Hello Miguel,
You're right - I probably am checking more than I need to but I figured
it didn't hurt to check those inputs and I was trying to make sure I
wasn't missing anything. Here is a copy of the message from the
bounceback that I got from the server. To me, it looks like a
successful injection attempt.
Return-Path: <an*******@arthur.website.com>
Received: (qmail 13669 invoked by uid 48); 5 Aug 2006 09:20:32 -0400
Date: 5 Aug 2006 09:20:32 -0400
Message-ID: <20************************@arthur.website.com>
To: in**@website.com
Subject: Inquiry from website Web site:
From: to@arthur.website.com
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
Subject: for the content of
in violation of applicable laws.
c38c84c3c20b7d288cf34180343fc74f
..
<eg***********@website.com>
userName: to
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
Subject: for the content of
bcc:
bu*******@aol.com
in violation of applicable laws.
---------------------------------------------------
The email message also contained this error:
Hi. This is the qmail-send program at arthur.integrastrategic.com.
I'm afraid I wasn't able to deliver your message to the following
addresses.
This is a permanent error; I've given up. Sorry it didn't work out.
<bu*******@aol.com>:
64.12.138.152 failed after I sent the message.
Remote host said: 554-: (RLY:CS4)
http://postmaster.info.aol.com/errors/554rlycs4.html
554 TRANSACTION FAILED
--------------------------------------------
Does this look like a successful injection into the From field? I check
both the email address and name for an injection attempt. Then I create
the email like this:
// Send the email
$message = "";
$subject = "Inquiry from Web site: $_POST[topic]";
if (strlen($_POST['userName']) > 0) {
    $message .= "Name: $_POST[userName]\n";
} // end of if
if (strlen($_POST['address']) > 0) {
    $message .= "Address: $_POST[address]\n";
} // end of if
if (strlen($_POST['address2']) > 0) {
    $message .= "Address 2: $_POST[address2]\n";
} // end of if
if (strlen($_POST['city']) > 0) {
    $message .= "City: $_POST[city]\n";
} // end of if
if (strlen($_POST['state']) > 0) {
    $message .= "State: $_POST[state]\n";
} // end of if
if (strlen($_POST['zip']) > 0) {
    $message .= "Zip: $_POST[zip]\n";
} // end of if
if (strlen($_POST['phone']) > 0) {
    $message .= "Phone: $_POST[phone]\n\n";
} // end of if
if (strlen($_POST['comments']) > 0) {
    $message .= "Comments: ".str_replace("\r", "", $_POST['comments'])."\n";
} // end of if
if (strlen($_POST['email']) > 0) {
    $from = "$_POST[userName] <$_POST[email]>";
} // end of if
else {
    $from = "Website <in**@website.com>";
} // end of else
$message = stripslashes($message);
mail ("in**@website.com", $subject, $message, "From: ".$from);
So, the from is created via the userName and email variables which are
checked with the injection check. Can anyone see a flaw that would
allow someone to create an email like the one that bounced back?
Thanks so much for your help. I really appreciate the input so far.
Sincerely,
Scott
Miguel Cruz wrote:
st******@integrastrategic.com wrote:
One problem that I had been having is stopping email injections on
contact forms. I did some research, read up on it and felt like I had
created a working solution. I hadn't gotten any suspicious bouncebacks
in quite some time and got many custom alerts I had set up for
notifying me of injection attempts. However, just the other day, I got
a bounceback from an AOL address which leads me to believe that an
injection attempt was successful. I was hoping that someone here could
help me out.
Here is the code that I am using to check for injections:
function containsInjectionAttempt($input) {
    // eregi() was removed in PHP 7; preg_match() with the /i flag is the
    // equivalent on current PHP. The patterns below contain no regex
    // metacharacters, so they behave as case-insensitive substring matches.
    if (eregi("\r", $input) ||
        eregi("\n", $input) ||
        eregi("%0a", $input) ||
        eregi("%0d", $input) ||
        eregi("Content-Type:", $input) ||
        eregi("bcc:", $input) ||
        eregi("to:", $input) ||
        eregi("cc:", $input)) {
        return true;
    } // end of if
    else {
        return false;
    } // end of else
} // end of containsInjectionAttempt function

// Check for injection attempts
if (containsInjectionAttempt($_POST['userName']) ||
    containsInjectionAttempt($_POST['address']) ||
    containsInjectionAttempt($_POST['address2']) ||
    containsInjectionAttempt($_POST['city']) ||
    containsInjectionAttempt($_POST['zip']) ||
    containsInjectionAttempt($_POST['phone']) ||
    containsInjectionAttempt($_POST['email'])) {
    // There has been an injection attempt: report every submitted field
    $message = "";
    foreach ($_POST as $key => $value) {
        $message .= $key.": ".$value."\n";
    } // end of foreach
    mail ("me@test.com", "Injection attempt on Web Site", $message,
        "From: in**@website.com");
    $mailSuccess = 1;
} // end of if
Then, if the mailSuccess variable is set to 1, it sends out the email.
There is also a comments textarea that I do not run through the
injection check. It is my (possibly incorrect?) understanding that
anything going into the message body does not need to be checked for an
injection attempt since it should not be able to affect the headers. A
problem with checking a textarea against the injection check would be
that it would mark most legitimate messages as injections since it
looks for \r and \n. At least this is my understanding.
It looks to me like you are checking a bunch of stuff you don't need to
- do any of userName, address, address2, city, zip, phone, or email end
up in the headers of the message you send out? I would assume they all
end up in the body.
What you need to look at would be the stuff that does go into the
headers - a likely suspect would be anything used to build the Subject.
If you build a "From:" header from the userName or email values then you
do need to check those.
miguel
--
Photos from 40 countries on 5 continents: http://travel.u.nu
Latest photos: Malaysia; Thailand; Singapore; Spain; Morocco
Airports of the world: http://airport.u.nu
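Added example, not code from Scott's or Miguel's posts. It rebuilds the message the contact form hands to the MTA so the effect of an unchecked header-bound field (here the topic value that feeds the Subject line, which Miguel singles out and which the posted check never inspects) can be seen offline, and it places the same check on every field that reaches a header. Everything in it is assumed: render_message() is a stand-in for how mail() lays out To, Subject and the extra headers rather than PHP's mail() itself, the addresses are placeholders, and the submission is constructed for the demonstration, modelled on the shape of the bounced message rather than copied from it.

```php
<?php
// Added example (not from the thread). Rebuilds the outgoing message offline
// so an injected header can be inspected, then shows a check that covers every
// header-bound field. Addresses and payload are constructed for the demo.

// Stand-in for mail($to, $subject, $body, $extraHeaders): To and Subject come
// from the first two arguments, the extra headers follow, then a blank line
// separates headers from body. Nothing here is sent anywhere.
function render_message(string $to, string $subject, string $body, string $extraHeaders): string
{
    return "To: $to\r\n"
         . "Subject: $subject\r\n"
         . $extraHeaders . "\r\n"
         . "\r\n"
         . $body;
}

// Header lines of a rendered message: everything before the first blank line.
// A line break smuggled into Subject turns whatever follows it into further
// headers, and a second (blank) line ends the header section early.
function header_lines(string $message): array
{
    $parts = preg_split("/\r?\n\r?\n/", $message, 2);
    return preg_split("/\r?\n/", $parts[0]);
}

// True when the header section carries a header the form never set.
function has_injected_header(string $message, string $name): bool
{
    foreach (header_lines($message) as $line) {
        if (stripos($line, $name . ':') === 0) {
            return true;
        }
    }
    return false;
}

// The thread's check, widened: rejects raw and URL-encoded line breaks and
// header names. It is applied below to every field that reaches a header,
// which means topic (Subject) as well as userName and email (From).
function contains_injection_attempt(string $input): bool
{
    return preg_match('/\r|\n|%0a|%0d|content-type:|bcc:|cc:|to:|from:/i', $input) === 1;
}

// Hardened build: returns the pieces for mail(), or null when any header-bound
// field fails the check. Body-only fields (address, city, comments ...) are
// left alone; line breaks there cannot reach the headers.
function build_mail(array $post): ?array
{
    foreach (['topic', 'userName', 'email'] as $field) {
        if (contains_injection_attempt($post[$field] ?? '')) {
            return null;
        }
    }
    $email = $post['email'] ?? '';
    return [
        'subject' => "Inquiry from Web site: " . ($post['topic'] ?? ''),
        'from'    => $email !== ''
            ? ($post['userName'] ?? '') . " <$email>"
            : "Website <info@example.com>",   // placeholder fallback sender
        'body'    => "Comments: " . str_replace("\r", "", $post['comments'] ?? '') . "\n",
    ];
}

// Constructed submission: the topic field carries CRLF-separated header lines
// and a blank line, modelled on the shape of the bounced message.
$post = [
    'topic'    => "\r\nbcc: victim@example.net\r\nContent-Type: text/plain\r\n\r\nunsolicited body",
    'userName' => 'to',
    'email'    => 'to@example.com',
    'comments' => 'hello',
];

// What the posted code does: topic goes straight into Subject, unchecked.
$asPosted = render_message(
    'info@example.com',
    "Inquiry from Web site: {$post['topic']}",
    "Comments: {$post['comments']}\n",
    "From: {$post['userName']} <{$post['email']}>"
);
foreach (header_lines($asPosted) as $line) {
    echo "header> $line\n";
}
echo "bcc header injected: " . var_export(has_injected_header($asPosted, 'bcc'), true) . "\n";

// The hardened build refuses the same submission because topic fails the check.
echo "hardened build sends: " . var_export(build_mail($post) !== null, true) . "\n";
```

Run it with the PHP CLI and the header dump shows the injected bcc: and Content-Type: lines sitting in the header section while the form's own From: header has been pushed below the attacker's blank line into the body, which is the layout the bounce above exhibits. Two caveats carry over from the thread's own check: matching "to:" and "cc:" as substrings also rejects innocent text such as "photo:" in a subject, so a stricter rule is simply to refuse any CR, LF, %0a or %0d in header-bound fields, and the check has to sit in front of the mail() call that actually sends, since an alert mail on detection does nothing if the original message is still sent afterwards.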