Security ISSUE

mrbingo

If anybody could help me with this I would be really grateful.
I run a website in PHP.
Aware of the problems with mail() function I filter all strings passed through my messages to prevent being used for spamming.
Problem is somebody has found a way past my code and is merrily hijacking my formmail several dozen times a day.
The code is quite long but fairly straight forward:
Here it is

@extract($_POST);
$name = stripslashes($name);
$email = stripslashes($email);
$subject = stripslashes($subject);
$message = stripslashes($message);
$permission = stripslashes($join_mail);
$valid = true;
$dodgy_strings = array(
"content-type:"
,"mime-version:"
,"multipart/mixed"
,"bcc:"
);

function is_valid_email($email) {
return preg_match('#^{[a-z0-9.!#$%&\'*+-/=?^{_`{|}~]+@([0-9.]+|([^{\s]+.+[a-z]{2,6}))$#si',}}} $email);
}

function contains_bad_str($str_to_test) {
$bad_strings = array(
"content-type:"
,"mime-version:"
,"multipart/mixed"
,"Content-Transfer-Encoding:"
,"bcc:"
,"cc:"
,"to:"
);

foreach($bad_strings as $bad_string) {
if(eregi($bad_string, strtolower($str_to_test))) {
echo "Suspected injection attempt - mail not being sent.";
die( );
exit;
}
}
}

contains_bad_str($email);
contains_bad_str($subject);
contains_bad_str($message);

contains_newlines($email);
contains_newlines($subject);
contains_newlines($message);

if (! is_valid_email($email) ) {
echo "Invalid email submitted - mail not being sent. ";
$valid = false;
}
if($valid){
$to = "me@mywebsite.co.uk";

$headers = "From: $email";
echo "Thank you! your message has been received and will be dealt with as soon as possible.";
mail($to, $subject, $message, $headers);

I have attempted to replicate all mail injection methods I know but when I try of course the script stops me.
The email gets checked twice and I suspect the problem lies in the message field but I can't see where.
I really don't want to be part of this spamming but really need to have form mail can anyone help??

etully

Since you don't know exactly how they are exploiting your code, you need to figure that out first. Add some code at the top of your script that writes all of the posted variables to a text file. Be sure to do it at the top of your code, before you make any changes to their data. Then examine the text file to see precisely what they are posting. Once you know how they are doing it, then you'll be able to filter that out.

mrbingo

God that's really obvious! I can't believe I didn't think of that! I'll put this into effect straight away.
Hopefully it will reveal something.
May thanks.

Roger_Ramjet

One other thing, are you sure that the emails are not just spoofing your email addy and not actually being sent from your server?

mrbingo

😕 😕 It's definately not simple mail impersonation. I know this because the emails are coming through two similar pages that each go to different addresses. Besides I dumped the post vars to a text file :
Here's what it looks like ;
START

Name: to1359@somewhere.co.uk
Email: serem9960@somewhere.co.uk
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html
Subject: birthday, but before they must
bcc: minivinnie@livingwellidc.com

od in that the saying ath, to the pieceive boundream call ye men, thy not

68d248ae9f4dd07d68d22aa6418ba723
.

Subject: to1359@somewhere.co.uk
Message: to1359@somewhere.co.uk

END

You understand that I replaced my domain in this example with 'somewhere' to hide though I don't know why I bother. You can see that the injection takes place in the email field. This is weird because the regular expression checker should have dumped it right off.
The odd thing is that I altered the form to contain the values listed to see if I could repeat the security breach and guess what? The filter blocked it first time.
I am left scratching my head what to do.😕

etully

There is something different about the way you are testing than the way the spammer is exploiting. I suspect it has something to do with linebreaks. \n and \r

Your regexp is matching your test because you wrote the regexp based on the way you'd do the exploit. It can be hard to make it match the way the spammer is passing the data because they are doing it differently than you would. Dumping to a text file is good but it can be hard to see what they are doing with invisible characters like linebreaks. You might re-write your regexp so that it looks for a shorter string or an easier string to match. Maybe just look for "Content-Type" or something like that? It'll be a good start anyway.

mrbingo

you might be right but if you check out my
contains_bad_str function you will see that it checks for for content type and a few other strings using the eregi function

function contains_bad_str($str_to_test) {
$bad_strings = array(
"content-type:"
,"mime-version:"
,"multipart/mixed"
,"Content-Transfer-Encoding:"
,"bcc:"
,"cc:"
,"to:"
);

foreach($bad_strings as $bad_string) {
if(eregi($bad_string, strtolower($str_to_test))) {
echo "Suspected injection attempt - mail not being sent.";
die( );
exit;
}

This is what you are suggesting I do isn't it?
Anyway I've thrown the towel in. I've swallowed my pride and decided to use a thrid party class called phpmailer which has built in security. Time will tell whether the spammer can get past that...
Thanks for all your help though.🙂