Bytes | Software Development & Data Engineering Community

Email Injection w/ Out Header?

Hello,
A spammer is apparently using email injection on my form, however I
thought email injection requires manipulation of the headers parameter
in mail() and I'm not using that parameter. My mail call looks like:

mail($to,$subj, $body)

So how is the spammer getting me? Is mail() translating to a raw
stream so that headers can be inserted in the body, or is there some
kind of buffer overflow that can be exploited? Since I'm using dynamic
variables, I can't see how this would occur, but then I'm no PHP
expert.

Any help would be greatly appreciated. I know beefing up input
validation should take care of this, but I want to understand what the
spammer is doing so I can reproduce and validate this fix.

Thanks in advance.

Dec 12 '05 #1
xm****@yahoo.com wrote:
Hello,
A spammer is apparently using email injection on my form, however I
thought email injection requires manipulation of the headers parameter
in mail() and I'm not using that parameter. My mail call looks like:

mail($to,$subj, $body)

So how is the spammer getting me? Is mail() translating to a raw
stream so that headers can be inserted in the body, or is there some
kind of buffer overflow that can be exploited? Since I'm using dynamic
variables, I can't see how this would occur, but then I'm no PHP
expert.

Any help would be greatly appreciated. I know beefing up input
validation should take care of this, but I want to understand what the
spammer is doing so I can reproduce and validate this fix.

Hi,

Log $to, $subj, $body somewhere (flatfile or database).
Check after spamming what the spammer did.

You can probably find many resources on the net addressing this issue, but
first you need to know exactly WHAT you are calling mail() with.

Regards,
Erwin Moller

Dec 12 '05 #2
>A spammer is apparently using email injection on my form, however I
thought email injection requires manipulation of the headers parameter
in mail() and I'm not using that parameter. My mail call looks like:

mail($to,$subj,$body)

So how is the spammer getting me?


Are the contents of $to and $subj in any way whatever dependent
on form input? Is there any way either of those variables could
be made to contain a newline or carriage return? If so, that's
how they are doing it. Remember, the spammer NEED NOT use your
form so any Javascript checking is useless.

Look at the headers of any mail message, and consider what
happens if $subj = "Make Money fast\r\nCc: sp****@aol.com".

Gordon L. Burditt
Dec 12 '05 #3

Gordon Burditt wrote:
Are the contents of $to and $subj in any way whatever dependent
on form input? Is there any way either of those variables could
be made to contain a newline or carriage return? If so, that's
how they are doing it. Remember, the spammer NEED NOT use your
form so any Javascript checking is useless.

Look at the headers of any mail message, and consider what
happens if $subj = "Make Money fast\r\nCc: sp****@aol.com".

Gordon L. Burditt


$to is not dependent on form input, but $subj is. This explains it --
I wanted to make sure because all the information I found on email
injection stated the header was used to manipulate the form. However,
knowing what I know of mail() and Unix in general, it seemed possible
to inject arbitrary headers elsewhere if the parameters were simply
appended and the call translated to a raw text stream anyway, which
looks like the case.

Thanks.

Dec 12 '05 #4
Erwin Moller wrote:
xm****@yahoo.com wrote:
Hello,
A spammer is apparently using email injection on my form, however
I thought email injection requires manipulation of the headers
parameter in mail() and I'm not using that parameter. My mail call
looks like:

mail($to,$subj, $body)

So how is the spammer getting me? Is mail() translating to a raw
stream so that headers can be inserted in the body, or is there some
kind of buffer overflow that can be exploited? Since I'm using
dynamic variables, I can't see how this would occur, but then I'm
no PHP expert.

Any help would be greatly appreciated. I know beefing up input
validation should take care of this, but I want to understand what
the spammer is doing so I can reproduce and validate this fix.


Hi,

Log $to, $subj, $body somewhere (flatfile or database).
Check after spamming what the spammer did.


And while you're at it, don't forget to include the IP address of the
offender as well (environment variable REMOTE_ADDR).

--
Kim André Akerø
- ki******@NOSPAMbetadome.com
(remove NOSPAM to contact me directly)
Dec 12 '05 #5
xm****@yahoo.com wrote:

A spammer is apparently using email injection on my form, however I
thought email injection requires manipulation of the headers parameter
in mail() and I'm not using that parameter. My mail call looks like:

mail($to,$subj, $body)

So how is the spammer getting me? Is mail() translating to a raw
stream so that headers can be inserted in the body, or is there some
kind of buffer overflow that can be exploited? Since I'm using dynamic
variables, I can't see how this would occur, but then I'm no PHP
expert.

Any help would be greatly appreciated. I know beefing up input
validation should take care of this, but I want to understand what the
spammer is doing so I can reproduce and validate this fix.


Some things that I like to do when processing forms...

On the page that has the form, generate some kind of token, store and
send with request:

<?php
session_start();
$token = md5('my secret'.microtime().'other secret');
$_SESSION['token'] = $token;
echo '<input type="hidden" name="token" value="', $token, '" />';
?>

on the receiving page...

<?php
session_start();
// both values must exist: a missing session token compared with == against
// an empty POST value would otherwise pass, so check both and compare with ===
if(isset($_SESSION['token'], $_POST['token']) && $_SESSION['token']===$_POST['token']){
    // this POST request should be a submission of my form, not a spoof
}else{
    // the form submission was spoofed...
}
?>

In addition to that, I also do some flat-out rejection stuff as well...
Since I know the fields and what to expect, I run this test on all
fields that should NOT contain a line break of any type:

if(preg_match('`[\r\n]`', $_POST['fieldname'])){
    // here, we found a newline or carriage return
    // corrupted data should be set to empty string
    $_POST['fieldname'] = '';

    // decide how to handle this condition...
}

Most of the time if I find this, I'll report an error and ask for
resubmission, but in some cases (depending on the application) I will
simply kill execution.

--
Justin Koivisto, ZCE - ju****@koivi.com
http://koivi.com
Dec 12 '05 #6
>> Are the contents of $to and $subj in any way whatever dependent
on form input? Is there any way either of those variables could
be made to contain a newline or carriage return? If so, that's
how they are doing it. Remember, the spammer NEED NOT use your
form so any Javascript checking is useless.

Look at the headers of any mail message, and consider what
happens if $subj = "Make Money fast\r\nCc: sp****@aol.com".

Gordon L. Burditt
$to is not dependent on form input, but $subj is. This explains it --
I wanted to make sure because all the information I found on email
injection stated the header was used to manipulate the form.


The subject *IS* a header. If it's not in the body of the
message, it's a header.
However,
knowing what I know of mail() and Unix in general, it seemed possible
to inject arbitrary headers elsewhere if the parameters were simply
appended and the call translated to a raw text stream anyway, which
looks like the case.


Mail is always transmitted as a text stream. That's what mail is.

You cannot inject headers after the first blank line (which separates
the headers from the body). $to, $subj, and $additional_headers
are headers.

Go to the page for the mail() function on php.net. Note that the
subject parameter is described as "This must not contain any newline
characters, or the mail may not be sent properly". Consider this
as something you *MUST ENFORCE*. Not mentioned are carriage return
characters, which also need to be eliminated. And don't remove the
offending characters. DON'T SEND THE MAIL, PERIOD. Provide the
user a nice message that he's a spammer and he's going to burn
in hell for a googol eternities.

If your ISP does not run *OUTGOING* mail through SpamAssassin and
an antivirus program, YOU should before sending it.

Gordon L. Burditt
Dec 12 '05 #7
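Pulling together Gordon's point that the subject is a header and must be refused rather than cleaned, Erwin's and Kim's advice to log the raw fields together with REMOTE_ADDR, and Justin's CR/LF test, here is an added example of a form-mail wrapper; it is not code posted by anyone in this thread. The log path, the optional $mailer parameter that stands in for mail(), and the sample submissions are assumptions made for the illustration.

```php
<?php
// Added example (not from this thread): a form-mail wrapper that treats the
// subject as the header field it is, refuses to send when it contains CR or
// LF instead of stripping them, and logs the rejected input with REMOTE_ADDR.
// The log path, $mailer parameter and sample submissions are assumptions.

// True when a header-bound value contains a line break. Both \r and \n are
// checked: the php.net note for mail() mentions only newlines, but a bare
// carriage return can also terminate a header line.
function has_line_break(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Append one line per rejected submission. CR, LF, tab and backslash in the
// logged values are escaped so the log itself stays one record per line.
function log_injection_attempt(string $logfile, array $fields, string $remoteAddr): void
{
    $parts = [];
    foreach ($fields as $name => $value) {
        $parts[] = $name . '=' . addcslashes($value, "\r\n\t\\");
    }
    $line = date('c') . ' ' . $remoteAddr . ' ' . implode(' ', $parts) . "\n";
    file_put_contents($logfile, $line, FILE_APPEND | LOCK_EX);
}

// Returns true when the message was handed to the mailer, false when refused.
// $to is fixed by the application; only $subject and $body come from the form.
// $mailer defaults to PHP's mail(); the demo below swaps in a recorder.
function send_form_mail(string $to, string $subject, string $body,
                        string $logfile, string $remoteAddr,
                        ?callable $mailer = null): bool
{
    $mailer ??= 'mail';
    // Everything before the first blank line of the outgoing message is a
    // header. A CR/LF inside $subject would end the Subject: line and let the
    // rest of the value (e.g. "Cc: ...") become a header of its own.
    if (has_line_break($subject)) {
        log_injection_attempt($logfile, ['subject' => $subject], $remoteAddr);
        return false;
    }
    // The body sits after the header/body separator, so line breaks in it
    // cannot become headers and must be allowed.
    return $mailer($to, $subject, $body);
}

// Demo with constructed input: the first submission is the thread's example
// payload with a placeholder address, the second is a legitimate one. The
// recorder stands in for mail() and prints the header block of anything that
// is accepted, laid out as an MTA would read it.
$recorder = function (string $to, string $subject, string $body): bool {
    echo "To: $to\r\nSubject: $subject\r\n\r\n$body\r\n";
    return true;
};
$log = sys_get_temp_dir() . '/formmail-rejects.log';   // assumed log path
$hostile = "Make Money fast\r\nCc: spammer@example.invalid";
foreach ([$hostile, 'Feedback'] as $subject) {
    $sent = send_form_mail('me@example.com', $subject, "Line 1\nLine 2",
                           $log, '203.0.113.9', $recorder);
    echo $sent ? "sent\n" : "refused and logged\n";
}
echo file_get_contents($log);
```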
This question has also come up recently in news.admin.net-abuse.email so I
have cross posted the following excellent answer to nanae.

In response to a question about the recent control character/bcc: injection
epidemic in web mail forms, Justin Koivisto <ju****@koivi.com> posted in
comp.lang.php and php.general:
Some things that I like to do when processing forms...

On the page that has the form, generate some kind of token, store and
send with request:

<?php
session_start();
$token = md5('my secret'.microtime().'other secret');
$_SESSION['token'] = $token;
echo '<input type="hidden" name="token" value="', $token, '" />';
?>

on the receiving page...

<?php
session_start();
// both values must exist: a missing session token compared with == against
// an empty POST value would otherwise pass, so check both and compare with ===
if(isset($_SESSION['token'], $_POST['token']) && $_SESSION['token']===$_POST['token']){
    // this POST request should be a submission of my form, not a spoof
}else{
    // the form submission was spoofed...
}
?>

In addition to that, I also do some flat-out rejection stuff as well...
Since I know the fields and what to expect, I run this test on all
fields that should NOT contain a line break of any type:

if(preg_match('`[\r\n]`', $_POST['fieldname'])){
    // here, we found a newline or carriage return
    // corrupted data should be set to empty string
    $_POST['fieldname'] = '';

    // decide how to handle this condition...
}

Most of the time if I find this, I'll report an error and ask for
resubmission, but in some cases (depending on the application) I will
simply kill execution.

--
Justin Koivisto, ZCE - ju****@koivi.com
http://koivi.com

-=-
This message was sent via two or more anonymous remailing services.
Dec 13 '05 #8
This question has come up in news.admin.net-abuse.email so I have cross
copied your answer there.

Thank you for some excellent suggestions.

In response to a question about the recent control character/bcc: injection
epidemic in web mail forms, Justin Koivisto <ju****@koivi.com> posted in
comp.lang.php and php.general:
Some things that I like to do when processing forms...

On the page that has the form, generate some kind of token, store and
send with request:

<?php
session_start();
$token = md5('my secret'.microtime().'other secret');
$_SESSION['token'] = $token;
echo '<input type="hidden" name="token" value="', $token, '" />';
?>

on the receiving page...

<?php
session_start();
// both values must exist: a missing session token compared with == against
// an empty POST value would otherwise pass, so check both and compare with ===
if(isset($_SESSION['token'], $_POST['token']) && $_SESSION['token']===$_POST['token']){
    // this POST request should be a submission of my form, not a spoof
}else{
    // the form submission was spoofed...
}
?>

In addition to that, I also do some flat-out rejection stuff as well...
Since I know the fields and what to expect, I run this test on all
fields that should NOT contain a line break of any type:

if(preg_match('`[\r\n]`', $_POST['fieldname'])){
    // here, we found a newline or carriage return
    // corrupted data should be set to empty string
    $_POST['fieldname'] = '';

    // decide how to handle this condition...
}

Most of the time if I find this, I'll report an error and ask for
resubmission, but in some cases (depending on the application) I will
simply kill execution.

--
Justin Koivisto, ZCE - ju****@koivi.com
http://koivi.com
Dec 13 '05 #9
REMOTE_ADDR will only show the proxy IP; use X-Forwarded-For for that matter.

--
Geeks Home
www.fahimzahid.com

"Kim André Akerø" <ki******@NOSPAMbetadome.com> wrote in message
news:40*************@individual.net...
Erwin Moller wrote:
xm****@yahoo.com wrote:
Hello,
A spammer is apparently using email injection on my form, however
I thought email injection requires manipulation of the headers
parameter in mail() and I'm not using that parameter. My mail call
looks like:

mail($to,$subj, $body)

So how is the spammer getting me? Is mail() translating to a raw
stream so that headers can be inserted in the body, or is there some
kind of buffer overflow that can be exploited? Since I'm using
dynamic variables, I can't see how this would occur, but then I'm
no PHP expert.

Any help would be greatly appreciated. I know beefing up input
validation should take care of this, but I want to understand what
the spammer is doing so I can reproduce and validate this fix.


Hi,

Log $to, $subj, $body somewhere (flatfile or database).
Check after spamming what the spammer did.


And while you're at it, don't forget to include the IP address of the
offender as well (environment variable REMOTE_ADDR).

--
Kim André Akerø
- ki******@NOSPAMbetadome.com
(remove NOSPAM to contact me directly)

Dec 13 '05 #10
