PHP Contact form, being exploited?
Posted: Wed Nov 19, 2008 2:08 pm
by montanaflynn
Hello, I am a young web designer, and a few clients have needed a contact form; I have one that I put together from a few Creative Commons scripts.
Now the sites that use the script are having a .tgz file show up on the server that is extracting to make a fake American Express website. My clients were contacted by a phishing agency, and I immediately had my host remove the .tgz file and the .americanexpress folder (which was invisible from my FTP client) from the site.
I desperately need help finding out what is uploading the .tgz file and how it is extracting! Thanks so much for your help, and I can't wait to become part of this community!
Here is the php script I have running on the sites:
Code:
<?php
$blockwords = "boobs,butt,href";

// Silently drop the request if any posted field contains a blocked word
if (!empty($blockwords) && !empty($_POST)) {
    $useBlocks = explode(",", $blockwords);
    foreach ($useBlocks as $blockWord) {
        foreach ($_POST as $Name => $Value) {
            $Value = strtolower(trim($Value));
            if (!empty($Value) && strpos($Value, $blockWord) !== false) {
                exit();
            }
        }
    }
}

if (isset($_POST['submit'])) {
    $to = "fake@email.com";
    $subject = "DCC Leads";
    $name_field = $_POST['name'];
    $email_field = $_POST['email'];
    $phone_field = $_POST['phone'];
    $reach_field = $_POST['reach'];
    $message = $_POST['message'];
    $option = $_POST['radio'];
    $dropdown = $_POST['drop_down'];
    $body = " Name: $name_field\n E-Mail: $email_field\n Phone: $phone_field\n Reach By: $reach_field\n Funding Type: $dropdown\n Message:\n $message\n";
    mail($to, $subject, $body);
    header("Location: thanks.htm");
} else {
    echo "An error has occurred, please contact us by phone or through our email address on the Contact page.";
}
?>
Re: PHP Contact form, being exploited?
Posted: Wed Nov 19, 2008 2:21 pm
by Syntac
There are no problems with your script, as far as I can tell. Do you have any that write to a file?
Re: PHP Contact form, being exploited?
Posted: Wed Nov 19, 2008 2:33 pm
by montanaflynn
First off, THANK YOU for taking the time to help me out.... I'm really new to PHP (I'm only 21 years old) and I cannot have my clients be labeled as phishing sites!
This is the PHP script on the other site that has had this problem; it has some AJAX functionality and more fields.
Code:
<?php
error_reporting(E_NOTICE);

function valid_email($str)
{
    return ( ! preg_match("/^([a-z0-9\+_\-]+)(\.[a-z0-9\+_\-]+)*@([a-z0-9\-]+\.)+[a-z]{2,6}$/ix", $str)) ? FALSE : TRUE;
}

if ($_POST['name'] != '' && $_POST['phone'] != '' && $_POST['e_mail'] != ''
    && $_POST['origin_city'] != '' && $_POST['origin_state'] != '' && $_POST['origin_zip'] != ''
    && $_POST['destination_city'] != '' && $_POST['destination_state'] != '' && $_POST['destination_zip'] != ''
    && $_POST['estimated_ship_date'] != '' && $_POST['ship_via'] != ''
    && $_POST['year1'] != '' && $_POST['make1'] != '' && $_POST['model1'] != '' && $_POST['vehicle_runs_1'] != ''
    && valid_email($_POST['e_mail']) == TRUE)
{
    $name = $_POST['name'];
    $email = $_POST['e_mail'];
    $phone = $_POST['phone'];
    $orig_city = $_POST['origin_city'];
    $orig_state = $_POST['origin_state'];
    $orig_zip = $_POST['origin_zip'];
    $dest_city = $_POST['destination_city'];
    $dest_state = $_POST['destination_state'];
    $dest_zip = $_POST['destination_zip'];
    $ship_date = $_POST['estimated_ship_date'];
    $ship_via = $_POST['ship_via'];
    $year1 = $_POST['year1'];
    $make1 = $_POST['make1'];
    $model1 = $_POST['model1'];
    $runs1 = $_POST['vehicle_runs_1'];
    $comment = $_POST['comment'];
    $to = 'fake@email.com';
    $headers = 'From: ' . $_POST['e_mail'] . "\r\n" .
        'Reply-To: ' . $_POST['e_mail'] . "\r\n" .
        'X-Mailer: PHP/' . phpversion();
    $subject = "Contact Form Submission";
    $body = "Name - $name\nEmail - $email\nPhone - $phone\nDate of auto transport service need? - $ship_date\nOpen or Enclosed Car Carrier? - $ship_via\nVehicle #1 Year - $year1\nVehicle #1 Make - $make1\nVehicle #1 Model - $model1\nIs vehicle #1 in running condition? - $runs1\nPick-Up City - $orig_city\nPick-Up State - $orig_state\nPick-Up Zip Code - $orig_zip\nDelivery City - $dest_city\nDelivery State - $dest_state\nDelivery Zip Code - $dest_zip\nComment \n$comment\n";
    if (mail($to, $subject, $body, $headers))
    {
        // we show the good guy only in one case and the bad one for the rest.
        echo '<p style="padding-top:2px;padding-left:2px;" class="successMsg">Thank you '.$_POST['name'].'. Your message was sent!</p>';
    }
    else {
        echo " Message not sent. Please contact us on our phone or email.";
    }
}
else {
    echo '<p style="padding-top:2px;padding-left:2px;" class="errorMsg">Missing required fields or invalid email</p>';
}
?>
Re: PHP Contact form, being exploited?
Posted: Wed Nov 19, 2008 2:42 pm
by Syntac
Do you have anything that writes to a file? If not, this may just be a server-level vulnerability.
Re: PHP Contact form, being exploited?
Posted: Wed Nov 19, 2008 2:56 pm
by Hannes2k
Hi,
Syntac wrote: Do you have anything that writes to a file? If not, this may just be a server-level vulnerability.
A vulnerable include/require statement is also possible.
Check whether there is a statement somewhere like:
include([...] $variable [...]);
And read a 'PHP security tutorial' to get the basic security concepts and typical vulnerabilities in PHP.
Re: PHP Contact form, being exploited?
Posted: Wed Nov 19, 2008 3:01 pm
by montanaflynn
Those are the only scripts on the sites. However, my host believes it has to do with the scripts because those sites are on a server with a lot of sites that are not affected by this .tgz file. What would the next step be? We have changed my FTP passwords and it happened again. Maybe my computer has a keylogger or some virus? I use Mac OS X 10.4.11 for designing my sites.
No PHP includes that I saw in those scripts... I use this on my HTML page to call the script.
Code:
<form method="POST" action="http://www.mysite.com/form/mailer.php" onsubmit="return validate_form(this)" id="myform" class="cssform">
Re: PHP Contact form, being exploited?
Posted: Wed Nov 19, 2008 4:32 pm
by andyhoneycutt
I see no vulnerabilities that could lead to someone uploading and extracting a .tgz from the code you've posted. Is there any other code that you're running than what you've posted?
-Andy
Re: PHP Contact form, being exploited?
Posted: Thu Nov 20, 2008 3:36 am
by j4IzbInao
Talk with your web host and get the log files; maybe you can check the access log and determine which way they have breached your site. It's a bit of a hopeless task to try to figure out what's wrong if you can't find out the way they've entered.
Re: PHP Contact form, being exploited?
Posted: Thu Nov 20, 2008 3:52 am
by Eran
Since you don't filter the subject, you are vulnerable to header injection. You can read more on that here:
http://www.php-security.org/MOPB/MOPB-34-2007.html
Re: PHP Contact form, being exploited?
Posted: Mon Nov 24, 2008 1:04 pm
by matthijs
Since all arguments of the mail() function are exploitable:
In articles about email injection one usually reads only about header injection in the additional headers parameter. Unfortunately, this and the previous vulnerability prove that all parameters of the mail() function are susceptible to email injection problems:
http://www.php-security.org/MOPB/MOPB-34-2007.html
How are people validating the form fields you use in the third argument (the $message)?
Code:
bool mail ( string $to , string $subject , string $message [, string $additional_headers [, string $additional_parameters ]] )
Since a regular text field in a (contact) form may usually contain almost all characters, including newlines, how do you prevent header injection in that field?
Re: PHP Contact form, being exploited?
Posted: Mon Nov 24, 2008 5:22 pm
by montanaflynn
Well, I have some JavaScript validation going on, not exactly the greatest since anyone could turn that off! How would I go about adding some more validation to the fields?
Re: PHP Contact form, being exploited?
Posted: Mon Nov 24, 2008 6:29 pm
by Eran
Client-side validation cannot be trusted, as requests can easily be sent directly to the PHP script. Client-side validation is for user convenience only; you should implement server-side validation and filtering (i.e., in PHP).
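As an added example (not code from the thread or any of its posters), a server-side validation layer in the spirit of Eran's last reply and matthijs' question about the $message argument: values that end up in header lines are rejected if they contain CR or LF, the address check is anchored with \z so a trailing newline cannot slip past the thread regex's "$", and the body is left free-form because mail() keeps it separate from the headers. The field names, the sample values and the placeholder addresses are assumptions.

```php
<?php
// Added example, not the poster's script: server-side checks for fields that
// end up as mail() arguments. $to, $subject and the additional headers string
// are header lines, so a CR/LF in any of them lets a submitter append headers
// of their own (Bcc: and so on); the message body may legitimately have newlines.

function has_crlf(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// The thread's regex ends in "$", which in PCRE also matches just before a
// trailing newline, so "a@b.com\n" passes it. \z anchors at the true end.
function valid_email(string $str): bool
{
    if (has_crlf($str) || strlen($str) > 254) {
        return false;
    }
    return filter_var($str, FILTER_VALIDATE_EMAIL) !== false
        && preg_match('/^[a-z0-9+_.-]+@([a-z0-9-]+\.)+[a-z]{2,}\z/i', $str) === 1;
}

// Returns a list of error strings; an empty list means the submission passed.
// Field names follow the first script in the thread (name, email, message).
function validate_submission(array $post): array
{
    $errors = [];
    foreach (['name', 'email', 'message'] as $field) {
        if (!isset($post[$field]) || trim((string) $post[$field]) === '') {
            $errors[] = "$field is required";
        }
    }
    if (isset($post['name']) && has_crlf((string) $post['name'])) {
        $errors[] = 'name must be a single line';
    }
    if (isset($post['email']) && !valid_email((string) $post['email'])) {
        $errors[] = 'email is not a valid address';
    }
    return $errors;
}

// Constructed sample with an injection attempt in the email field. A real
// handler passes $_POST, calls mail() only when $errors is empty, and builds
// its headers from a fixed site address with the visitor's address in Reply-To.
$sample = [
    'name'    => 'Visitor',
    'email'   => "visitor@example.com\r\nBcc: someone@example.org",
    'message' => "Line one\nLine two",
];
print_r(validate_submission($sample));
```

Putting the visitor's address only in Reply-To (and a fixed site address in From:) also avoids the sending host being blamed for forged From: lines by the receiving mail server.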