PHP Contact form, being exploited?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


montanaflynn
Forum Newbie
Posts: 4
Joined: Wed Nov 19, 2008 1:46 pm

PHP Contact form, being exploited?

Post by montanaflynn »

Hello, I am a young web designer, and a few clients have needed a contact form. I have one that I put together from a few Creative Commons scripts.

Now the sites that use the script are having a .tgz file show up on the server that extracts to make a fake American Express website. My clients were contacted by a phishing agency, and I immediately had my host remove the .tgz file and the .americanexpress folder (which was invisible from my FTP client) from the site.

I desperately need help finding out what is uploading the .tgz file and how it is being extracted! Thanks so much for your help, and I can't wait to become part of this community!

Here is the php script I have running on the sites:


<?php
$blockwords="boobs,butt,href";
 
if (!empty($blockwords) && !empty($_POST)) {
    $useBlocks = explode(",", $blockwords);
    foreach ($useBlocks as $blockWord) {
        foreach ($_POST as $Name => $Value) {
            $Value = trim($Value);
            $Value = strtolower($Value);
            if (!empty($Value) && strpos($Value, $blockWord) !== false) {
                exit();
            }
        }
    }
}
 
if(isset($_POST['submit'])) {
 
    $to = "fake@email.com"; 
    $subject = "DCC Leads";
    $name_field = $_POST['name'];
    $email_field = $_POST['email'];
    $phone_field = $_POST['phone'];
    $reach_field = $_POST['reach'];
    $message = $_POST['message'];
    $option = $_POST['radio'];
    $dropdown = $_POST['drop_down'];
    
    $body = " Name: $name_field\n E-Mail: $email_field\n Phone: $phone_field\n Reach By: $reach_field\n Funding Type: $dropdown\n Message:\n $message\n";
 
    mail($to, $subject, $body);
    header("Location: thanks.htm");
    
} else {
    echo "An error has occured, please contact us by phone or through our email address on the Contact page.";
}
?>
 
Syntac
Forum Contributor
Posts: 327
Joined: Sun Sep 14, 2008 7:59 pm

Re: PHP Contact form, being exploited?

Post by Syntac »

There are no problems with your script, as far as I can tell. Do you have any that write to a file?
montanaflynn
Forum Newbie
Posts: 4
Joined: Wed Nov 19, 2008 1:46 pm

Re: PHP Contact form, being exploited?

Post by montanaflynn »

First off, THANK YOU for taking the time to help me out. I'm really new to PHP (I'm only 21 years old), and I cannot have my clients be labeled as phishing sites!

This is the PHP script on the other site that has had this problem; it has some AJAX functionality and more fields.


<?php
    error_reporting(E_NOTICE);
 
    function valid_email($str)
    {
        return ( ! preg_match("/^([a-z0-9\+_\-]+)(\.[a-z0-9\+_\-]+)*@([a-z0-9\-]+\.)+[a-z]{2,6}$/ix", $str)) ? FALSE : TRUE;
    }
 
    if ($_POST['name'] != '' && $_POST['phone'] != '' && $_POST['e_mail'] != ''
        && $_POST['origin_city'] != '' && $_POST['origin_state'] != '' && $_POST['origin_zip'] != ''
        && $_POST['destination_city'] != '' && $_POST['destination_state'] != '' && $_POST['destination_zip'] != ''
        && $_POST['estimated_ship_date'] != '' && $_POST['ship_via'] != ''
        && $_POST['year1'] != '' && $_POST['make1'] != '' && $_POST['model1'] != '' && $_POST['vehicle_runs_1'] != ''
        && valid_email($_POST['e_mail']) == TRUE)
    {
        $name = $_POST['name'];
        $email = $_POST['e_mail'];
        $phone = $_POST['phone'];
        $orig_city = $_POST['origin_city'];
        $orig_state = $_POST['origin_state'];
        $orig_zip = $_POST['origin_zip'];
        $dest_city = $_POST['destination_city'];
        $dest_state = $_POST['destination_state'];
        $dest_zip = $_POST['destination_zip'];
        $ship_date = $_POST['estimated_ship_date'];
        $ship_via = $_POST['ship_via'];
        $year1 = $_POST['year1'];
        $make1 = $_POST['make1'];
        $model1 = $_POST['model1'];
        $runs1 = $_POST['vehicle_runs_1'];
        $to = 'fake@email.com';
        $headers =  'From: '.$_POST['e_mail'].''. "\r\n" .
                'Reply-To: '.$_POST['e_mail'].'' . "\r\n" .
                'X-Mailer: PHP/' . phpversion();
        $subject = "Contact Form Submission";
        $body = "Name - $name\nEmail - $email\nPhone - $phone\nDate of auto transport service need? - $ship_date\nOpen or Enclosed Car Carrier? - $ship_via\nVehicle #1 Year - $year1\nVehicle #1 Make - $make1\nVehicle #1 Model - $model1\nIs vehicle #1 in running condition? - $runs1\nPick-Up City - $orig_city\nPick-Up State - $orig_state\nPick-Up Zip Code - $orig_zip\nDelivery City - $dest_city\nDelivery State - $dest_state\nDelivery Zip Code - $dest_zip\nComment \n$comment\n";
        if(mail($to, $subject, $body, $headers))
        {//we show the good guy only in one case and the bad one for the rest.
            echo '<p style="padding-top:2px;padding-left:2px;" class="successMsg">Thank you '.$_POST['name'].'. Your message was sent!</p>';
        }
        else {
            echo "&nbsp;Message not sent. Please contact us on our phone or email.";
        }
    }
    else {
        echo '<p style="padding-top:2px;padding-left:2px;" class="errorMsg">Missing required fields or invalid email</p>';
    }
?> 
 
Syntac
Forum Contributor
Posts: 327
Joined: Sun Sep 14, 2008 7:59 pm

Re: PHP Contact form, being exploited?

Post by Syntac »

Do you have anything that writes to a file? If not, this may just be a server-level vulnerability.
Hannes2k
Forum Contributor
Posts: 102
Joined: Fri Oct 24, 2008 12:22 pm

Re: PHP Contact form, being exploited?

Post by Hannes2k »

Hi,
Syntac wrote: Do you have anything that writes to a file? If not, this may just be a server-level vulnerability.
A vulnerable include/require statement is also possible.

Check whether there is a statement somewhere like:
include([...] $variable [...]);


And read a 'PHP security tutorial' to get the basic security concepts and typical vulnerabilities in PHP.
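To make the pattern concrete, here is the include construct Hannes2k warns about in its vulnerable form beside an allow-listed form. This is an added example, not code from the thread or from the poster's sites; the page names, file paths and helper names are made up for illustration. Requires PHP 7.1+.

```php
<?php
// Added example, not code from the thread: the include pattern Hannes2k warns
// about, in its vulnerable form and in an allow-listed form. The page names
// and file paths are made up for illustration.

// VULNERABLE: the request decides which file gets included. With "../" the
// attacker can pick any .php file on the box (and on PHP before 5.3.4 a
// trailing NUL byte dropped the ".php" suffix entirely, exposing any file);
// with allow_url_include on, a URL value pulls in remote code.
function vulnerable_include(string $page): void
{
    include 'pages/' . $page . '.php';
}

// HARDENED: the request only selects a key; the file name comes from a fixed
// map owned by the application, so no request-supplied path reaches include.
const PAGES = [
    'home'    => 'pages/home.php',
    'contact' => 'pages/contact.php',
    'about'   => 'pages/about.php',
];

function resolve_page(?string $requested): string
{
    if ($requested === null || !array_key_exists($requested, PAGES)) {
        return PAGES['home'];        // unknown keys fall back to a safe default
    }
    return PAGES[$requested];
}

function safe_include(?string $requested): void
{
    $path = resolve_page($requested);
    // Second line of defence: the resolved file must really live under pages/.
    $base = realpath(__DIR__ . '/pages');
    $real = realpath(__DIR__ . '/' . $path);
    if ($base === false || $real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        return;
    }
    include $real;
}

// What a few request values resolve to (vulnerable_include is shown, not run):
foreach (['contact', '../../etc/passwd', 'http://attacker.example/shell.txt', null] as $input) {
    printf("%-40s -> %s\n", var_export($input, true), resolve_page($input));
}
```

The point of the map is that the request never supplies a path at all, only a key; the `realpath` check in `safe_include` is a second line of defence in case someone later edits the map to take values from configuration or a database.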
montanaflynn
Forum Newbie
Posts: 4
Joined: Wed Nov 19, 2008 1:46 pm

Re: PHP Contact form, being exploited?

Post by montanaflynn »

Those are the only scripts on the sites. However, my host believes it has to do with the scripts, because those sites are on a server with a lot of sites that are not affected by this .tgz file. What would the next step be? We have changed my FTP passwords, and it happened again. Maybe my computer has a keylogger or some virus? I use Mac OS X 10.4.11 for designing my sites.

No PHP includes that I saw in those scripts. I use this on my HTML page to call the script.


<form method="POST" action="http://www.mysite.com/form/mailer.php" onsubmit="return validate_form(this)" id="myform" class="cssform">
andyhoneycutt
Forum Contributor
Posts: 468
Joined: Wed Aug 27, 2008 10:02 am
Location: Idaho Falls

Re: PHP Contact form, being exploited?

Post by andyhoneycutt »

I see no vulnerabilities that could lead to someone uploading and extracting a .tgz from the code you've posted. Is there any other code that you're running than what you've posted?

-Andy
j4IzbInao
Forum Newbie
Posts: 9
Joined: Tue Oct 14, 2008 6:07 am

Re: PHP Contact form, being exploited?

Post by j4IzbInao »

Talk with your web host and get the log files; maybe you can check the access log and determine which way they have breached your site. It's a bit of a hopeless task to try to figure out what's wrong if you can't find out how they got in.
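One way to do the log triage j4IzbInao suggests, as an added example that is not part of the thread: it parses Apache/nginx combined-format access log lines and flags the requests that matter in this case. The log lines are constructed for the demo (the only request target taken from the thread is /form/mailer.php; the client addresses, other paths, timestamps and user agents are made up), and the heuristics are mine, not the forum's. Requires PHP 7+.

```php
<?php
// Added example, not code from the thread: flag the access-log entries worth
// reading first when a site has grown an unexplained archive and a hidden
// directory. Sample log lines below are constructed; only /form/mailer.php
// comes from the thread.

const KNOWN_POST_TARGETS = ['/form/mailer.php'];   // the one script that should ever receive a POST

// Apache/nginx "combined" log format.
const LOG_RE = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) \S+" (?<status>\d{3}) (?<bytes>\S+) "(?<referer>[^"]*)" "(?<ua>[^"]*)"$/';

function parse_line(string $line): ?array
{
    if (!preg_match(LOG_RE, $line, $m)) {
        return null;                                  // not a combined-format line; skip it
    }
    [$path, $query] = array_pad(explode('?', $m['path'], 2), 2, '');
    return ['ip' => $m['ip'], 'time' => $m['time'], 'method' => $m['method'],
            'path' => $path, 'query' => urldecode($query), 'status' => (int) $m['status']];
}

// Reasons a request looks suspicious; an empty list means nothing noted.
function suspicious_reasons(array $r): array
{
    $why = [];
    $p = $r['path'];
    if ($r['method'] === 'POST' && substr($p, -4) === '.php' && !in_array($p, KNOWN_POST_TARGETS, true)) {
        $why[] = 'POST to an unexpected PHP script (web shell?)';
    }
    if (preg_match('#\.(tgz|tar\.gz|tar|zip)$#i', $p)) {
        $why[] = 'archive fetched over HTTP';
    }
    if (preg_match('#/\.[^/]+#', $p)) {
        $why[] = 'access to a dot-directory (hidden from plain FTP listings)';
    }
    if (preg_match('#(\.\./|https?://|php://|\x00)#i', $r['query'])) {
        $why[] = 'include/traversal pattern in query string';
    }
    if ($r['method'] === 'PUT') {
        $why[] = 'HTTP PUT (WebDAV upload?)';
    }
    return $why;
}

function triage(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $r = parse_line($line);
        if ($r === null) continue;
        $why = suspicious_reasons($r);
        if ($why) {
            $req = $r['method'] . ' ' . $r['path'] . ($r['query'] !== '' ? '?' . $r['query'] : '');
            $hits[] = ['ip' => $r['ip'], 'time' => $r['time'], 'request' => $req, 'why' => $why];
        }
    }
    return $hits;
}

// Constructed sample: one honest form submission, then a sequence an attacker
// might leave behind. Pass a real log file as the first argument to use it instead.
$sample_log = <<<'LOG'
203.0.113.7 - - [19/Nov/2008:03:12:44 -0700] "GET /contact.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Nov/2008:03:13:10 -0700] "POST /form/mailer.php HTTP/1.1" 302 0 "http://www.mysite.com/contact.html" "Mozilla/5.0"
198.51.100.23 - - [19/Nov/2008:03:15:01 -0700] "GET /index.php?page=http%3A%2F%2F198.51.100.9%2Fx.txt HTTP/1.1" 200 4120 "-" "libwww-perl/5.805"
198.51.100.23 - - [19/Nov/2008:03:15:09 -0700] "POST /images/cache/up.php HTTP/1.1" 200 25 "-" "libwww-perl/5.805"
198.51.100.23 - - [19/Nov/2008:03:15:40 -0700] "GET /images/cache/amex.tgz HTTP/1.1" 200 48210 "-" "Wget/1.10.2"
198.51.100.23 - - [19/Nov/2008:03:16:30 -0700] "GET /.americanexpress/index.html HTTP/1.1" 200 9823 "-" "Mozilla/4.0"
LOG;

$log = ($argc > 1) ? file_get_contents($argv[1]) : $sample_log;
foreach (triage($log) as $hit) {
    printf("%s  %-15s %s\n    - %s\n", $hit['time'], $hit['ip'], $hit['request'], implode("\n    - ", $hit['why']));
}
```

The honest visitor's two lines produce nothing; every line from the second address is flagged, and the sequence (a remote-file-style query, a POST to a PHP file nobody deployed, an archive, a dot-directory) is the kind of chain to look for in the real log. Since the thread says the uploads continued after the FTP passwords were changed, the FTP log deserves the same pass, and the web log only explains the HTTP side.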
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: PHP Contact form, being exploited?

Post by Eran »

Since you don't filter the subject, you are vulnerable to header injection. You can read more on that here: http://www.php-security.org/MOPB/MOPB-34-2007.html
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: PHP Contact form, being exploited?

Post by matthijs »

Since all arguments of the mail() function are exploitable
In articles about email injection one usually only reads about header injection in the additional header parameter. Unfortunately this and the previous vulnerability prove that all parameters of the mail() function are susceptible to email injection problems.
http://www.php-security.org/MOPB/MOPB-34-2007.html

How are people validating the form fields you use in the third argument (the $message)?


 
bool mail  ( string $to  , string $subject  , string $message  [, string $additional_headers  [, string $additional_parameters  ]] )
 
A regular text field in a (contact) form may usually contain almost all characters, including newlines. How do you prevent header injection in that field?
montanaflynn
Forum Newbie
Posts: 4
Joined: Wed Nov 19, 2008 1:46 pm

Re: PHP Contact form, being exploited?

Post by montanaflynn »

Well, I have some JavaScript validation going on, which is not exactly the greatest since anyone could turn that off! How would I go about adding some more validation to the fields?
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: PHP Contact form, being exploited?

Post by Eran »

Client-side validation cannot be trusted, as requests can easily be sent directly to the PHP script. Client-side validation is for user convenience only; you should implement server-side validation and filtering (i.e., in PHP).
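The server-side validation Eran recommends, written out as an added example that is not code from the thread; it also answers matthijs's question about the message argument, since the comment field keeps its newlines but is only ever passed as the body, never as a header. Field names follow the second script posted above; the recipient and sender addresses, the helper names and the demo inputs are made up. Requires PHP 7.1+.

```php
<?php
// Added example, not code from the thread. Field names follow the second
// script posted above; the addresses, helper names and demo inputs are made up.

// Anything that ends up in a header (From, Reply-To, Subject, To) must never
// contain a line break: "\r\nBcc: ..." is how a contact form becomes a spam relay.
function header_safe(string $value): bool
{
    return preg_match('/[\r\n\x00]/', $value) === 0;
}

function clean_email($value): ?string
{
    if (!is_string($value)) return null;          // e_mail[]=... would arrive as an array
    $value = trim($value);
    if (!header_safe($value) || strlen($value) > 254) return null;
    $ok = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $ok === false ? null : $ok;
}

// Single-line fields (name, phone, city, ...): no control characters, bounded length.
function clean_line($value, int $max = 100): ?string
{
    if (!is_string($value)) return null;
    $value = trim($value);
    if ($value === '' || !header_safe($value) || strlen($value) > $max) return null;
    return preg_replace('/[\x00-\x1f\x7f]/', '', $value);
}

// Free text (the comment): newlines are legitimate here, and the value only
// ever goes into the message argument, never into the headers. Normalise line
// endings, drop the other control characters, cap the size.
function clean_text($value, int $max = 4000): string
{
    if (!is_string($value)) return '';
    $value = str_replace(["\r\n", "\r"], "\n", $value);
    $value = preg_replace('/[\x00-\x08\x0b-\x1f\x7f]/', '', $value);
    return substr($value, 0, $max);
}

const REQUIRED = ['name', 'phone', 'origin_city', 'origin_state', 'origin_zip',
    'destination_city', 'destination_state', 'destination_zip', 'estimated_ship_date',
    'ship_via', 'year1', 'make1', 'model1', 'vehicle_runs_1'];

// Returns [cleaned fields, names of the fields that failed].
function validate_submission(array $post): array
{
    $clean = [];
    $bad   = [];
    $email = clean_email($post['e_mail'] ?? null);
    if ($email === null) $bad[] = 'e_mail'; else $clean['e_mail'] = $email;
    foreach (REQUIRED as $f) {
        $v = clean_line($post[$f] ?? null);
        if ($v === null) $bad[] = $f; else $clean[$f] = $v;
    }
    $clean['comment'] = clean_text($post['comment'] ?? '');
    return [$clean, $bad];
}

// From is a fixed address on the site's own domain; putting the visitor's
// address there is both a spoofing vector and a deliverability problem. The
// visitor's validated address goes in Reply-To. Subject and To are constants.
function build_mail(array $clean, string $to, string $from): array
{
    $headers = ['From: ' . $from, 'Reply-To: ' . $clean['e_mail'],
                'Content-Type: text/plain; charset=UTF-8'];
    $body = '';
    foreach ($clean as $k => $v) {
        $body .= $k === 'comment' ? "Comment\n$v\n" : "$k - $v\n";
    }
    return [$to, 'Contact Form Submission', $body, implode("\r\n", $headers)];
}

// Demo (constructed inputs): an honest submission, then one carrying a Bcc
// injection in the e-mail field and an injected Subject line in the name field.
$honest = [
    'name' => 'Jane Doe', 'phone' => '555-0100', 'e_mail' => 'jane@example.org',
    'origin_city' => 'Boise', 'origin_state' => 'ID', 'origin_zip' => '83702',
    'destination_city' => 'Austin', 'destination_state' => 'TX', 'destination_zip' => '78701',
    'estimated_ship_date' => '2008-12-01', 'ship_via' => 'Open', 'year1' => '2004',
    'make1' => 'Honda', 'model1' => 'Civic', 'vehicle_runs_1' => 'yes',
    'comment' => "Please call before pickup.\r\nThanks!",
];
$attack = $honest;
$attack['e_mail'] = "jane@example.org\r\nBcc: victim1@example.net, victim2@example.net";
$attack['name']   = "Jane\nSubject: You have won";

foreach (['honest' => $honest, 'attack' => $attack] as $label => $post) {
    [$clean, $bad] = validate_submission($post);
    if ($bad) {
        echo "$label: rejected, bad fields: " . implode(', ', $bad) . "\n";
        continue;
    }
    [$to, $subject, $body, $headers] = build_mail($clean, 'leads@example.com', 'forms@example.com');
    echo "$label: would send to $to\n$headers\n\n";
    // mail($to, $subject, $body, $headers);   // enable when deploying
}
```

Two design choices worth noting. The only request-derived value that reaches the headers is the e-mail address, and a value containing CR, LF or NUL is rejected outright rather than silently stripped, so an injection attempt shows up as a refused submission instead of a half-mangled message. And the MOPB page linked above, which matthijs quotes as saying that every mail() parameter is susceptible, is the reason the subject and the recipient are constants here rather than anything taken from the request.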