473,701 Members | 2,638 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Email injection on a contact form

Hello,

One problem that I had been having is stopping email injections on
contact forms. I did some research, read up on it and felt like I had
created a working solution. I hadn't gotten any suspicious bouncebacks
in quite some time and got many custom alerts I had set up for
notifying me of injection attempts. However, just the other day, I got
a bounceback from an AOL address which leads me to believe that an
injection attempt was successful. I was hoping that someone here could
help me out.

Here is the code that I am using to check for injections:

function containsInjecti onAttempt($inpu t) {
if (eregi("\r", $input) ||
eregi("\n", $input) ||
eregi("%0a", $input) ||
eregi("%0d", $input) ||
eregi("Content-Type:", $input) ||
eregi("bcc:", $input) ||
eregi("to:", $input) ||
eregi("cc:", $input)) {
return true;
} // end of if
else {
return false;
} // end of else
} // end of containsInjecti onAttempt function

// Check for injection attempts
if (containsInject ionAttempt($_PO ST['userName']) ||
containsInjecti onAttempt($_POS T['address']) ||
containsInjecti onAttempt($_POS T['address2'])
|| containsInjecti onAttempt($_POS T['city']) ||
containsInjecti onAttempt($_POS T['zip']) ||
containsInjecti onAttempt($_POS T['phone'])
|| containsInjecti onAttempt($_POS T['email'])) {
// There has been an injection attempt
while (list($key, $value) = each($_POST)) {
$message .= $key.": ".$value."\ n";
} // end of while
mail ("me@test.co m", "Injection attempt on Web Site", $message,
"From: in**@website.co m");
$mailSuccess = 1;
} // end of if

Then, if the mailSuccess variable is set to 1, it sends out the email.
There is also a comments textarea that I do not run through the
injection check. It is my (possibly incorrect?) understanding that
anything going into the message body does not need to be checked for an
injection attempt since it should not be able to affect the headers. A
problem with checking a textarea against the injection check would be
that it would mark most legitimate messages as injections since it
looks for \r and \n. At least this is my understanding.

I was wondering if someone could tell me if there is a vulnerability in
the code and, if so, if there is a way to patch it. Thanks so much for
your help! This has been a frustrating problem that I thought I had
solved.

Scott

Aug 6 '06 #1
8 3806
st******@integr astrategic.com wrote:

notifying me of injection attempts. However, just the other day, I got
a bounceback from an AOL address which leads me to believe that an
injection attempt was successful. I was hoping that someone here could
help me out.

Are you sure it is your PHP code, I think my email address must be used as a
fron or reply-to address by spammers now and again as I get bounce messages
every so often and I don't have any publically accesable php code that
could be subjected to email / php / mysql injection.

Pete
--
http://www.petezilla.co.uk
Aug 6 '06 #2
Peter Chant <pe**@petezilla .co.ukwrote:
st******@integr astrategic.com wrote:
>notifying me of injection attempts. However, just the other day, I got
a bounceback from an AOL address which leads me to believe that an
injection attempt was successful. I was hoping that someone here could
help me out.

Are you sure it is your PHP code, I think my email address must be used as a
fron or reply-to address by spammers now and again as I get bounce messages
every so often and I don't have any publically accesable php code that
could be subjected to email / php / mysql injection.
You can sign up for notifications from AOL which are based on the IP
address of your server. So then there is no question whether or not you
are responsible.

miguel
--
Photos from 40 countries on 5 continents: http://travel.u.nu
Latest photos: Malaysia; Thailand; Singapore; Spain; Morocco
Airports of the world: http://airport.u.nu
Aug 6 '06 #3
st******@integr astrategic.com wrote:
One problem that I had been having is stopping email injections on
contact forms. I did some research, read up on it and felt like I had
created a working solution. I hadn't gotten any suspicious bouncebacks
in quite some time and got many custom alerts I had set up for
notifying me of injection attempts. However, just the other day, I got
a bounceback from an AOL address which leads me to believe that an
injection attempt was successful. I was hoping that someone here could
help me out.

Here is the code that I am using to check for injections:

function containsInjecti onAttempt($inpu t) {
if (eregi("\r", $input) ||
eregi("\n", $input) ||
eregi("%0a", $input) ||
eregi("%0d", $input) ||
eregi("Content-Type:", $input) ||
eregi("bcc:", $input) ||
eregi("to:", $input) ||
eregi("cc:", $input)) {
return true;
} // end of if
else {
return false;
} // end of else
} // end of containsInjecti onAttempt function

// Check for injection attempts
if (containsInject ionAttempt($_PO ST['userName']) ||
containsInjecti onAttempt($_POS T['address']) ||
containsInjecti onAttempt($_POS T['address2'])
|| containsInjecti onAttempt($_POS T['city']) ||
containsInjecti onAttempt($_POS T['zip']) ||
containsInjecti onAttempt($_POS T['phone'])
|| containsInjecti onAttempt($_POS T['email'])) {
// There has been an injection attempt
while (list($key, $value) = each($_POST)) {
$message .= $key.": ".$value."\ n";
} // end of while
mail ("me@test.co m", "Injection attempt on Web Site", $message,
"From: in**@website.co m");
$mailSuccess = 1;
} // end of if

Then, if the mailSuccess variable is set to 1, it sends out the email.
There is also a comments textarea that I do not run through the
injection check. It is my (possibly incorrect?) understanding that
anything going into the message body does not need to be checked for an
injection attempt since it should not be able to affect the headers. A
problem with checking a textarea against the injection check would be
that it would mark most legitimate messages as injections since it
looks for \r and \n. At least this is my understanding.
It looks to me like you are checking a bunch of stuff you don't need to
- do any of userName, address, address2, city, zip, phone, or email end
up in the headers of the message you send out? I would assume they all
end up in the body.

What you need to look at would be the stuff that does go into the
headers - a likely suspect would be anything used to build the Subject.

If you build a "From:" header from the userName or email values then you
do need to check those.

miguel
--
Photos from 40 countries on 5 continents: http://travel.u.nu
Latest photos: Malaysia; Thailand; Singapore; Spain; Morocco
Airports of the world: http://airport.u.nu
Aug 6 '06 #4
Hello Miguel,

You're right - I probably am checking more than I need to but I figured
it didn't hurt to check those inputs and I was trying to make sure I
wasn't missing anything. Here is a copy of the message from the
bounceback that I got from the server. To me, it looks like a
successful injection attempt.

Return-Path: <an*******@arth ur.website.com>
Received: (qmail 13669 invoked by uid 48); 5 Aug 2006 09:20:32 -0400
Date: 5 Aug 2006 09:20:32 -0400
Message-ID: <20************ ************@ar thur.website.co m>
To: in**@website.co m
Subject: Inquiry from website Web site:
From: to@arthur.websi te.com
Content-Transfer-Encoding: 8bit

Content-Type: text/plain

Subject: for the content of


in violation of applicable laws.



c38c84c3c20b7d2 88cf34180343fc7 4f

..

<eg***********@ website.com>

userName: to

Content-Transfer-Encoding: 8bit

Content-Type: text/plain

Subject: for the content of

bcc: bu*******@aol.c om

in violation of applicable laws.

---------------------------------------------------

The email message also contained this error:

Hi. This is the qmail-send program at arthur.integras trategic.com.
I'm afraid I wasn't able to deliver your message to the following
addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<bu*******@aol. com>:
64.12.138.152 failed after I sent the message.
Remote host said: 554-: (RLY:CS4)
http://postmaster.info.aol.com/errors/554rlycs4.html
554 TRANSACTION FAILED

--------------------------------------------

Does this look like a successful injection into the From field? I check
both the email address and name for an injection attempt. Then I create
the email like this:

// Send the email
$subject = "Inquiry from Web site: $_POST[topic]";
if (strlen($_POST[userName]) 0) {
$message .= "Name: $_POST[userName]\n";
} // end of if
if (strlen($_POST[address]) 0) {
$message .= "Address: $_POST[address]\n";
} // end of if
if (strlen($_POST[address2]) 0) {
$message .= "Address 2: $_POST[address2]\n";
} // end of if
if (strlen($_POST[city]) 0) {
$message .= "Name: $_POST[city]\n";
} // end of if
if (strlen($_POST[state]) 0) {
$message .= "State: $_POST[state]\n";
} // end of if
if (strlen($_POST[zip]) 0) {
$message .= "Zip: $_POST[zip]\n";
} // end of if
if (strlen($_POST[phone]) 0) {
$message .= "Phone: $_POST[phone]\n\n";
} // end of if
if (strlen($_POST[comments]) 0) {
$message .= "Comments: ".str_replace(" \r", "",
$_POST[comments])."\n";
} // end of if
if (strlen($_POST[email]) 0) {
$from = "$_POST[userName] <$_POST[email]>";
} // end of if
else {
$from = "Website <in**@website.c om>";
} // end of else
$message = stripslashes($m essage);
mail ("in**@website. com", $subject, $message, "From: ".$from);

So, the from is created via the userName and email variables which are
checked with the injection check. Can anyone see a flaw that would
allow someone to create an email like the one that bounced back?

Thanks so much for your help. I really appreciate the input so far.

Sincerely,
Scott

Miguel Cruz wrote:
st******@integr astrategic.com wrote:
One problem that I had been having is stopping email injections on
contact forms. I did some research, read up on it and felt like I had
created a working solution. I hadn't gotten any suspicious bouncebacks
in quite some time and got many custom alerts I had set up for
notifying me of injection attempts. However, just the other day, I got
a bounceback from an AOL address which leads me to believe that an
injection attempt was successful. I was hoping that someone here could
help me out.

Here is the code that I am using to check for injections:

function containsInjecti onAttempt($inpu t) {
if (eregi("\r", $input) ||
eregi("\n", $input) ||
eregi("%0a", $input) ||
eregi("%0d", $input) ||
eregi("Content-Type:", $input) ||
eregi("bcc:", $input) ||
eregi("to:", $input) ||
eregi("cc:", $input)) {
return true;
} // end of if
else {
return false;
} // end of else
} // end of containsInjecti onAttempt function

// Check for injection attempts
if (containsInject ionAttempt($_PO ST['userName']) ||
containsInjecti onAttempt($_POS T['address']) ||
containsInjecti onAttempt($_POS T['address2'])
|| containsInjecti onAttempt($_POS T['city']) ||
containsInjecti onAttempt($_POS T['zip']) ||
containsInjecti onAttempt($_POS T['phone'])
|| containsInjecti onAttempt($_POS T['email'])) {
// There has been an injection attempt
while (list($key, $value) = each($_POST)) {
$message .= $key.": ".$value."\ n";
} // end of while
mail ("me@test.co m", "Injection attempt on Web Site", $message,
"From: in**@website.co m");
$mailSuccess = 1;
} // end of if

Then, if the mailSuccess variable is set to 1, it sends out the email.
There is also a comments textarea that I do not run through the
injection check. It is my (possibly incorrect?) understanding that
anything going into the message body does not need to be checked for an
injection attempt since it should not be able to affect the headers. A
problem with checking a textarea against the injection check would be
that it would mark most legitimate messages as injections since it
looks for \r and \n. At least this is my understanding.

It looks to me like you are checking a bunch of stuff you don't need to
- do any of userName, address, address2, city, zip, phone, or email end
up in the headers of the message you send out? I would assume they all
end up in the body.

What you need to look at would be the stuff that does go into the
headers - a likely suspect would be anything used to build the Subject.

If you build a "From:" header from the userName or email values then you
do need to check those.

miguel
--
Photos from 40 countries on 5 continents: http://travel.u.nu
Latest photos: Malaysia; Thailand; Singapore; Spain; Morocco
Airports of the world: http://airport.u.nu
Aug 7 '06 #5
st******@integr astrategic.com wrote:
You're right - I probably am checking more than I need to but I figured
it didn't hurt to check those inputs and I was trying to make sure I
wasn't missing anything. Here is a copy of the message from the
bounceback that I got from the server. To me, it looks like a
successful injection attempt.
Does look suspiciously that way.
// Send the email
$subject = "Inquiry from Web site: $_POST[topic]";
if (strlen($_POST[userName]) 0) {
$message .= "Name: $_POST[userName]\n";
} // end of if
if (strlen($_POST[address]) 0) {
$message .= "Address: $_POST[address]\n";
} // end of if
if (strlen($_POST[address2]) 0) {
$message .= "Address 2: $_POST[address2]\n";
} // end of if
if (strlen($_POST[city]) 0) {
$message .= "Name: $_POST[city]\n";
} // end of if
if (strlen($_POST[state]) 0) {
$message .= "State: $_POST[state]\n";
} // end of if
if (strlen($_POST[zip]) 0) {
$message .= "Zip: $_POST[zip]\n";
} // end of if
if (strlen($_POST[phone]) 0) {
$message .= "Phone: $_POST[phone]\n\n";
} // end of if
if (strlen($_POST[comments]) 0) {
$message .= "Comments: ".str_replace(" \r", "",
$_POST[comments])."\n";
} // end of if
if (strlen($_POST[email]) 0) {
$from = "$_POST[userName] <$_POST[email]>";
} // end of if
else {
$from = "Website <in**@website.c om>";
} // end of else
$message = stripslashes($m essage);
mail ("in**@website. com", $subject, $message, "From: ".$from);

So, the from is created via the userName and email variables which are
checked with the injection check. Can anyone see a flaw that would
allow someone to create an email like the one that bounced back?
I think you could make life much simpler by just doing this, and only
leaving in the characters you know are safe and useful for names and
email addresses, and trimming each down to 50 characters for good
measure:

function clean_header_da ta($str)
{
return substr(preg_rep lace('/[^\w .@+\-]/', '', $str), 0, 50);
}

Then you can do

$from = clean_header_da ta($_POST['userName']) . ' <' .
clean_header_da ta($_POST['email']) . '>';

Likewise do it with $subject because $_POST['topic'] is untrustworthy.

After that there's very little way for anything to sneak through.

--
Photos from 40 countries on 5 continents: http://travel.u.nu
Latest photos: Malaysia; Thailand; Singapore; Spain; Morocco
Airports of the world: http://airport.u.nu
Aug 7 '06 #6
st******@integr astrategic.com wrote:
Hello Miguel,

You're right - I probably am checking more than I need to but I figured
it didn't hurt to check those inputs and I was trying to make sure I
wasn't missing anything. Here is a copy of the message from the
bounceback that I got from the server. To me, it looks like a
successful injection attempt.
You should also check the message for BCC, CC, etc. I had a problem in
which the injection attack was being successfully done in the message
body part of my contact form.

-Steven
Aug 7 '06 #7
Steven Musumeche <st************ *@yahoo.comwrot e:
st******@integr astrategic.com wrote:
>You're right - I probably am checking more than I need to but I
figured it didn't hurt to check those inputs and I was trying to
make sure I wasn't missing anything. Here is a copy of the message
from the bounceback that I got from the server. To me, it looks like
a successful injection attempt.

You should also check the message for BCC, CC, etc. I had a problem in
which the injection attack was being successfully done in the message
body part of my contact form.
Really? That shouldn't happen. If that works, then I could just send you
an email with a thousand extra bcc's and your defective mail server
would spam for me, no need for a PHP hole.

miguel
--
Photos from 40 countries on 5 continents: http://travel.u.nu
Latest photos: Malaysia; Thailand; Singapore; Spain; Morocco
Airports of the world: http://airport.u.nu
Aug 7 '06 #8
Hello Miguel and Steven,

That's what I thought too - that something put into the body should not
be able to affect the headers of the email. But I don't see how else
this injection could have been done except through the message body
since that is the only object I wasn't checking for an injection
attempt (and the script caught a bunch of other attempts made through
other fields). I've thought about removing the checks for line breaks
and just looking for cc: and bcc: and then including the message body
but I didn't know if that would open me up at all.

Thank you for the tips. I will put them into place. Though if the
injection is through the body (does anyone else think this is
possible?) then using Miguel's clean_header_da ta wouldn't stop the
injection since it is going through the other form element.

Thanks again!

Sincerely,
Scott

Miguel Cruz wrote:
Steven Musumeche <st************ *@yahoo.comwrot e:
st******@integr astrategic.com wrote:
You're right - I probably am checking more than I need to but I
figured it didn't hurt to check those inputs and I was trying to
make sure I wasn't missing anything. Here is a copy of the message
from the bounceback that I got from the server. To me, it looks like
a successful injection attempt.
You should also check the message for BCC, CC, etc. I had a problem in
which the injection attack was being successfully done in the message
body part of my contact form.

Really? That shouldn't happen. If that works, then I could just send you
an email with a thousand extra bcc's and your defective mail server
would spam for me, no need for a PHP hole.

miguel
--
Photos from 40 countries on 5 continents: http://travel.u.nu
Latest photos: Malaysia; Thailand; Singapore; Spain; Morocco
Airports of the world: http://airport.u.nu
Aug 7 '06 #9

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

0
1821
by: ThisIsMe | last post by:
I am using this php email form and it seems to work. But I would like for the option for attn$ Webmaster to go to a different email address than the mymail$ Please be Kind to us newbies... can someone modify this and resend it so I can have the form send to 2 different email addresses? Or maybe three if that is possible determined by what attn$ option is used.
10
1843
by: xmp333 | last post by:
Hello, A spammer is apparently using email injection on my form, however my I thought email injection requires mainpulation of the headers parameter in mail() and I'm not using that parameter. My mail call looks like: mail($to,$subj,$body) So how is the spammer getting me? Is mail() translating to a raw
5
1837
by: mantrid | last post by:
Up to the other day I have not bothered protecting my php script on my feedback form against email injection. Howerver, i have had a spammer using it to insert email addresses as cc: bc: into my email field. First I was puzzled why he was doing it as the message being sent was just jibberish. I have recently used a function to protect these fields and send an email back to myself with his details. function below function...
13
2281
by: bill | last post by:
MySQL newbie, not new to computing. In my application I accept photos and data, some structured and some free text. I store the information (but not the images) in a MySQL database and then from that information I construct a web page for the user. The images are always displayed within an <img tag. The text is displayed as part of the web page, within <ptags.
2
5632
by: Malli mindwave | last post by:
Hi, We are using the yahoowebHostiing service for my company website, In that one screen of the SendComments/FeedBack section is there, I'm basically dot.net develeoper ,but yahoowebhosting not support .asp,.aspx files, it supports PHP files, I'm searching in JavaScript ,but not found any matter, I'don't Know PHP.I'm having lot of pressure of higer officials.Please help me on this.
2
1819
by: runway27 | last post by:
i am helping a friend to build a forum website which uses php and mysql database. i am working on the registeration page for the forum website and its validation. i am using php 5.2.5 i am able to validate and do other tasks, however i really need help as i am stuck with regards to database injection. please answer the following questions. any help will be greatly appreciated. 1. USER NAME VALIDATION username = eregi("^+$",...
2
2224
by: Sudhakar | last post by:
A) validating username in php as part of a registration form a user fills there desired username and this is stored in a mysql. there are certain conditions for the username. a) the username should only begin either letters or numbers, and Underscore character example = user123, 123user, u_ser123, user_123 = completely case insensitive
2
2315
by: sindhudixit | last post by:
Hey, I am having a user fill out a form then the fields are going to uploaded to my database. So, at this point, when the user hits the submit button I want three things to happen: 1. The form uploads to a database (the following code does this) 2. An e-mail is sent to my sales team as well as the customer, which contains the form values . 3. I want the user to then be directed automatically to another webpage, after they hit the...
2
2271
by: ssmeshack | last post by:
Hai there, I have doing php code for form data to be send to email. But it is showing... Here is my code for html form... <body>
0
8736
marktang
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look ! Part I. Meaning of...
0
8649
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
0
9083
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
0
7824
agi2029
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own.... Now, this would greatly impact the work of software developers. The idea...
1
6571
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...
0
4410
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
0
4662
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
1
3102
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
2
2398
muto222
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.