Problem with php mail script being hijacked

noimad1

I have a simple php mail script that I use to send out mail based on a form that someone fills out on my site. However, someone has gotten that form, and is posting their own data from their own location, and sending out spam.

I'm sure there is a way to prevent this? Anyone have any ideas?

bpat1434

You could chekc the referrer, or add a hidden field in your form...

~Brett

_theworks

Visual authentication... like dynamicly create a image with a random string in it...
you see examples of this on alot of websites...

noimad1

_theworks wrote:
Visual authentication... like dynamicly create a image with a random string in it...
you see examples of this on alot of websites...

Now that sounds interesting. How do you go about doing that? And if you randomly generate a string, how do you verify that is the correct string on the flip side?

bpat1434

Well... here's one way...

verify.php

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
    "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
  <title></title>
</head>

<body>
<?php

include_once('random_image.php');

if(isset($_POST) && !empty($_POST))
{
	$passcode = $_POST['passcode'];
	$usrinput = md5($_POST['usrinput']);

if($passcode == $usrinput)
{
	echo 'Perfect!!  Verified!!';
}
else
{
	echo 'Not Verified!!';
}

echo '<hr />';
}
?>
<form action="<?php $_SERVER['PHP_SELF']; ?>" method="POST">
<img src="random.png" alt="Random Image" /><br />
Text: <input type="password" name="usrinput" />
<input type="hidden" name="passcode" value="<?php echo md5($string); ?>" /><br />
<input type="submit" value="Verify!!" />
</form>
</body>

</html>

random_image.php

<?php
$fontroot = 'C:\WINDOWS\Fonts\\';
$fonts = array('GARA.TTF', 
		 'COPRGTB.TTF',
		 'comicbd.TTF',
		 'PAPYRUS.TTF');

$string = date('Md', mktime(0,0,0, rand(1,12), rand(0,60),0));
$im = ImageCreate(250, 75);

$background = ImageColorAllocate($im, 255, 255, 255);

for($i=1; $i<11; $i++)
{
	$r = rand(0,244);
	$g = rand(0,244);
	$b = rand(0,244);

$color[] = ImageColorAllocate($im, $r, $g, $b);
}

ImageFill($im, 0, 0, $background);

for($i=0; $i<strlen($string); $i++)
{
	//ImageString($im, rand(20,50), ($i*20)+15, rand(25,40), $string{"$i"}, $color[rand(0,9)]);
	imagettftext($im, rand(12, 20), rand(25, -25), ($i*25)+45, rand(20,50), $color[rand(0,9)], $fontroot.$fonts[rand(0,3)], $string{"$i"});
}

//header('Content-Type: image/png');
ImagePNG($im, 'random.png');
ImageDestroy($im);

?>

That script will generate a random date, and put it in the image. Each letter will be a different color, different height, and different position, but still readable. It also randomizes the fonts (3 to choose from) and the font-size. If the image doesn't come out, try switching the commented function for the one that is there.

Basically, we encode the string in a hidden field. Then, on the other side, we double md5() the user input "password" and md5() once the hidden field value. Then, if they decide to take the value from the hidden field and input it into the text area, it won't work because that will be md5()ed 3 times, not twice and they will never match.

Now, it's not full proof, but it gets what you want.

~Brett

noimad1

bpat1434 wrote:
You could chekc the referrer, or add a hidden field in your form...

~Brett

Brett,

Thanks for the info on the visual confirmation. I would like to do this the easiest way possible since it is happening to many of my users scripts. Maybe checking the referrer would be easier. I'm sure that is pretty easy to get. Would you mind giving me the code to get the referrer? I tried to search the manual, but couldn't find anything on it?

bpat1434

the referer is in the $_SERVER global array...

$_SERVER['HTTP_REFERER']

However, the visual confirmation would work MUCH better since you can manually set the referer via PHP header().

~Brett

noimad1

bpat1434 wrote:
the referer is in the $_SERVER global array...

$_SERVER['HTTP_REFERER']

However, the visual confirmation would work MUCH better since you can manually set the referer via PHP header().

~Brett

Ah, I see. Ok, I'm testing out the image verifcation now. Was that written for a windows machine? What do I do for the fonts section if I am on a linux machine?

bpat1434

Yes it was written for a windows machine.

Just point the "$fontroot" to the font root of the Linux machine, or the path from the docroot to a folder with holding fonts for it.

$fontroot = $_SERVER['DOCUMENT_ROOT'].'/my/app/fonts/';
$fonts = array('fontname.ttf');

~Brett

noimad1

bpat1434 wrote:
Yes it was written for a windows machine.

Just point the "$fontroot" to the font root of the Linux machine, or the path from the docroot to a folder with holding fonts for it.

$fontroot = $_SERVER['DOCUMENT_ROOT'].'/my/app/fonts/';
$fonts = array('fontname.ttf');

~Brett

Perfect, works great!

bpat1434

great!!

fascom746

I also have a form please help me in configuring the above verfication code. so that after code verification confirmation email send out my code is

//==================send confirmation mail================
		$sb_null_char=$config["sb_null_char"];
		$signup_url=$config["sb_site_root"]."/addmember.php?rnum=$rnum&email=".$_REQUEST["email"];
		$sql = "SELECT * FROM b2b_mails where sb_mailid=22" ;
		$rs_query=mysql_query($sql);

	if ( $rs=mysql_fetch_array($rs_query)  )
	  	{
				 $from =$rs["sb_fromid"];

				 $to = $_REQUEST["email"];

				 $subject =$rs["sb_subject"];

				 $header="From:" . $from . "\r\n" ."Reply-To:". $from  ;

				 $body=str_replace("%email%", $_REQUEST["email"],str_replace("%password%",$sb_null_char,str_replace("%lname%", $sb_null_char,str_replace("%fname%", $sb_null_char,str_replace("%username%", $sb_null_char, $rs["sb_mail"]) )))); 
				$body=str_replace("%signup_url%",$signup_url,str_replace("%login_url%",$sb_null_char,$body));

			 	if(isset($rs["sb_html_format"])&&($rs["sb_html_format"]=="yes"))
				{
					$header .= "MIME-Version: 1.0\r\n";
					$header .= "Content-type: text/html; charset=iso-8859-1\r\n";
		//			$body=str_replace("\n","%br%",$body);
				}

//echo "--from:-$from----to:-$to---sub:-$subject----head:-$header----";
//echo "<pre>$body</pre>";
//die();

			if( $rs["sb_status"]=='yes')
 				mail($to,$subject,$body,$header);

		}

blackhorse

You need do the email validation check on the $_REQUEST['email'].

Search the forum or Internet, there were enough threads talking about email header injection attacks. Although the attacks are on the email headers part, mostly by play with email from field, and they get their list insert as cc or bcc. But you use the $_REQUEST['email'] in the emailto not emailfrom

But there is still some tricks they can play with the emailto: field.