  1. #1
    Regular Coder
    Join Date
    Apr 2003
    Location
    Montreal, QC
    Posts
    340
    Thanks
    3
    Thanked 2 Times in 2 Posts

    Weird Form Input

    Hello,

    On my site I have a form to send E-mail to me. Also, it can add you to my mailing list.

    Recently I have been getting weird stuff from it, for example:

    Code:
    e7a17bfa92b1bcc0af48a333b3c59d6
    .
    
    X-Mailer: PHP/4.3.11
    
    From:  roof5473@the-ballet.com roof5473@the-ballet.com  ( days
    Content-Type: text/plain; charset="us-ascii"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit
    Subject: tree boughs, the swings fly
    bcc: charleses3229@aol.com
    
    9e7a17bfa92b1bcc0af48a333b3c59d6
    .
     )
    
    roof5473@the-ballet.com
    I'm not sure if someone's trying to put HTML into the form or if they're trying to hack the database. Anyone have any ideas?

    Also, can someone point me in the direction of a script or instructions on how to prevent this?
    Search for Laughter or Just Search?
    GiggleSearch.org
    Blog: www.johnbeales.com
    All About Ballet: www.the-ballet.com

  • #2
    Regular Coder Element's Avatar
    Join Date
    Jul 2004
    Location
    Lynnwood, Washington, US
    Posts
    855
    Thanks
    2
    Thanked 2 Times in 2 Posts
    I've had them before as well, I think it might just be bots crawling your site and trying to spam away.

  • #3
    Super Moderator
    Join Date
    May 2002
    Location
    Perth Australia
    Posts
    4,058
    Thanks
    10
    Thanked 96 Times in 94 Posts
    someone is probably using your form to send spam ... google for `header injection` for more info & workarounds
    resistance is...

    MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)

  • #4
    Regular Coder
    Join Date
    Apr 2003
    Location
    Montreal, QC
    Posts
    340
    Thanks
    3
    Thanked 2 Times in 2 Posts
    Thanks,

    I'm googling now. I'll post a solution if I find one.

  • #5
    Regular Coder
    Join Date
    Apr 2003
    Location
    Montreal, QC
    Posts
    340
    Thanks
    3
    Thanked 2 Times in 2 Posts

    The Solution....

    So, I found a great resource that explains header injection and how to start fixing it: http://securephp.damonkohler.com/ind...mail_Injection

    I also found another page where the guy actually automatically blocks IPs that attempt to perform header injection on his form: http://randomfoo.net/blog/id/4014
    Notice how he uses a different method of recognizing the attack.

    I believe that by combining advice from the two pages a lot can be done. I have taken action and will see how well it works.

    John

  • #6
    Super Moderator
    Join Date
    May 2002
    Location
    Perth Australia
    Posts
    4,058
    Thanks
    10
    Thanked 96 Times in 94 Posts
    cool, I just today found out an old form of mine was being targeted via header injection. Luckily I receive a copy of all mails for that form so I found out pretty quick ... a bit embarrassing though ... guess I better go check all the other forms I made before I started to consider these types of attack.

    Spammers ...
    may the fleas of a thousand Camels infest their ********

  • #7
    New Coder
    Join Date
    Sep 2005
    Posts
    36
    Thanks
    0
    Thanked 0 Times in 0 Posts
    You might also be interested in the following links:
    http://www.nyphp.org/phundamentals/e..._injection.php
    http://www.anders.com/projects/sysad...PostHijacking/
    http://blogs.apress.com/archives/000633.html

    Also, in the most recent php architect Chris Shiflett writes about the problem.

    it's a serious problem because these bots try (and can succeed) in sending hundreds or thousands of spam mails from your domain. You even risk being banned by your host or other parties for sending the spam.

    There are many solutions out there but they all basically are: filter your input well. Make sure the data you process is the kind you want and in this case prevent any newlines from being injected in the headers of the mail() function.

    The best solution in my opinion is to place normal input validation specific to each form field in your script (like checking for alpha-numeric usernames, numeric telephone numbers, a valid email address pattern with a solid regex, etc) and then on top of that you can use a very easy to use php function as a defense in depth measure: ctype_print(). Like the example Chris gives:
    PHP Code:
    <?php
    $clean = array();

    // Only accept something shaped like an address; \s in the character class
    // already refuses whitespace, including CR and LF.
    $email_pattern = '/^[^@\s<&>]+@([-a-z0-9]+\.)+[a-z]{2,}$/i';
    if (preg_match($email_pattern, $_POST['email']))
    {
        $clean['email'] = $_POST['email'];
    }

    // Defense in depth: ctype_print() is false for any control character.
    if (isset($clean['email']) && ctype_print($clean['email'])) {
        // email does not contain newlines or carriage returns.
    }
    ?>
    Of course, you can replace the email pattern with your own/ some other.
    I think that's a better solution than trying to block IPs (which aren't that reliable)
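The advice in posts #3, #5 and #7 (reject anything that can break a mail header, validate each field for what it should contain) and the logging suggested later in post #9 can be put together in one form handler. The following is an added example written for this page, not code from the thread or from the linked articles; the field names, the recipient address, the log path and the sample IP are assumptions, and the sample POST data is constructed to resemble the injected headers shown in the first post.

```php
<?php
// Added example: a hardened "e-mail me / join my list" form handler.
// Field names, recipient, log path and sample IP are assumptions.

// True when a value contains a control character (CR, LF, etc.): the only way
// an extra "bcc:" or "Content-Type:" line can be smuggled into a header.
function has_header_break(string $value): bool
{
    // ctype_print() returns false for any control character, and also for ''.
    return $value !== '' && !ctype_print($value);
}

// Same address pattern as the Chris Shiflett example quoted above.
function valid_email(string $value): bool
{
    $email_pattern = '/^[^@\s<&>]+@([-a-z0-9]+\.)+[a-z]{2,}$/i';
    return (bool) preg_match($email_pattern, $value);
}

// Validate every field separately; header-bound fields get the control
// character check, the body only gets a length bound (newlines are fine there).
function clean_contact_input(array $post): array
{
    $errors = [];
    $clean  = [];

    $email = isset($post['email']) ? trim((string) $post['email']) : '';
    if (!valid_email($email) || has_header_break($email)) {
        $errors[] = 'email';
    } else {
        $clean['email'] = $email;
    }

    $subject = isset($post['subject']) ? trim((string) $post['subject']) : '';
    if ($subject === '' || strlen($subject) > 120 || has_header_break($subject)) {
        $errors[] = 'subject';
    } else {
        $clean['subject'] = $subject;
    }

    $message = isset($post['message']) ? (string) $post['message'] : '';
    if ($message === '' || strlen($message) > 5000) {
        $errors[] = 'message';
    } else {
        $clean['message'] = $message;
    }

    return ['clean' => $clean, 'errors' => $errors];
}

// Keep what post #9 suggests for an abuse report: timestamp, remote IP and
// which fields failed. Appends one line per rejected submission.
function log_rejected_attempt(array $errors, string $remote_ip, string $log_file): void
{
    $line = sprintf("%s ip=%s rejected=%s\n", date('c'), $remote_ip, implode(',', $errors));
    file_put_contents($log_file, $line, FILE_APPEND | LOCK_EX);
}

// Constructed sample input: the address field carries an injected Bcc line,
// the same shape as the headers pasted in the first post.
$sample_post = [
    'email'   => "roof5473@example.com\r\nbcc: someone@example.net",
    'subject' => 'tree boughs, the swings fly',
    'message' => 'Hello',
];

$result = clean_contact_input($sample_post);
if ($result['errors']) {
    // '203.0.113.5' is a constructed sample; in a real handler use $_SERVER['REMOTE_ADDR'].
    log_rejected_attempt($result['errors'], '203.0.113.5', '/tmp/contact-rejects.log');
    echo 'Rejected fields: ' . implode(', ', $result['errors']) . "\n";
} else {
    // Only validated values reach mail(); the recipient is fixed server-side,
    // so the form can never be turned into an open relay.
    $headers = 'From: ' . $result['clean']['email'] . "\r\n"
             . "Content-Type: text/plain; charset=\"us-ascii\"\r\n";
    mail('me@example.com', $result['clean']['subject'], $result['clean']['message'], $headers);
}
```

Run with `php handler.php`: the constructed sample prints `Rejected fields: email`, because the regex fails on the CR/LF and `has_header_break()` would refuse it even if the pattern were looser. Putting the recipient in the script rather than in a hidden form field matters as much as the filtering; a submitted recipient is the other half of what a spam bot is looking for.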

  • #8
    Regular Coder
    Join Date
    Apr 2003
    Location
    Montreal, QC
    Posts
    340
    Thanks
    3
    Thanked 2 Times in 2 Posts
    So, I have been keeping track of the injection attempts on my script. Is there someone I can report this to? Like a law enforcement agency or something? My script is no longer sending spam but someone's trying to, and it's using my server resources.

    Also, can someone point me to a page about preventing similar style attacks on my database? i.e. I don't want anyone entering 'DROP DATABASE' or something similar into a field that would usually be used to add a record to the database.

    Would simply doing a search for semicolons and killing the script if they're found, (like I have done for new lines to prevent header injection), be sufficient?

    John

  • #9
    Regular Coder goughy000's Avatar
    Join Date
    Nov 2005
    Location
    England
    Posts
    415
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Is there someone I can report this to? Like a law enforcement agency or something?
    See if you can find the IPs of people/bots trying to use your form. Also any other data possible that might help track them down, e.g. time, date, etc.

    Then do an IP lookup and you should be able to find an abuse email for the ISP, get in touch with them.

    Supplying any evidence and the data I suggested should help

  • #10
    Regular Coder
    Join Date
    Apr 2003
    Location
    Montreal, QC
    Posts
    340
    Thanks
    3
    Thanked 2 Times in 2 Posts
    I've got IP's, so I'll see what I can do.

  • #11
    Super Moderator
    Join Date
    May 2002
    Location
    Perth Australia
    Posts
    4,058
    Thanks
    10
    Thanked 96 Times in 94 Posts
    Would simply doing a search for semicolons and killing the script if they're found, (like I have done for new lines to prevent header injection), be sufficient?
    problem is that there are often semicolons in legitimate input as well...
    that said if you are using MySQL then the common semicolon attack will not work since MySQL does not do chained queries in the same way that SQLserver etc do so this won't work in mysql (v3 & v4 , unsure about v5)

    /page.php&id=1;drop%20table%20users
    ....
    mysql_query("SELECT * FROM users WHERE id={$_GET['id']}");

    So with the above & using MySQL anything after the semicolon is ignored.
    in SQL server if the syntax is correct it's possible that the second statement will work.

    Ideally above you would either check that $_GET['id'] is an int (since that's what you are expecting) and exit if a string is passed , or cast to an int() which makes the query safe but might upset your query.

    However , it's still possible to inject into the above query ...

    /page.php&id=0%20OR%20user%20>0
    ....
    mysql_query("SELECT * FROM users WHERE id={$_GET['id']}");

    MySQL allows you to wrap integers in single quotes WHERE id='{$_GET['id']}'
    this in itself makes your query safer, so whilst it's MySQL specific , use it ! ... but note that without addslashes/mysql_real_escape_string/magic_quotes etc going on it's still vulnerable.
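Post #11 recommends checking that `$_GET['id']` really is an integer before it goes anywhere near the query, and exiting if it is not. The following is an added example for this page, not code from the thread: it does that check, and then passes the value to the database as a bound parameter rather than splicing it into the SQL string, which is what makes both inputs from the post harmless regardless of the database engine. It uses an in-memory SQLite database through PDO so it runs offline; the `users` table, its rows and the function names are constructed for illustration.

```php
<?php
// Added example: validate the id, then bind it instead of interpolating it.
// Table, rows and function names are constructed for illustration.

// Accept only a plain decimal string. '1;drop table users' and '0 OR user >0'
// (the two inputs from the post, URL-decoded) both fail this test, so the
// script refuses them instead of silently casting them to 1 and 0.
function parse_user_id(string $raw): ?int
{
    $raw = trim($raw);
    if ($raw === '' || !ctype_digit($raw) || strlen($raw) > 10) {
        return null;
    }
    return (int) $raw;
}

function find_user(PDO $db, string $raw_id): ?array
{
    $id = parse_user_id($raw_id);
    if ($id === null) {
        return null;   // refuse rather than guess, as the post suggests
    }
    // The placeholder is sent to the driver separately from the SQL text, so
    // the shape of the statement cannot change whatever the input contains.
    // This does not depend on MySQL-specific quoting or on addslashes().
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed fixture: an in-memory database with two rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

// The two inputs from post #11 plus one legitimate value.
foreach (['1;drop table users', '0 OR user >0', '2'] as $input) {
    $user = find_user($db, $input);
    printf("%-20s => %s\n", $input, $user === null ? 'rejected' : $user['name']);
}
```

Running it prints `rejected` for the first two inputs and `bob` for the third. The validation step answers the question asked in post #8 more reliably than scanning for semicolons: a whitelist of what the field may contain (here, digits only) rejects every unexpected shape, including the `OR` form that contains no semicolon at all. For text fields, where a whitelist is impractical, the bound-parameter step is the one that carries the weight.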

  • #12
    Regular Coder
    Join Date
    Apr 2003
    Location
    Montreal, QC
    Posts
    340
    Thanks
    3
    Thanked 2 Times in 2 Posts
    Hmmm. I think I'll be ok then - I use addslashes pretty much everywhere, although I should check it.

