stop anybody from sending spam?
questioner
Forum Newbie
Posts: 6
Joined: Sat Sep 24, 2005 10:02 am

Post by questioner »

OK. For now, I'm going to send this thread to my host in order to restore my account.

I'm going to remove the email form and design a more secure one.

Thank you very much, guys!
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Btw, might want to read stuff like http://securephp.damonkohler.com/index. ... _Injection to get inspired about how to exploit a mailform :p
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

timvw wrote:Btw, might want to read stuff like http://securephp.damonkohler.com/index. ... _Injection to get inspired about how to exploit a mailform :p
Good link... I read that whole thing. That's pretty scary. I am now checking all of my email forms. Thanks a lot!
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

Hi questioner,
You could build something like this in your contact form to make it more secure:

<?php
// Strips line breaks (raw and URL-encoded) and the common header names from a value
function safe($name) {
    return str_ireplace(array("\r", "\n", "%0a", "%0d", "Content-Type:", "bcc:", "to:", "cc:"), "", $name);
}
And then:

<?php
// Requires the safe() function above
if (isset($_POST['submit'])) {

    $to      = 'myname@domain.com';
    $from    = $_POST['name'];
    $email   = $_POST['email'];
    $message = $_POST['message'];
    $subject = $_POST['subject'];

    // Note: safe() also removes line breaks from the message body itself
    $from    = safe($from);
    $email   = safe($email);
    $subject = safe($subject);
    $message = safe($message);

    // Build the body in its own variable so the visitor's text is not overwritten
    $body  = $from . ' said: ' . "\r\n";
    $body .= $message;
    $headers = "From: $email";

    mail($to, $subject, $body, $headers);

}
Or, to stop the spambots from sending anything:

<?php
// Returns true if a value contains header names or MIME tokens that never belong in a form field
function isInjection($text) {
    $text = strtolower($text);
    if (preg_match('#(content\s*-\s*disposition)|(bcc\:)|(cc\:)|(content\s*-\s*transfer\s*-\s*encoding)|(mime\s*-\s*version)|(multipart\s*/\s*mixed)|(multipart\s*/\s*alternative)|(multipart\s*/\s*related)|(reply\s*-\s*to)|(x\s*-\s*mailer)|(x\s*-\s*sender)|(x\s*-\s*uidl)#is', $text)) {
        return true;
    } else {
        return false;
    }
}

foreach ($_POST as $value) {
    if (isInjection($value) !== FALSE) {
        mail('admin@somewhere.com', 'Spammer Bot Attempt', $_SERVER['REMOTE_ADDR']);
        exit("{$_SERVER['REMOTE_ADDR']} Has been Recorded");
    }
}
If for any $value the function is not false (!==), we mail ourselves that an injection attempt has been made, and exit the complete script. Of course, if you get tired of those warning mails, you could leave out the mail piece.

This code could possibly be improved (please let me know), but as far as I know it works in preventing those email injection attacks.

There's a good write-up here:
http://www.nyphp.org/phundamentals/emai ... ection.php
Skara
Forum Regular
Posts: 703
Joined: Sat Mar 12, 2005 7:13 pm
Location: US

Post by Skara »

Reading that page, you should also add the subject:, to:, etc. lines to that last regex.
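A hardened replacement for the posted send-mail.php, added here as an example (not code from anyone in this thread): it applies feyd's point that $email is the only visitor value reaching a header, matthijs' idea of scanning every posted field, and Skara's addition of to: and subject: to the header list. It assumes the original form's field names; the owner address is a placeholder.

```php
<?php
// Hardened send-mail.php: added example, not code from the thread. Assumes the
// original form's fields 'email', 'name', 'text'; the owner address is a placeholder.

// True if a posted value looks like an injected header: a line break followed by
// one of the header names discussed above (to: and subject: added per Skara).
// A legitimate multi-line message still passes, unlike a blanket newline strip.
function looksLikeHeaderInjection($value) {
    $pattern = '/(\r|\n)\s*(to|cc|bcc|from|subject|reply-to|content-type|'
             . 'content-transfer-encoding|mime-version)\s*:/i';
    return is_string($value) && preg_match($pattern, $value) === 1;
}

// The only visitor value that reaches a header. filter_var accepts exactly one
// address and nothing else, so a line break or a second address makes it fail.
function validSenderEmail($value) {
    return is_string($value) && filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

// Assemble the mail() arguments, or return false if the submission is refused.
function buildMessage(array $post, $owner) {
    foreach ($post as $value) {
        if (looksLikeHeaderInjection($value)) {
            return false;
        }
    }
    $email = isset($post['email']) ? trim($post['email']) : '';
    if (!validSenderEmail($email)) {
        return false;
    }
    $name = isset($post['name']) ? trim($post['name']) : '';
    $text = isset($post['text']) ? $post['text'] : '';
    // To and Subject are fixed. The visitor's address goes into Reply-To so
    // From stays the site's own address (avoids tripping SPF/DMARC checks).
    $headers = "From: $owner\r\nReply-To: $email";
    $body  = "-----------------------\n$email\n-----------------------\n";
    $body .= "$name\n-----------------------\n$text\n";
    return array('to' => $owner, 'subject' => 'Message from the form of mydomain.com',
                 'body' => $body, 'headers' => $headers);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $msg = buildMessage($_POST, 'myemail@mydomain.com');
    if ($msg === false) {
        // Log the attempt rather than mailing yourself about each one.
        error_log('mail form: rejected submission from ' . $_SERVER['REMOTE_ADDR']);
        exit('Invalid input.');
    }
    mail($msg['to'], $msg['subject'], $msg['body'], $msg['headers']);
}
```

Rejecting instead of stripping means a bot gets nothing to probe, and the web server's error log gives you a record of attempts to show your host.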