Hello,
A spammer is apparently using email injection on my form, however my I
thought email injection requires mainpulation of the headers parameter
in mail() and I'm not using that parameter. My mail call looks like:
mail($to,$subj,$body)
So how is the spammer getting me? Is mail() translating to a raw
stream so that headers can be inserted in the body, or is there some
kind of buffer overflow that can be exploited? Since I'm using dynamic
variables, I can't see how this would occur, but then I'm no PHP
expert.
Any help would be greatly appreciated. I know beefing up input
validation should take care of this, but I want to understand what the
spammer is doing so I can reproduce and validate this fix.
Thanks in advance. 10 1811 xm****@yahoo.com wrote: Hello,
A spammer is apparently using email injection on my form, however my I thought email injection requires mainpulation of the headers parameter in mail() and I'm not using that parameter. My mail call looks like:
mail($to,$subj,$body)
So how is the spammer getting me? Is mail() translating to a raw stream so that headers can be inserted in the body, or is there some kind of buffer overflow that can be exploited? Since I'm using dynamic variables, I can't see how this would occur, but then I'm no PHP expert.
Any help would be greatly appreciated. I know beefing up input validation should take care of this, but I want to understand what the spammer is doing so I can reproduce and validate this fix.
Hi,
Log $to, $subj, $body somewhere (flatfile or database).
Check after spamming what the spammer did.
You can probably find many resources on the net adressing this issue, but
first you need to know WHAT you excactly are calling with the mail().
Regards,
Erwin Moller
Thanks in advance.
>A spammer is apparently using email injection on my form, however my I thought email injection requires mainpulation of the headers parameter in mail() and I'm not using that parameter. My mail call looks like:
mail($to,$subj,$body)
So how is the spammer getting me?
Are the contents of $to and $subj in any way whatever dependent
on form input? Is there any way either of those variables could
be made to contain a newline or carriage return? If so, that's
how they are doing it. Remember, the spammer NEED NOT use your
form so any Javascript checking is useless.
Look at the headers of any mail message, and consider what
happens if $subj = "Make Money fast\r\nCc: sp****@aol.com".
Gordon L. Burditt
Gordon Burditt wrote: Are the contents of $to and $subj in any way whatever dependent on form input? Is there any way either of those variables could be made to contain a newline or carriage return? If so, that's how they are doing it. Remember, the spammer NEED NOT use your form so any Javascript checking is useless.
Look at the headers of any mail message, and consider what happens if $subj = "Make Money fast\r\nCc: sp****@aol.com".
Gordon L. Burditt
$to is not dependent on form input, but $subj is. This explains it --
I wanted to make sure because all the information I found on email
injection stated the header was used to mainpulate the form. However,
knowing what I know of mail() and Unix in general, it seemed possible
to inject arbitrary headers elsewhere if the parameters were simply
appended and the call translated to a raw text stream anyway, which
looks like the case.
Thanks.
Erwin Moller wrote: xm****@yahoo.com wrote:
Hello,
A spammer is apparently using email injection on my form, however my I thought email injection requires mainpulation of the headers parameter in mail() and I'm not using that parameter. My mail call looks like:
mail($to,$subj,$body)
So how is the spammer getting me? Is mail() translating to a raw stream so that headers can be inserted in the body, or is there some kind of buffer overflow that can be exploited? Since I'm using dynamic variables, I can't see how this would occur, but then I'm no PHP expert.
Any help would be greatly appreciated. I know beefing up input validation should take care of this, but I want to understand what the spammer is doing so I can reproduce and validate this fix.
Hi,
Log $to, $subj, $body somewhere (flatfile or database). Check after spamming what the spammer did.
And while you're at it, don't forget to include the IP address of the
offender as well (environmental variable REMOTE_ADDR).
--
Kim André Akerĝ
- ki******@NOSPAMbetadome.com
(remove NOSPAM to contact me directly) xm****@yahoo.com wrote: A spammer is apparently using email injection on my form, however my I thought email injection requires mainpulation of the headers parameter in mail() and I'm not using that parameter. My mail call looks like:
mail($to,$subj,$body)
So how is the spammer getting me? Is mail() translating to a raw stream so that headers can be inserted in the body, or is there some kind of buffer overflow that can be exploited? Since I'm using dynamic variables, I can't see how this would occur, but then I'm no PHP expert.
Any help would be greatly appreciated. I know beefing up input validation should take care of this, but I want to understand what the spammer is doing so I can reproduce and validate this fix.
Some things that I like to do when processing forms...
On the page that has the form, generate some kind of token, store and
send with request:
<?php
session_start();
$token = md5('my secret'.microtime().'other secret');
$_SESSION['token'] = $token;
echo '<input type="hidden" name="token" value="',$token,'" />";
?>
on the receiving page...
<?php
session_start();
if(isset($_POST['token']) && $_SESSION['token']==$_POST['token']){
// this POST request should be a submission of my form, not a spoof
}else{
// the form submission was spoofed...
}
?>
In addition to that, I also do some flat-out rejection stuff as well...
Since I know the fields and what to expect, I run this test on all
fields that should NOT contain a line break of any type:
if(preg_match('`[\r\n]`',$_POST['fieldname'])){
// here, we found a newline or carriage return
// corrupted data should be set to empty string
$_POST['fieldname']='';
// decide how to handle this condition...
}
Most of the time if I find this, I'll report an error and ask for
resubmission, but in some cases (depending on the application) I will
simply kill execution.
--
Justin Koivisto, ZCE - ju****@koivi.com http://koivi.com
>> Are the contents of $to and $subj in any way whatever dependent on form input? Is there any way either of those variables could be made to contain a newline or carriage return? If so, that's how they are doing it. Remember, the spammer NEED NOT use your form so any Javascript checking is useless.
Look at the headers of any mail message, and consider what happens if $subj = "Make Money fast\r\nCc: sp****@aol.com".
Gordon L. Burditt $to is not dependent on form input, but $subj is. This explains it -- I wanted to make sure because all the information I found on email injection stated the header was used to mainpulate the form.
The subject *IS* a header. If it's not in the body of the
message, it's a header.
However, knowing what I know of mail() and Unix in general, it seemed possible to inject arbitrary headers elsewhere if the parameters were simply appended and the call translated to a raw text stream anyway, which looks like the case.
Mail is always transmitted as a text stream. That's what mail is.
You cannot inject headers after the first blank line (which separates
the headers from the body). $to, $subj, and $additional_headers
are headers.
Go to the page for the mail() function on php.net. Note that the
subject parameter is described as "This must not contain any newline
characters, or the mail may not be sent properly". Consider this
as something you *MUST ENFORCE*. Not mentioned are carriage return
characters, which also need to be eliminated. And don't remove the
offending characters. DON'T SEND THE MAIL, PERIOD. Provide the
user a nice message that he's a spammer and he's going to burn
in hell for a googol eternities.
If your ISP does not run *OUTGOING* mail through SpamAssassin and
an antivirus program, YOU should before sending it.
Gordon L. Burditt
This question has also come up recently in news.admin.net-abuse.email so I
have cross posted the following excellent answer to nanae.
In response to a question about the recent control character/bcc: injection
epidemic in web mail forms, Justin Koivisto <ju****@koivi.com> posted in
comp.lang.php and php.general: Some things that I like to do when processing forms...
On the page that has the form, generate some kind of token, store and send with request:
<?php session_start(); $token = md5('my secret'.microtime().'other secret'); $_SESSION['token'] = $token; echo '<input type="hidden" name="token" value="',$token,'" />"; ?>
on the receiving page...
<?php session_start(); if(isset($_POST['token']) && $_SESSION['token']==$_POST['token']){ // this POST request should be a submission of my form, not a spoof }else{ // the form submission was spoofed... } ?>
In addition to that, I also do some flat-out rejection stuff as well... Since I know the fields and what to expect, I run this test on all fields that should NOT contain a line break of any type:
if(preg_match('`[\r\n]`',$_POST['fieldname'])){ // here, we found a newline or carriage return // corrupted data should be set to empty string $_POST['fieldname']='';
// decide how to handle this condition... }
Most of the time if I find this, I'll report an error and ask for resubmission, but in some cases (depending on the application) I will simply kill execution.
-- Justin Koivisto, ZCE - ju****@koivi.com http://koivi.com
-=-
This message was sent via two or more anonymous remailing services.
This question has come up in news.admin.net-abuse.email so I have cross
copied your answer there.
Thank you for some excellent suggestions.
In response to a question about the recent control character/bcc: injection
epidemic in web mail forms, Justin Koivisto <ju****@koivi.com> posted in
comp.lang.php and php.general: Some things that I like to do when processing forms...
On the page that has the form, generate some kind of token, store and send with request:
<?php session_start(); $token = md5('my secret'.microtime().'other secret'); $_SESSION['token'] = $token; echo '<input type="hidden" name="token" value="',$token,'" />"; ?>
on the receiving page...
<?php session_start(); if(isset($_POST['token']) && $_SESSION['token']==$_POST['token']){ // this POST request should be a submission of my form, not a spoof }else{ // the form submission was spoofed... } ?>
In addition to that, I also do some flat-out rejection stuff as well... Since I know the fields and what to expect, I run this test on all fields that should NOT contain a line break of any type:
if(preg_match('`[\r\n]`',$_POST['fieldname'])){ // here, we found a newline or carriage return // corrupted data should be set to empty string $_POST['fieldname']='';
// decide how to handle this condition... }
Most of the time if I find this, I'll report an error and ask for resubmission, but in some cases (depending on the application) I will simply kill execution.
-- Justin Koivisto, ZCE - ju****@koivi.com http://koivi.com
REMOTE_ADDR will only show the proxy IP use X-Forwarder for that matter.
--
Geeks Home www.fahimzahid.com
"Kim André Akerĝ" <ki******@NOSPAMbetadome.com> wrote in message
news:40*************@individual.net... Erwin Moller wrote:
xm****@yahoo.com wrote:
Hello,
A spammer is apparently using email injection on my form, however my I thought email injection requires mainpulation of the headers parameter in mail() and I'm not using that parameter. My mail call looks like:
mail($to,$subj,$body)
So how is the spammer getting me? Is mail() translating to a raw stream so that headers can be inserted in the body, or is there some kind of buffer overflow that can be exploited? Since I'm using dynamic variables, I can't see how this would occur, but then I'm no PHP expert.
Any help would be greatly appreciated. I know beefing up input validation should take care of this, but I want to understand what the spammer is doing so I can reproduce and validate this fix.
Hi,
Log $to, $subj, $body somewhere (flatfile or database). Check after spamming what the spammer did.
And while you're at it, don't forget to include the IP address of the offender as well (environmental variable REMOTE_ADDR).
-- Kim André Akerĝ - ki******@NOSPAMbetadome.com (remove NOSPAM to contact me directly)
Java Boy wrote: REMOTE_ADDR will only show the proxy IP use X-Forwarder for that matter.
Of course, it's just a matter of checking whether the X-Forwarder
header is being used. The X-Forwarder header can be forged, though.
REMOTE_ADDR is harder to forge, especially if the originator is seeking
feedback on the successful execution of the script.
Even so, REMOTE_ADDR will give you a starting point when reporting
abuse.
--
Kim André Akerĝ
- ki******@NOSPAMbetadome.com
(remove NOSPAM to contact me directly) This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics |
by: wayne |
last post by:
I have a PHP email script running on two separate websites. Today, I
received a form mail generated by the script from each site, with time
stamps 10 minutes apart. The entered email address in...
|
by: stirrell |
last post by:
Hello,
One problem that I had been having is stopping email injections on
contact forms. I did some research, read up on it and felt like I had
created a working solution. I hadn't gotten any...
|
by: ianbarton |
last post by:
Hello all
I am trying to setup a feedback form on my webpage using some script
provided by my ISP. I really don't know a lot about PHP and it's syntax
etc.
The feedback form only has 4...
|
by: mantrid |
last post by:
Up to the other day I have not bothered protecting my php script on my
feedback form against email injection. Howerver, i have had a spammer using
it to insert email addresses as cc: bc: into my...
|
by: Malli mindwave |
last post by:
Hi,
We are using the yahoowebHostiing service for my company website, In
that one screen of the SendComments/FeedBack section is there, I'm
basically dot.net develeoper ,but yahoowebhosting not...
| |
by: runway27 |
last post by:
i have implemented a way to avoid sql injection from the php website from this url
http://in.php.net/mysql_real_escape_string from the "Example #3 A "Best Practice" query" section of this page
...
|
by: r_ahimsa_m |
last post by:
Hello,
I am learning PHP5 and www technologies.
I would like to send email from .php script. The email will contain HTML
with images (BMP, GIF, JPEG) and movies (MPEG) included.
I have a...
|
by: RJ_32 |
last post by:
looking here:
http://www.devarticles.com/c/a/PHP/Getting-Intimate-With-PHPs-Mail-Function/2/
it says that I have to be careful about what I send to the sendmail process
via popen(). Does that...
|
by: Jeff |
last post by:
I'm writing my php "form mail" script.
Does mail do any checking for header injection in the "to" and
"subject" parameters? CR and/or LF? It seems to me it easily could and
should, but does it?...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
| |
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development projectplanning, coding, testing,...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
|
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated ...
| |
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
| |