
Could this mail form be vulnerable? (Perhaps to spam others)

Posted: Sat Sep 24, 2005 10:06 am
by questioner
feyd | Please use [code] and [/code] tags where appropriate when posting code. Read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171)


Hi.

My host cancelled my account because they were receiving Spamhaus complaints.

I don't send spam, and I only manage a blog and a phpBB forum on my website.

I suspect the only way to send spam from my website is through this email form, where visitors send me their comments:

email-form.html
-------------------

```html
<form method="post" action="send-mail.php">
Your email address:<br>
<input type="text" size="56" name="email"><br>
Your name:<br>
<input type="text" size="56" name="name"><br>
Text:<br>
<textarea name="text" rows="7" cols="60" wrap="off"></textarea><br>
<input type="submit" value="Send">
</form>
```

send-mail.php
-----------

```php
<?php
// As posted, the script relied on register_globals, so $email, $name and
// $text arrived straight from the form. Reading them from $_POST makes that
// explicit; nothing is validated, which is the point under discussion.
$email = $_POST['email'];
$name  = $_POST['name'];
$text  = $_POST['text'];

$to = "myemail@mydomain.com";
$subject = "Sent Menssage";
$body = "Message Body \n";
$body = $body . "----------------------- \n";
$body = $body . $email . "\n";
$body = $body . "----------------------- \n";
$body = $body . $name . "\n";
$body = $body . "----------------------- \n";
$body = $body . $text . "\n";
// $email goes into a header line unchecked: a CR/LF inside it starts a new header.
$headers = "From: $email";
mail($to, $subject, $body, $headers);
```

Could these scripts be cracked to send spam?

Thank you very much.



Posted: Sat Sep 24, 2005 10:14 am
by hawleyjr
Does this email form go to you or the email address the users enters in the form?

Posted: Sat Sep 24, 2005 10:19 am
by feyd
Your code allows someone to subvert your system and insert whatever they please, sending it wherever they please.

$email is the culprit of tainted data.

Posted: Sat Sep 24, 2005 10:26 am
by questioner
Hi hawleyjr, thank you very much for answering my question.

'myemail@mydomain.com' is my mailbox, so the messages are always sent to me, since the value of '$to' can't be modified. Can it?

Posted: Sat Sep 24, 2005 10:29 am
by hawleyjr
questioner wrote:
> Hi hawleyjr, thank you very much for answering my question.
> 'myemail@mydomain.com' is my mailbox, so the messages are always sent to me, since the value of '$to' can't be modified. Can it?

Did you receive a bunch of emails with the subject "Sent Menssage"? (Should be "Message".)

Posted: Sat Sep 24, 2005 10:29 am
by questioner
feyd wrote:
> $email is the culprit of tainted data.

But the '$email' value is the email of the person who sends me the message, and it's only for my information. The message, I think, is always sent to the '$to' value. Or can anybody modify '$to'?

Thank you very much for your answers.

Posted: Sat Sep 24, 2005 10:30 am
by feyd
Last I checked, it can, along with BCC and CC being added; insertion of literally anything is possible from the code I see here.
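To make feyd's point concrete, here is an added example (not code from the thread, and written in Python rather than PHP so it runs without a mail server). It rebuilds the exact message that the posted send-mail.php produces, in the form PHP's mail() hands to sendmail on Unix (its own To: and Subject: lines, then the extra headers verbatim, a blank line, the body), and then parses the result to show which addresses would actually be delivered to. All addresses and field values are constructed for the example.

```python
"""A line break in the form's email field becomes a new mail header.

Added example, not code from the original post. It mirrors in Python what
PHP's mail() hands to sendmail, so the effect can be inspected offline.
Every address below is constructed for the example."""
from email import message_from_string

TO = "myemail@mydomain.com"
SUBJECT = "Sent Menssage"


def build_message(email, name, text):
    """Same construction as the posted script: the raw email field is
    dropped into the From: header with no validation at all."""
    body = "Message Body \n"
    body += "----------------------- \n"
    body += email + "\n"
    body += "----------------------- \n"
    body += name + "\n"
    body += "----------------------- \n"
    body += text + "\n"
    headers = "From: " + email          # the injection point
    # mail() on Unix writes its own To:/Subject: lines, then $headers verbatim,
    # then the blank line that ends the header block, then the body.
    return "To: %s\nSubject: %s\n%s\n\n%s" % (TO, SUBJECT, headers, body)


def recipients(raw):
    """Addresses sendmail -t would deliver to: To, Cc and Bcc combined."""
    msg = message_from_string(raw)
    addrs = []
    for field in ("To", "Cc", "Bcc"):
        for value in msg.get_all(field, []):
            addrs.extend(a.strip() for a in value.split(","))
    return addrs


def body_of(raw):
    """The message body as the mail parser sees it (after the first blank line)."""
    return message_from_string(raw).get_payload()


# A legitimate submission reaches only the site owner.
HONEST = build_message("alice@example.com", "Alice", "Hello")

# An "email" carrying a line break appends a Bcc: header; every address on it
# becomes a recipient and the site is now relaying spam.
SPAM = build_message(
    "nobody@example.com\nBcc: victim1@example.org, victim2@example.org",
    "Bob", "Buy now")

# Two line breaks end the header block: everything after them is a body the
# attacker chose, and the script's own body is merely appended to it.
TAKEOVER = build_message("nobody@example.com\n\nBuy now", "Bob", "ignored")

if __name__ == "__main__":
    print(recipients(HONEST))
    print(recipients(SPAM))
    print(body_of(TAKEOVER).splitlines()[0])
```

Note that the attacker never touches `$to`: the owner still receives a copy, which is exactly the "20-30 emails per day" symptom described in the thread, while the Bcc recipients receive the same message.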

Posted: Sat Sep 24, 2005 10:32 am
by questioner
hawleyjr wrote:
> Did you receive a bunch of emails with the subject "Sent Menssage"? (Should be "Message".)

Yes, I receive 20-30 emails per day.

Yes, it should be 'Message'. In fact, it's "Message from the form of mydomain.com", so that it serves as a heads-up.

Posted: Sat Sep 24, 2005 10:32 am
by hawleyjr
Feyd is right; you need to validate that $email is an email address.

Posted: Sat Sep 24, 2005 10:33 am
by questioner
feyd wrote:
> Last I checked, it can, along with BCC and CC being added; insertion of literally anything is possible from the code I see here.

And how can I modify this code to stop anybody from sending spam through it?

Posted: Sat Sep 24, 2005 10:36 am
by questioner
OK. For now, I'm going to send this thread to my host in order to get my account restored.

I'm going to remove the email form and design a more secure one.

Thank you very much, guys!

Posted: Sat Sep 24, 2005 9:13 pm
by timvw
Btw, you might want to read stuff like http://securephp.damonkohler.com/index. ... _Injection to get inspired about how to exploit a mail form :p

Posted: Wed Oct 05, 2005 4:57 pm
by Luke
timvw wrote:
> Btw, you might want to read stuff like http://securephp.damonkohler.com/index. ... _Injection to get inspired about how to exploit a mail form :p

Good link... I read that whole thing. That's pretty scary. I am now checking all of my email forms. Thanks a lot!

Posted: Thu Oct 06, 2005 4:06 pm
by matthijs
Hi questioner,
You could build something like this into your contact form to make it more secure:

```php
function safe($name) {
    // Blocklist: strips line breaks and a few header names. Note that it also
    // removes a harmless "to:" or "cc:" that appears inside ordinary text.
    return str_ireplace(array("\r", "\n", "%0a", "%0d", "Content-Type:", "bcc:", "to:", "cc:"), "", $name);
}
```
And then:

```php
// Requires the form's submit button to carry name="submit".
if (isset($_POST['submit'])) {

    $to      = 'myname@domain.com';
    $from    = $_POST['name'];
    $email   = $_POST['email'];
    $message = $_POST['message'];
    $subject = $_POST['subject'];

    $from    = safe($from);
    $email   = safe($email);
    $subject = safe($subject);
    $message = safe($message);   // also flattens any line breaks in the visitor's text

    // Build the body from the cleaned fields. (The version first posted here
    // assigned $message to itself and lost the visitor's text.)
    $body  = $from . ' said: ' . "\r\n";
    $body .= $message;
    $headers = "From: $email";

    mail($to, $subject, $body, $headers);

}
```
Or, to stop the spambots from sending anything:

```php
function isInjection($text) {
    $text = strtolower($text);
    if (preg_match('#(content\s*-\s*disposition)|(bcc\:)|(cc\:)|(content\s*-\s*transfer\s*-\s*encoding)|(mime\s*-\s*version)|(multipart\s*/\s*mixed)|(multipart\s*/\s*alternative)|(multipart\s*/\s*related)|(reply\s*-\s*to)|(x\s*-\s*mailer)|(x\s*-\s*sender)|(x\s*-\s*uidl)#is', $text)) {
        return true;
    } else {
        return false;
    }
}

// Check every posted field before anything is mailed.
foreach ($_POST as $value) {
    if (isInjection($value) !== false) {
        mail('admin@somewhere.com', 'Spammer Bot Attempt', $_SERVER['REMOTE_ADDR']);
        exit("{$_SERVER['REMOTE_ADDR']} Has been Recorded");
    }
}
```
If for any $value the function is not false (!==), we mail ourselves that an injection attempt was made and exit the whole script. Of course, if you get tired of those warning mails, you can leave out the mail piece.

This code could possibly be improved (please let me know), but as far as I know it works in preventing those email injection attacks.

There's some good write up here:
http://www.nyphp.org/phundamentals/emai ... ection.php

Posted: Thu Oct 06, 2005 6:18 pm
by Skara
Reading that page, you should also add the subject, to, etc. lines to that last regex.