  1. #1 New Coder

    HTML code (spam) in my form fields- Oh my!

    I need some help with this one. I've searched and searched but cannot find how to stop someone from sending code in my form fields.

    Right now it looks like spam: urls, links, text like viagra, generic cialis, etc. but what about malicious code? Is this a bigger problem than just spam?

    So I tried slapping some JS validation on the form to check for special characters such as // < > : | and it worked great at keeping me from submitting the form with these characters in the fields, but the creep is still getting through somehow.

    So I thought - maybe he saved a copy of my page before I added the JS and was running it from his own location.... So I added an ID code to my form and check for it before processing the form data. If the ID code isn't with the incoming data my php script exits and saves no data. But the creep is still getting through....

    Anyone have some ideas.....?

  • #2 CFMaBiSmAd (Senior Coder)
    The reason this is being done is that your form processing code probably allows mail(...) header injection so that the spam is actually being emailed to others as well.

    Anything you do in your form code with javascript or your ID code, is visible and can be undone. In fact, if a script (such as PHP using curl) is submitting to your form processing code, it could care less about any javascript you might have on your form web page.

    The first step would be to secure your form processing code to prevent spam from being sent through it. Each form field must be tested to ensure that it only contains allowed contents and/or don't place any of the form fields into the mail(...) extra header field.

    For a publicly accessible form (one that anyone can fill in), the next step to avoid automated submissions would be to add an image verification code - CAPTCHA.
    If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.
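    An added example, not code from this thread or from any of its posters, of the server-side validation CFMaBiSmAd describes: each field is tested against what it is allowed to contain (an allow-list) rather than against a list of "bad" characters, and the handler stops before saving or mailing anything when a test fails. The field names name/email/comment and the hidden formtype field are taken from later posts in the thread; the set of form codes ('J', 'C', 'S'), the error messages and the sample submission are assumptions.

```php
<?php
// Added example: server-side replacement for the client-side JS check.
// Field names follow the thread; form codes and messages are assumed.

function validate_submission(array $post): array
{
    $errors = [];

    // The hidden field may only pick one of a fixed set of forms. It is visible
    // to anyone and can be resent, so it must never be used to choose a file name.
    if (!in_array($post['formtype'] ?? '', ['J', 'C', 'S'], true)) {
        $errors['formtype'] = 'unknown form';
    }

    // Name: letters, spaces and a few punctuation marks, bounded length.
    // \z rather than $ so a trailing line break cannot slip past the anchor.
    $name = trim((string)($post['name'] ?? ''));
    if (!preg_match('/^[\p{L} .\'-]{1,60}\z/u', $name)) {
        $errors['name'] = 'must be 1-60 letters, spaces, dots, apostrophes or hyphens';
    }

    // Email: exactly one syntactically valid address. FILTER_VALIDATE_EMAIL
    // rejects spaces, commas and line breaks, so a recipient list or an extra
    // header line fails here.
    $email = trim((string)($post['email'] ?? ''));
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'must be a single valid email address';
    }

    // Comment: free text with a length bound; line breaks and tabs are fine,
    // other control characters are not, and a catalog request has no business
    // containing links or tags (the spam signature quoted in the thread).
    $comment = (string)($post['comment'] ?? '');
    if (strlen($comment) > 2000) {
        $errors['comment'] = 'too long';
    } elseif (preg_match('/[^\P{Cc}\n\r\t]/u', $comment)) {
        $errors['comment'] = 'contains control characters';
    } elseif (preg_match('#https?://|www\.|<[a-z!/]#i', $comment)) {
        $errors['comment'] = 'links and HTML are not accepted';
    }

    return $errors;
}

// Returns true only when the submission passed every test; the original
// save-to-file and autoresponder logic belongs after that point and nowhere else.
function handle_request(array $post): bool
{
    $errors = validate_submission($post);
    if ($errors !== []) {
        http_response_code(400);
        foreach ($errors as $field => $msg) {
            echo htmlspecialchars("$field: $msg", ENT_QUOTES, 'UTF-8'), "<br>\n";
        }
        return false;          // stop here: nothing is saved, nothing is mailed
    }
    return true;
}

// Constructed sample shaped like the spam quoted in the thread (addresses are
// example.com placeholders): name with an embedded line break, a list of
// addresses instead of one, and a link plus a tag in the comment.
$spam = [
    'formtype' => 'J',
    'name'     => "Viagra\nViagra",
    'email'    => 'tammy@example.com, other@example.com',
    'comment'  => 'Really nice site. <a href="http://example.invalid/x">discount pills</a>',
];
handle_request($spam);   // reports errors for name, email and comment and returns false
```

    The allow-list shape matters more than the particular patterns: a deny-list of characters such as // < > : | is easy to get around, while "only these characters, only this length, only one address" leaves nothing for the submitter to tune.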

  • #3 New Coder
    Wow, thanks. Let me make sure I understand -

    So using, say PHP, to validate form data server side instead of doing it with JS client side would be a better choice (more secure) and would avoid those with JS turned off - yes?

    You said:
    Each form field must be tested to insure that it only contains allowed contents
    I follow the first part, but you lose me at:
    and/or don't place any of the form fields into the mail(...) extra header field.
    Can you explain this? I use a form that posts to a PHP file for saving the data, I do not know much about headers.

    Thank you,

  • #4 CFMaBiSmAd (Senior Coder)
    If your form does not cause an email to be sent, you can disregard the references to mail(...) and header injection. It was just a guess as this is the most common abuse of a form to send spam and there was no specific information in your first post to guess otherwise.

    Depending on how the contents of your file get used, they could be trying to use code injection instead, to cause their content to be displayed on your web site (edit: or to attempt to collect information from your visitors, such as login information or more seriously, credit card info, depending on what your site is) or to get their code to be saved to a file in such a way that they can call it to perform any action on your server that PHP is capable of.

    Since whoever is doing this seems persistent, they must be receiving some benefit from continuing to do it. If it is only getting saved to a file and only you see it, they would probably stop.
    Last edited by CFMaBiSmAd; 01-23-2007 at 03:22 AM.

  • #5 New Coder
    Hum....

    Thank you so much for the info, what an eye opener.

    I do just collect basic info, name, email, and their request and save it to a txt file which gets emailed the next day as an attached txt file.

    This guy sends about 12 of these a day.... here is one -
    Really nice interesting site. thank you for it. <a href="http://people.colgate.edu/dsturges/_kbas/00000234.htm?discount-viagra">discount viagra</a> http://people.colgate.edu/dsturges/_...iscount-viagra discount viagra <a href="http://flingk.com/bk98yol">generic cialis</a> http://flingk.com/bk98yol generic cialis <a href="http://people.colgate.edu/dsturges/_kbas/0000021d.htm?buy-cialis">buy cialis</a> http://people.colgate.edu/dsturges/_...htm?buy-cialis buy cialis <a href="http://www.bneatar.com/boss/desc_gen2.htm?buy-cialis">buy cialis</a> http://www.bneatar.com/boss/desc_gen2.htm?buy-cialis buy cialis <a href="http://kisaweb.com/o5m">buy levitra</a> http://kisaweb.com/o5m buy levitra <a href="http://people.colgate.edu/dsturges/_kbas/0000021c.htm?generic-cialis">generic cialis</a> http://people.colgate.edu/dsturges/_...generic-cialis generic cialis Viagra Viagra <Street> <Street> Barcelona <State> <ZIP> Lebanon tammy@dailymail.com 811836224794
    I am concerned about this part of what you mentioned:
    or to get their code to be saved to a file in such a way that they can call it to perform any action on your server that PHP is capable of.
    How can I protect myself from this ever happening?

    Thank you so much,

  • #6 felgall (Master Coder)
    The server side processing should validate all of the form fields passed to it to make sure that they contain acceptable values. This can be a combination of the server side equivalent of the javascript code you already added plus some more general conversions using the native functionality built into the server side language that will convert potentially malicious content into less harmful garbage (e.g. the PHP htmlentities function converts anything that could be treated as HTML into the text equivalent).
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.

  • #7 Senior Coder

    Form protection

    The issue of form protection, email injection, etc. was raised here a while ago; that resulted among others in the following link to a post that contains a number of useful resources: Securing PHP forms. Perhaps this will provide you with some additional info on the topic.
    Regards,
    Ronald.
    ronaldvanderwijden.com

  • #8 New Coder
    Thanks Ronald, Stephen and CFMaBiSmAd!

    This is a big help, I'm fixing up my forms....

    Where can I learn more (at a PHP basic level) about people sending exe code to my php files and then executing it?

    ~Jami
    Last edited by CurrentWave; 01-23-2007 at 04:29 PM. Reason: missed previous post

  • #9 CFMaBiSmAd (Senior Coder)
    It is unlikely that a .exe file would be involved, however, a PHP script could execute operating system functions through an exec(...)/system(...) or similar function call.

    If the question in your last post is based on this -
    Depending on how the contents of your file gets used, they could be trying to use code injection instead, to cause their content to be displayed on your web site (edit: or to attempt to collect information from your visitors, such as login information or more seriously, credit card info, depending on what your site is) or to get their code to be saved to a file in such a way that they can call it to perform any action on your server that PHP is capable of.
    Don't overreact. My statement starts with a conditional statement - Depending on... and ends with a limitation - ...that PHP is capable of.

    As to your question, if (another conditional statement) your existing code allowed content from the form to contain PHP script and this gets written to a file, say one ending in .php and/or it gets written to a file with an arbitrary name (the file name gets passed as a hidden form field...), then it might be possible for someone to place PHP code into a file on your server that he could then browse to and execute. Another possibility, if (a conditional statement again) the file that gets written is then executed as code or a template (through the include(...) or eval(...) functions), then code that came through the form would then be executed on your server.
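    An added example, not code from this thread, putting together felgall's advice in #6 (convert anything HTML-like into its text equivalent) and CFMaBiSmAd's conditions in #9 (the file name must not come from the form, and the saved file must never be include()d or eval()ed). The file path, the one-record-per-line JSON layout and the sample record are choices made here, not something the thread prescribes; the file is assumed to live outside the web root so it can never be browsed to.

```php
<?php
// Added example: store form submissions so that nothing in them can become
// code or a second record, and escape only when the data is displayed.
// DATA_FILE is an assumed path outside the document root; it is fixed in code
// and no hidden form field takes part in choosing it.

const DATA_FILE = '/var/www/private/catalog.txt';

function append_submission(array $fields): bool
{
    $record = [
        'received' => date('c'),
        'name'     => $fields['name'],
        'email'    => $fields['email'],
        'comment'  => $fields['comment'],
    ];
    // json_encode escapes line breaks and quotes, so a comment with embedded
    // newlines stays on one line and cannot pose as a new record.
    $line = json_encode($record, JSON_UNESCAPED_UNICODE);
    if ($line === false) {
        return false;
    }
    // LOCK_EX keeps two simultaneous submissions from interleaving half lines.
    return file_put_contents(DATA_FILE, $line . "\n", FILE_APPEND | LOCK_EX) !== false;
}

function read_submissions(): array
{
    if (!is_file(DATA_FILE)) {
        return [];
    }
    $records = [];
    foreach (file(DATA_FILE, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $rec = json_decode($line, true);   // parsed as data; never include()d or eval()ed
        if (is_array($rec)) {
            $records[] = $rec;
        }
    }
    return $records;
}

// Display step: every value passes through htmlentities, so a stored <a> or
// <script> is shown as literal text instead of being treated as HTML.
function render_submissions_html(array $records): string
{
    $html = "<table>\n";
    foreach ($records as $rec) {
        $html .= '<tr>';
        foreach (['received', 'name', 'email', 'comment'] as $key) {
            $value = (string)($rec[$key] ?? '');
            $html .= '<td>' . htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
        }
        $html .= "</tr>\n";
    }
    return $html . "</table>\n";
}

// Constructed sample in the shape of the spam quoted in #5 (placeholder address
// and URL). Appended, read back and rendered, the link shows up as plain text.
$sample = [
    'name'    => 'Viagra Viagra',
    'email'   => 'tammy@example.com',
    'comment' => "Really nice site.\n<a href=\"http://example.invalid/x\">discount pills</a>",
];
if (append_submission($sample)) {
    echo render_submissions_html(read_submissions());
}
```

    The nightly merge job described later in the thread can keep working on this file unchanged: it is still a text file with one submission per line, only now a line is always a complete record.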

  • #10 New Coder
    Not overreacting/panicking yet thanks to the good explanations here.

    However, I know that things you don't understand have a way of making you vulnerable and I am very aware of my lack of knowledge in this area.

    Background:
    What I have set up so far is a simple html form, which sends one hidden value something like this:
    <input alt="form element" type="hidden" name="formtype" value="J">
    This posts to a php file.

    The php file (1) sends out a thank you email (autoresponder) (2) displays a Thank you in html, and (3) opens a text file, appends the data and closes the text file. File name example: catalog.txt

    I use a mime_mail.inc that I got off the Net, which I partly understand (lack of PHP knowledge showing) - here it is:

    PHP Code:
    <?php

    class mime_mail
    {
       var $parts;
       var $to;
       var $from;
       var $headers;
       var $subject;
       var $body;

       /*
        *     void mime_mail()
        *     class constructor
        */
       function __construct() {      // the original used the PHP 4 style name mime_mail(), which PHP 8 no longer accepts as a constructor
          $this->parts = array();
          $this->to = "";
          $this->from = "";
          $this->subject = "";
          $this->body = "";
          $this->headers = "";
       }

       /*
        *     void add_attachment(string message, [string name], [string ctype])
        *     Add an attachment to the mail object
        */
       function add_attachment($message, $name = "", $ctype = "application/octet-stream") {
          $this->parts[] = array(
                "ctype"   => $ctype,
                "message" => $message,
                "encode"  => "base64",   // the original read an undefined $encode here; build_message() always base64-encodes
                "name"    => $name
          );
       }

       /*
        *      void build_message(array part)
        *      Build one part of a multipart mail
        */
       function build_message($part) {
          $message  = $part["message"];
          $message  = chunk_split(base64_encode($message));
          $encoding = "base64";
          return "Content-Type: ".$part["ctype"].
                 ($part["name"] ? "; name = \"".$part["name"]."\"" : "").
                 "\nContent-Transfer-Encoding: $encoding\n\n$message\n";
       }

       /*
        *      void build_multipart()
        *      Build a multipart mail
        */
       function build_multipart() {
          $boundary  = "b".md5(uniqid(time()));
          $multipart = "Content-Type: multipart/mixed; boundary = $boundary\n\nThis is a MIME encoded message.\n\n--$boundary";

          for ($i = sizeof($this->parts)-1; $i >= 0; $i--)
          {
             $multipart .= "\n".$this->build_message($this->parts[$i])."--$boundary";
          }
          return $multipart .= "--\n";
       }

       /*
        *      string get_mail()
        *      returns the constructed mail
        */
       function get_mail($complete = true) {
          $mime = "";
          if (!empty($this->from))
             $mime .= "From: ".$this->from."\n";     // $from becomes a header line
          if (!empty($this->headers))
             $mime .= $this->headers."\n";            // $headers is appended verbatim

          if ($complete) {
             if (!empty($this->to)) {
                $mime .= "To: $this->to\n";
             }
             if (!empty($this->subject)) {
                $mime .= "Subject: $this->subject\n";
             }
          }
          if (!empty($this->body))
             $this->add_attachment($this->body, "", "text/plain");
          $mime .= "MIME-Version: 1.0\n".$this->build_multipart();

          return $mime;
       }

       /*
        *      void send()
        *      Send the mail (last class-function to be called)
        */
       function send() {
          $mime = $this->get_mail(false);
          mail($this->to, $this->subject, "", $mime);   // $mime, From: and all, is passed as mail()'s extra headers
       }

    }
    // end of class

    ?>
    I have 4 forms on the website saving data to their own text files, and emailing copies to me for back up. At midnight I run a cron job which runs a php file that opens all these text files, appends their data to one master text file and emails it to the office, saves a backup on the server and then it cleans out all the text files so they are ready to start again for the next day.

    I followed the links and reading suggested by Ronald, but a lot of it is a bit over my head. I'm sure on my second read I'll pick up even more but it's hard to read Greek! Or is that geek :-) Information that can't be digested is like eating wood.

    So far this guy is only spamming one of my forms. My forms collect name, address, email, sometimes radio selections and whatever they put in the comment text box. People request catalogs or other support materials with these forms.

    Sounds like - when (not a conditional statement)
    (1) I validate all my incoming data in my process.php file
    (2) deal with html tags using htmlentities function, and
    (3) check for incoming php code I should be a lot safer
    (a relative term nowadays I know). I still am lost when it comes to headers, and if my php emailing is giving away important info - Oh my, more geek reading for me.

    Thanks again, I really appreciate the education!
    Last edited by CurrentWave; 01-23-2007 at 06:57 PM. Reason: Typos of course.

  • #11 CFMaBiSmAd (Senior Coder)
    Your form does directly cause an email to be sent, the autoresponder. And in fact, the message is built in the $mime variable, which is then placed into the mail(...) function as the extra header. There is a very good chance that your form processing code is being used to send SPAM out through your mail server. The To: field can contain any number of To: email addresses and it can also close out any existing header, then add any other header it wants, such as CC:, BCC:, From:...

  • #12 New Coder
    So....

    It is (best practice) not to send out any email from the php that receives incoming form data - yes? What is recommended instead?

    You lost me on the rest - except for the fact that I expected I was vulnerable and you're confirming that, that much I am following.

    I read all about this from one of Ronald’s links - http://www.securephpwiki.com/index.php/Email_Injection
    Here I learned about multiple To, Bcc, Subject etc. being injected, and additional headers, but couldn't follow/understand enough to know how to fix it.

    I find more long detailed info on the problem than I do on a clear solution - Oy! This vulnerability in my code hurts the whole community....

    So I have this security problem - what do I do?

    Thanks,

    Jami

  • #13 CFMaBiSmAd (Senior Coder)
    The most immediate thing I would do would be to disable/comment out the sending of the autoresponder email. You send them to a thank-you page anyway.

    Once you get the code secured, then either re-enable the autoresponder email, or send these manually for legitimate looking contacts.
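    An added example, not code from this thread or from the author of mime_mail.inc, showing the remediation laid out in #11 and #13: the autoresponder stays switched off until the code is secured, and once it is switched back on no form value is allowed to shape a mail header. It assumes the mime_mail class posted in #10 is available as mime_mail.inc; the sender address, the subject text and the message body are assumptions.

```php
<?php
// Added example: calling the autoresponder without giving the submitter any
// say over the headers. Assumes mime_mail.inc holds the class from post #10.

require 'mime_mail.inc';

const AUTORESPONDER_ENABLED = false;        // post #13: off first, back on once the code is secured
const SITE_FROM = 'catalog@example.com';    // assumed fixed sender; never the form's email field

// The wiring the thread warns about, kept here only as a comment:
//   $m->from = $_POST['email'];   // get_mail() turns this into a From: line in mail()'s extra headers
//   $m->to   = $_POST['email'];   // accepted as-is, so it may hold a whole list of addresses
// A line break inside either value ends one header and starts the next.

/** True only for one well-formed address with no line breaks or list separators. */
function single_recipient(string $candidate): bool
{
    $candidate = trim($candidate);
    if ($candidate === '' || strlen($candidate) > 254) {
        return false;
    }
    if (preg_match('/[\r\n\x00,;\s]/', $candidate)) {   // no header breaks, no address lists
        return false;
    }
    return filter_var($candidate, FILTER_VALIDATE_EMAIL) !== false;
}

/** Sends the thank-you mail; returns false whenever it was skipped. */
function send_autoresponder(string $submitterEmail): bool
{
    if (!AUTORESPONDER_ENABLED) {
        return false;                       // the thank-you page is shown regardless
    }
    if (!single_recipient($submitterEmail)) {
        error_log('autoresponder skipped: recipient failed validation');   // no user data in the log line
        return false;
    }

    $m = new mime_mail();
    $m->from    = SITE_FROM;                                // fixed: this is what becomes the From: header
    $m->headers = '';                                       // nothing extra, and nothing from the form
    $m->to      = $submitterEmail;                          // one validated address
    $m->subject = 'Thank you for your catalog request';     // fixed text, no form data
    $m->body    = "Thank you for your request. Your catalog will be posted shortly.\n";
    $m->send();
    return true;
}

// Usage inside the form handler, only after every field has been validated:
//   send_autoresponder($_POST['email']);
```

    The two properties that end up in the extra-headers argument, $from and $headers, are the ones to keep constant; $to is checked separately because it is passed to mail() as the recipient list, and one submission should ever produce one recipient.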

