A friend of mine hired a sketchy dude who turned out to be not just inept but possibly criminal. This guy created a custom 404 page that prompts the user for a little more info about the problem. Today, the webmaster at his firm started getting thousands of emails referencing a Brazilian transsexual porn site (tasty!).
I can see some issues with the code but am wondering just how bad this might be from a security standpoint.
Here's the 404 page that prompts for more info. It seems like a really bad idea to me to have the entire contents of $_SERVER echoed into your form.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
    "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<?
session_name('myfriendsupport');
session_start();
if ($_SESSION['user']!='') {
    include "secure_site/functions/db.php";
    include "secure_site/functions/logging.php";
    logActivity("Invalid Page",$cid);
}
?>
<title>Page Not Found</title>
</head>
<body style="margin: 0">
<table width="100%" border="0" cellpadding="0" cellspacing="0" style="height: 69px">
  <tr>
    <td height="50" align="center" style="background-image:url(/images/head_bg.gif)">
      <table width="750" border="0" cellspacing="0" cellpadding="0">
        <tr>
          <td><a href="http://www.myfriendsdomain.com"><img src="/images/myfriend_header_logo.gif" width="200" height="50" border="0"></a></td>
        </tr>
      </table>
    </td>
  </tr>
</table>
<center>
<p>Sorry, the page you are attempting to access does not exist or could not be found.<br><br>
If you wish, you may fill out the requested information and click the button below to submit a report to the webmaster.</p>
<?php
$err_file = $_SERVER['DOCUMENT_ROOT'] . $_SERVER['REQUEST_URI'];
?>
<form name="sub" action="http://www.myfriendsdomain.com/notfound_report.php" method="POST">
  <input type="hidden" name="attempt" value="<?php echo $err_file; ?>" />
  <input type="hidden" name="serverinfo" value="<? print_r($_SERVER); ?>" />
  Please give us a little more information such as the page you were attempting<br>
  to access or the location of the broken link:<br><br>
  <center><textarea name="moreinfo" rows="10" cols="60"></textarea></center> <br><br>
  Please give us your email address in case we need more information:<br><br>
  <input type="text" name="email" size="40" >
  <input type="submit" name="submit" value="Submit Report" />
</form>
</center>
</body>
</html>
Then there is the form that handles the submission. I'm still trying to figure out where 'security_code' might get set into $_SESSION and also into $_POST, but no luck yet. It would appear that it is in fact being done, however, because emails do get sent from this page:
<?php
if ($_SERVER['REQUEST_METHOD'] == "POST") {
    session_name('myfriendsupport');
    session_start();
    if(($_SESSION['security_code'] == $_POST['security_code']) && (!empty($_SESSION['security_code'])) ) {
        // Insert you code for processing the form here
        $_SESSION['security_code'] = '';
        $_POST['security_code'] = '';
        $page = $_POST['attempt'];
        $moreinfno = $_POST['moreinfo'];
        $email = $_POST['email'];
        $server_stuff = $_POST['serverinfo'];
        if ($page != '' && $server_stuff != '') {
            ini_set("SMTP", "smtp.myfriend.com");
            $message = "A user has submitted a Page Not Found error report to you.
The page they were attempting to access is:
$page
More Info:
$moreinfo
Email:
$email
Please look into this matter promptly.
Thank you,
Your Trusty Web Server
Additional Server Information:
$server_stuff";
            mail("webmaster@myfriend.com", "Page Not Found Error Report", $message, "From: webmaster@myfriend.com");
        }
?>
<html>
<head>
<title>myfriend Widget Systems, Inc.</title>
</head>
<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
<table width="100%" height="69" border="0" cellpadding="0" cellspacing="0">
  <tr>
    <td height="50" align="center" background="../images/head_bg.gif">
      <table width="750" border="0" cellspacing="0" cellpadding="0">
        <tr>
          <td><a href="http://www.myfriendsdomain.com"><img src="../images/myfriend_header_logo.gif" width="200" height="50" border="0"></a></td>
        </tr>
      </table>
    </td>
  </tr>
  <tr>
    <td height="19" background="../images/nav_bg.gif"> </td>
  </tr>
</table>
<br>
<p align="center">Thank you, your report has been submitted.</p>
<p align="center">You may <a href="http://www.myfriendsdomain.com/">click here</a> to return to the main myfriend Widget, Inc. web site.</p>
</body>
</html>
<?
    } else {
?>
<html>
<head>
<title>myfriend Widget Systems, Inc.</title>
</head>
<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
<table width="100%" height="69" border="0" cellpadding="0" cellspacing="0">
  <tr>
    <td height="50" align="center" background="../images/head_bg.gif">
      <table width="750" border="0" cellspacing="0" cellpadding="0">
        <tr>
          <td><a href="http://www.myfriendsdomain.com"><img src="../images/myfriend_header_logo.gif" width="200" height="50" border="0"></a></td>
        </tr>
      </table>
    </td>
  </tr>
</table>
<br>
<p align="center">Sorry, you have provided an invalid security code.</p>
<p align="center"><input type="button" value="Go Back" onclick=history.go(-1)></p>
</body>
</html>
<?
        exit(0);
    }
} else {
    header("Location: http://www.myfriendsdomain.com");
    exit(0);
}
?>
Here is an example of the email being sent by the form handler:
From: mfwebmaster@myfriend.com
Date: December 28, 2006 12:30:21 PM CST
To: mfwebmaster@myfriend.com
Subject: Page Not Found Error Report
X-Ninja-Pim: Scanned by Ninja
X-Ninja-Attachmentfiltering: (no action)
Received: from mailca.myfriend.com ([111.111.111.12]) by foo-exch1.myfriend.com with Microsoft SMmfVC(6.0.3790.1830); Thu, 28 Dec 2006 10:30:30 -0800
Received: from mf-liv-sv3 ([111.111.1112.192]) by mailca.myfriend.com with Microsoft SMmfVC(6.0.3790.1830); Thu, 28 Dec 2006 10:30:30 -0800
Return-Path: mfwebmaster@myfriend.com
Message-Id: <foo-OWAjmMPqngL00000b3f@mailca.myfriend.com>
X-Originalarrivaltime: 28 Dec 2006 18:30:30.0134 (UTC) FILETIME=[40B09960:01C72AAE]
A user has submitted a Page Not Found error report to you.
The page they were attempting to access is:
E:/cmsapp/sitehttp://www.brazilian-transsexuals.com/members/amembers.html
More Info:
Email:
DELAGO
Please look into this matter promptly.
Thank you,
Your Trusty Web Server
Additional Server Information:
Array
We obviously took the form and its handler down, but before doing so I visited the form (first code snip above) and noticed the $_SERVER values on display indicate a Windows server with a lot of paths in the include path. Does this represent a security risk? I've never seen that many include folders in the PATH var before:
<form name="sub" action="http://www.myfriendsdomain.com/notfound_report.php" method="POST">
<input type="hidden" name="attempt" value="E:/cmsapp/site/nonexistent_page.foo" />
<input type="hidden" name="serverinfo" value="Array
(
[HTTP_ACCEPT] => */*
[HTTP_ACCEPT_LANGUAGE] => en-us
[HTTP_UA_CPU] => x86
[HTTP_ACCEPT_ENCODING] => gzip, deflate
[HTTP_USER_AGENT] => Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
[HTTP_HOST] => www.myfriendsdomain.com
[HTTP_CONNECTION] => Keep-Alive
[HTTP_COOKIE] => config=82441d87e406d787c27e3c2ccf3bf053; myfriendsupport=465e47d890b5ab8e6c93dd9ad2b19127
[PATH] => c:\program files\imagemagick-6.2.9-q16;C;\Windows\System32;C:\Windows\system32\WBEm;C:\Program Files\Dell\OpenManage\oma\bin;C:\Program Files\Dell\OpenManage\LU\bin;C:\Program Files\Dell\OpenManage\oldiags\bin;C:\Program Files\Dell\OpenManage\OMSA\bin;C:\Program Files\Dell\OpenManage\RAC\MN;C:\Program Files\Dell\OpenManage\Array Manager;e:\PHP;E:\amp\MySQL\MySQL Server 4.1\bin;C:\Program Files\OpenSSH\bin
[SystemRoot] => C:\WINDOWS
[COMSPEC] => C:\WINDOWS\system32\cmd.exe
[PATHEXT] => .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.VBS
[WINDIR] => C:\WINDOWS
[SERVER_SIGNATURE] => <address>Apache/2.0.54 (Win32) PHP/5.0.4 Server at www.myfriendsdomain.com Port 80</address>
[SERVER_SOFTWARE] => Apache/2.0.54 (Win32) PHP/5.0.4
[SERVER_NAME] => www.myfriendsdomain.com
[SERVER_ADDR] => 222.222.222.222
[SERVER_PORT] => 80
[REMOTE_HOST] => c-111-111-111-111.comcast.net
[REMOTE_ADDR] => 111.111.111.111
[DOCUMENT_ROOT] => E:/cmsapp/site
[SERVER_ADMIN] => sadams@myfriend.COM
[SCRIPT_FILENAME] => E:/cmsapp/site/notfound.php
[REMOTE_PORT] => 1519
[GATEWAY_INTERFACE] => CGI/1.1
[SERVER_PROTOCOL] => HTTP/1.1
[REQUEST_METHOD] => GET
[QUERY_STRING] =>
[REQUEST_URI] => /notfound.php
[SCRIPT_NAME] => /notfound.php
[PHP_SELF] => /notfound.php
[argv] => Array
(
)
[argc] => 0
)
" />
Please give us a little more information such as the page you were attempting<br>
to access or the location of the broken link:<br><br>
<center><textarea name="moreinfo" rows="10" cols="60"></textarea></center> <br><br>
Please give us your email address in case we need more information:<br><br>
<input type="text" name="email" size="40" >
<input type="submit" name="submit" value="Submit Report" />
</form>
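As an added example (not code from the post or from the developer it describes), here is how the same 404-report pair could be written so that nothing from $_SERVER reaches the browser, the hidden fields cannot be forged, and a POST that was not preceded by a freshly issued token is dropped instead of mailed. The session name, field names and mail addresses are taken from the post; the token scheme, the function names, the single-file layout and PHP 7+ are assumptions.

```php
<?php
// Added example, not the original developer's code: a hardened replacement for the
// 404 form and its handler. Session name, field names and addresses come from the post;
// the token scheme and function names are assumptions. Requires PHP 7+.
session_name('myfriendsupport');
session_start();

// 404 page: emit a one-time token instead of print_r($_SERVER), and keep the requested
// URI and referer server-side in the session rather than in client-editable hidden fields.
function render_404_form(): string
{
    $token = bin2hex(random_bytes(16));
    $_SESSION['security_code'] = $token;
    $_SESSION['attempt'] = $_SERVER['REQUEST_URI'] ?? '';
    $_SESSION['referer'] = $_SERVER['HTTP_REFERER'] ?? '';
    return '<form action="/notfound_report.php" method="POST">'
        . '<input type="hidden" name="security_code" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">'
        . '<textarea name="moreinfo" rows="10" cols="60"></textarea>'
        . '<input type="text" name="email" size="40">'
        . '<input type="submit" value="Submit Report"></form>';
}

// Handler: returns the mail body, or null when the token is missing or wrong.
function build_report(array $post, array $session, array $server): ?string
{
    $sent = (string) ($post['security_code'] ?? '');
    if (empty($session['security_code']) || !hash_equals($session['security_code'], $sent)) {
        return null;   // no rendered form behind this POST: a direct submission
    }
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) ?: '(none supplied)';
    // Flatten CR/LF and cap the length so free text cannot pose as headers or flood the mailbox.
    $more = substr(str_replace(["\r", "\n"], ' ', (string) ($post['moreinfo'] ?? '')), 0, 2000);
    // Only the few request facts a webmaster needs, read server-side, never from the client.
    $info = sprintf("Referer: %s\nUser-Agent: %s\nRemote: %s",
        ($session['referer'] ?? '') ?: '-', $server['HTTP_USER_AGENT'] ?? '-', $server['REMOTE_ADDR'] ?? '-');
    return "Page Not Found report\nRequested: " . ($session['attempt'] ?? '')
        . "\nMore info: $more\nEmail: $email\n\n$info\n";
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $body = build_report($_POST, $_SESSION, $_SERVER);
    unset($_SESSION['security_code'], $_SESSION['attempt'], $_SESSION['referer']); // single use
    if ($body !== null) {
        mail('webmaster@myfriend.com', 'Page Not Found Error Report', $body, 'From: webmaster@myfriend.com');
    }
} else {
    echo render_404_form();   // a GET reaching this file is the 404 page itself
}
```

The token is consumed whether or not it matched, so a replayed or scripted POST gets one attempt per rendered page and the mailbox only sees reports that a browser actually requested the 404 page for.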