
02-08-2006, 05:56 AM
WebProWorld Pro
Join Date: Sep 2005
Location: Manchester, UK
Posts: 257
PHP Email Injection
Hi,
I am attempting to secure a PHP form from email injection. I think I have a working solution but am unable to test it since I'm not sure how to inject additional headers in the first place. I've read many tutorials about adding %0A for newlines then Bcc addresses etc., but none of them work on my server.
I know this is probably asking someone for information that can be used by potential spammers, but has anybody found any information about successful injection attacks? This is solely for the purpose of testing my script; I am not some dirty hacker scum wanting to spam people. Most of this info is probably public knowledge anyway, so one more posting won't make much difference.
Before anyone replies, please don't suggest that I just use a secure version of formmail; this is not just about getting one application to work. I want to fully understand the threat so I can counter it.
Thanks,
Mike

02-08-2006, 01:12 PM
WebProWorld Pro
Join Date: Sep 2005
Location: Manchester, UK
Posts: 257
No takers on this one???
I realise I am asking for information that could potentially be used to hack email scripts, but if I can't test for a vulnerability how can I be sure that my script is safe from attack?
Also, my failure to reproduce an injection attack on my server should not be taken as a sign that my server is safe from attack. The original version of the form I am trying to secure (not written by myself) has already been misused by spammers, and we're not eager to see this happen again.
Thanks in advance
Mike

02-09-2006, 12:54 PM
WebProWorld Veteran
Join Date: Aug 2003
Location: Cornwall, UK
Posts: 833
Have a read of http://seo.anthonyparsons.com/forum/thread966.html; it links out to explanations of how the attacks work and fixes for the problem. You should be able to find what you need there.

02-09-2006, 04:56 PM
WebProWorld Pro
Join Date: Sep 2005
Location: Manchester, UK
Posts: 257
Cheers, you're a star, I was starting to think I was being ignored!!
Mike

02-09-2006, 08:56 PM
WebProWorld Veteran
Join Date: Jul 2003
Location: United Kingdom
Posts: 485
PHP Email Injection
Hi mikesmith76,
Try NMSFormMail, http://nms-cgi.sourceforge.net/scripts.shtml, updated recently to exclude spammers.
It works, and if you know PHP you can play.
If not, you have feedback as it is open source.
Have fun out there
Keimos

02-09-2006, 09:24 PM
WebProWorld 1,000+ Club
Join Date: Oct 2003
Location: Encinitas, CA
Posts: 1,908
Basically, you want to strip tags and you want to block newline feeds. Also, I would suggest an "if" statement: when the email domain is the same as the site's domain, it kills the script. This will prevent them from launching spam using your web site as the domain.
So, for any text box input, be sure to strip the tags, block the newlines and disallow the domain name being the same as the site's domain.
One last thing, change the name of the PHP files so that they aren't obviously for an email script. For instance, instead of sendmail.php use wehtkd.php. It doesn't matter what, just avoid words like send, mail, contact, etc.
__________________
DrTandem's San Diego Web Page Design, drtandem.com

02-10-2006, 03:05 AM
WebProWorld Pro
Join Date: Sep 2005
Location: Manchester, UK
Posts: 257
Thanks for all your comments. DrTandem1, I'm stripping newlines and CC/BCC/Content-Type headers from the input text, so I've got that part covered, but I need some clarification on your first suggestion. When you say check the email domain, do you mean the domain of the input email address?
Keimos, my purpose is not to use somebody else's tool to create a contact form; I want to secure my own script so I fully understand how it works. As I said in the original post, please don't just suggest I use a secure version of formmail.
Thanks for your time everybody, it's really appreciated.

02-10-2006, 03:47 AM
WebProWorld Veteran
Join Date: Aug 2003
Location: Cornwall, UK
Posts: 833
It's common for the spam to be sent with a reply address within your domain, so if the contact form was on webproworld.com then the email address they would enter for you to contact them by would be something at webproworld.com.

02-10-2006, 04:05 AM
WebProWorld Pro
Join Date: Sep 2005
Location: Manchester, UK
Posts: 257
Thought that's what was meant, thanks for clarifying the issue. speed, you seem to have had some experience with this problem (if you are the same speed that posted in the other forum in the link you provided); have you ever seen any tools that can test an email script for vulnerabilities?

02-10-2006, 04:17 AM
WebProWorld Veteran
Join Date: Aug 2003
Location: Cornwall, UK
Posts: 833
Yes it's me on both forums and yes I've had some experience with this.
Due to the way I built our form code, it was happily packing up the spam attempt and emailing it to the site owner as it would any other contact, but it virtually always used an email address within the domain that was being attacked. This caused queries from lots of my clients about what the gibberish was.
I've not seen a tool, but in this case you can inject the attack yourself and see what happens. If you've got, say, 3 input fields, try injecting the attack via all 3 fields. Also don't rely on JavaScript at all, as this seems to be a bot hitting the contact script directly.

02-10-2006, 05:15 AM
WebProWorld Pro
Join Date: Sep 2005
Location: Manchester, UK
Posts: 257
No, all my validation is done in PHP on the server. The problem is I read the links you mentioned, about inserting a new line with 0x0A, and the server just ignored the entire email. However, the script in question is vulnerable as it has already been attacked previously, so somebody must be getting it to work.
Just one more comment: am I correct in assuming that I only need to validate data that will end up in the header, i.e. the message body is safe from attack?

02-10-2006, 05:46 AM
WebProWorld Veteran
Join Date: Aug 2003
Location: Cornwall, UK
Posts: 833
Yes, it's a header injection attack; I've not managed to inject data through the body ... yet.
You can always write a bit of PHP to use cURL to attack the script yourself, or create a test harness to wrap around the modules that do the validation and mailing; this will allow you to control exactly what data is supplied to the routines under test.
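The header-injection mechanism and the test harness described in the post above, as an added example that is not code from this thread or from any of the scripts it links to. It shows what a line break in a header-bound field does to the header block that mail() hands to the MTA, a validator that rejects such input, and a harness that runs constructed payloads through both, with a cURL function for hitting a live handler. The function names, the payload list and the field name `email` are my own assumptions. One fact worth knowing when reading the payload list: typing "%0A" into a browser form field does not produce a line break on the server, because the browser percent-encodes the "%" itself, so the script receives the three literal characters; only a client that sends the raw bytes (or their encoding %0D%0A, which PHP decodes before the script runs) produces an injection.

```php
<?php
// Added example; not code from the thread. Shows what a header-injection
// payload does to the headers mail() hands to the MTA, a validator that
// rejects it, and a harness that feeds constructed payloads through both.
// Function names, the payload list and the field name 'email' are my own.

// The vulnerable pattern: the user-supplied address is concatenated straight
// into mail()'s additional_headers argument. Returns the header block instead
// of sending, so it can be inspected.
function headers_unsafe(string $from, string $subject): string
{
    return "Subject: $subject\r\nFrom: $from\r\nReply-To: $from\r\n";
}

// Lists header names found at the start of a line in an assembled header
// block, i.e. the extra recipients/headers an MTA would honour. A bare CR is
// split too; whether a given MTA treats it as a line end varies.
function injected_header_names(string $headers): array
{
    $names = [];
    foreach (preg_split('/\r\n|\r|\n/', $headers) as $line) {
        if (preg_match('/^(bcc|cc|to|content-type):/i', $line, $m)) {
            $names[] = strtolower($m[1]);
        }
    }
    return array_values(array_unique($names));
}

// A value bound for a header may contain no line break at all. The second
// test is belt and braces for scripts that urldecode() the value a second time.
function header_field_is_safe(string $value): bool
{
    if (preg_match('/[\r\n]/', $value)) {
        return false;
    }
    if (preg_match('/%0[ad]/i', $value)) {
        return false;
    }
    return true;
}

// Hardened version: null means "do not send". The message body is passed to
// mail() as its own argument, never inside the headers, so it needs no check here.
function headers_safe(string $from, string $subject): ?string
{
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    if (!header_field_is_safe($from) || !header_field_is_safe($subject)) {
        return null;
    }
    return "Subject: $subject\r\nFrom: $from\r\nReply-To: $from\r\n";
}

// Constructed payloads, as a bot delivers them after PHP has URL-decoded the
// request. The last one is what typing "%0A" into a browser form produces:
// the browser encodes the percent sign, so the script sees no line break.
function injection_payloads(): array
{
    return [
        'plain address'     => "alice@example.com",
        'LF + Bcc'          => "alice@example.com\nBcc: spam1@example.net, spam2@example.net",
        'CRLF + Bcc'        => "alice@example.com\r\nBcc: spam1@example.net",
        'CR + Cc'           => "alice@example.com\rCc: spam1@example.net",
        'CRLF + new body'   => "alice@example.com\r\nContent-Type: text/plain\r\n\r\nBuy now",
        'literal %0A typed' => "alice@example.com%0ABcc: spam1@example.net",
    ];
}

// In-process harness: what the unsafe headers would add, and what the
// hardened builder decides, for every payload.
function run_harness(): array
{
    $results = [];
    foreach (injection_payloads() as $label => $from) {
        $results[$label] = [
            'unsafe_adds' => injected_header_names(headers_unsafe($from, 'Contact form')),
            'hardened'    => headers_safe($from, 'Contact form') === null ? 'rejected' : 'accepted',
        ];
    }
    return $results;
}

// speed's suggestion of attacking the live script with cURL. http_build_query()
// encodes the line breaks as %0D%0A, exactly as a spam bot's request does.
function post_payloads(string $url, string $field): array
{
    $responses = [];
    foreach (injection_payloads() as $label => $value) {
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_POST           => true,
            CURLOPT_POSTFIELDS     => http_build_query([$field => $value, 'message' => 'harness']),
            CURLOPT_RETURNTRANSFER => true,
        ]);
        $responses[$label] = curl_exec($ch);
        curl_close($ch);
    }
    return $responses;
}

if (PHP_SAPI === 'cli') {
    print_r(run_harness());                        // offline: validator only
    if (isset($argv[1])) {
        print_r(post_payloads($argv[1], 'email')); // php harness.php https://your.site/handler.php
    }
}
```

Run offline, `run_harness()` reports that the "plain address" payload is accepted and adds nothing, the four real line-break payloads add `bcc`, `cc` or `content-type` headers through the unsafe builder and are rejected by the hardened one, and the "literal %0A typed" payload adds nothing even through the unsafe builder (it is also rejected, because it is not a valid address). Pointing `post_payloads()` at a live handler sends the same set over HTTP; the handler's own mail log is where to look for extra recipients, as the HTTP response rarely shows them.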

02-10-2006, 09:31 PM
WebProWorld Veteran
Join Date: Jul 2003
Location: United Kingdom
Posts: 485
PHP Email Injection
Hi Mike,
Sorry you took it the wrong way about the formmail suggestion.
Have a look, learn and then contact them; they have already spent the time learning what you are trying to find out.
I am not a coder but they are; bite the bullet and contact them, as you may benefit from the shared experience.
As before, have fun out there. Learn and understand, or do you need >>>>>>>>>>>> http://nms-cgi.sourceforge.net/scripts.shtml a pointer in the right direction.
This forum provides really good advice, but ignore what you might think are ignorant suggestions at your own peril, because life is about learning from others, so do it.
Think, Learn, Do
Keimos

02-11-2006, 12:19 AM
WebProWorld Veteran
Join Date: Apr 2004
Location: Donegal, Ireland.
Posts: 322
The first rule about any form or PHP, Perl, ASP script etc. is never, and I mean NEVER, trust user input.
First step, referrer header: check the referrer first; if it's not from your site, dump it to a black hole.
If someone has the referrer header turned off then they know why they turned it off, and if they want to submit data via a form they will turn it back on.
Step two, validate the data you expect. If it's numeric, run the input through is_numeric() or similar functions; if it is, then still don't trust it, run that through a regex to see if it's in the format you expect, i.e. social security numbers adhere to a format. A little search on Google will turn up many regular expressions you don't need to code or even understand.
Validate the input versus what you expect to obtain from the form field. If you are expecting an email address then make sure that you run it through a regex that contains a character before a . before possibly another . then the @ symbol then three to four alphanumeric characters; as I mentioned above, there are many freely available.
I could go on and on, but you get the idea: regular expressions are your friend, and everyone who submits your form is an enemy until proved otherwise.
Formmail and most other "off the shelf" solutions work to a point, but if you have a complicated form then you are better off programming it yourself and validating EVERY field against the expected data.
When you delve under the hood you will find that the net is a nasty place; leave a potential exploit and someone will run a ton of script-kiddie scripts against it.
You might think that if you have a select box with 30 options then they have to submit one of the thirty options. Think again.
Trust absolutely NOTHING that can be submitted via a form, at least not until you are sure you are getting data in the format that you expect.
Don't, don't, and I mean don't, ever use JavaScript for validation.
If someone really goes to the bother of actually submitting valid data via a script, you can always use a visual confirmation code.
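The per-field validation the post above argues for, written out as an added example that is not code from this thread: every field is checked against the shape the form is expected to deliver (a select box against its own option list, since the HTML constrains nothing a bot sends), header-bound fields are refused any line break, and the reply address is refused when it claims the site's own domain, which is the check DrTandem1 and speed describe earlier in the thread. The field specification, `SITE_DOMAIN` and the two sample submissions are my own assumptions.

```php
<?php
// Added example, not from the thread: validate every field against what the
// form is expected to deliver, and refuse a reply address on our own domain.
// The field spec, SITE_DOMAIN and the two sample submissions are my own assumptions.

const SITE_DOMAIN = 'example.com';   // assumed: the domain the form is served from

// Allowed shape of each field. A select box is checked against its own option
// list, because the HTML <select> constrains nothing: a bot posts whatever it likes.
function contact_form_spec(): array
{
    return [
        'name'    => ['type' => 'text',  'max' => 80],
        'email'   => ['type' => 'email'],
        'phone'   => ['type' => 'regex', 'pattern' => '/^\+?[0-9 ]{7,20}$/'],
        'subject' => ['type' => 'enum',  'options' => ['Sales', 'Support', 'Other']],
        'message' => ['type' => 'body',  'max' => 4000],
    ];
}

// Returns null when the value is acceptable, otherwise the reason it is not.
function validate_field(string $name, array $rule, $value): ?string
{
    if (!is_string($value)) {
        return "$name: not a string";            // field[]=... arrives as an array
    }
    switch ($rule['type']) {
        case 'text':                             // ends up in a header (the From name)
            if (preg_match('/[\r\n]/', $value)) {
                return "$name: line break not allowed";
            }
            return strlen($value) > $rule['max'] ? "$name: too long" : null;
        case 'email':
            if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
                return "$name: not a valid address";
            }
            $domain = strtolower(substr(strrchr($value, '@'), 1));
            return $domain === SITE_DOMAIN ? "$name: reply address claims our own domain" : null;
        case 'regex':
            return preg_match($rule['pattern'], $value) === 1 ? null : "$name: wrong format";
        case 'enum':
            return in_array($value, $rule['options'], true) ? null : "$name: not one of the offered options";
        case 'body':                             // body text only; line breaks are fine here
            return strlen($value) > $rule['max'] ? "$name: too long" : null;
        default:
            return "$name: no rule for type {$rule['type']}";
    }
}

// Validates a whole submission. Fields not in the spec are never looked at,
// so nothing unexpected is forwarded to the mailer.
function validate_submission(array $post): array
{
    $errors = [];
    foreach (contact_form_spec() as $name => $rule) {
        if (!isset($post[$name])) {
            $errors[] = "$name: missing";
            continue;
        }
        $error = validate_field($name, $rule, $post[$name]);
        if ($error !== null) {
            $errors[] = $error;
        }
    }
    return $errors;   // empty array means it is safe to build the message
}

// Constructed submissions: one genuine, one shaped like the spam runs described
// in the thread (reply address on the site's own domain, a header in the name,
// a select value that was never offered).
$genuine = [
    'name'    => 'Alice Smith',
    'email'   => 'alice@mail.example.net',
    'phone'   => '+44 161 000 0000',
    'subject' => 'Sales',
    'message' => "Hello,\nplease call me back.",
];
$spam = [
    'name'    => "Bob\r\nBcc: spam1@example.net",
    'email'   => 'webmaster@example.com',
    'phone'   => '1; DROP',
    'subject' => 'Bcc: spam2@example.net',
    'message' => str_repeat('Buy now ', 1000),
];

if (PHP_SAPI === 'cli') {
    print_r(validate_submission($genuine));   // empty array
    print_r(validate_submission($spam));      // one reason per field
}
```

The spec-driven shape matters more than any single rule: adding a field to the form means adding a line to `contact_form_spec()`, and a field that is posted but not in the spec is simply never read, so a bot cannot smuggle an extra parameter into the mailer. The referrer check from the post is deliberately left out; it is discussed further down the thread.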

02-11-2006, 03:28 AM
WebProWorld Pro
Join Date: Sep 2005
Location: Manchester, UK
Posts: 257
Quote:
Sorry you took it the wrong way about the formmail suggestion.
Keimos, I did appreciate that you took the time to post; it's just that I don't want to rely on a pre-written script because if it breaks I am at the mercy of someone else, not really good from a business point of view. And thanks for the link, I'll have a read over that.
Easywebdev, vivekar, thanks both for your suggestions. I'll have to discuss it with my boss on Monday, but I think the visual confirmation code may be a good way to stop it once and for all.
And DrTandem1, speed, thanks for all your help too, you've all been great!
Mike

02-11-2006, 04:03 AM
WebProWorld Veteran
Join Date: Aug 2003
Location: Cornwall, UK
Posts: 833
Quote:
Originally Posted by Easywebdev
First step, referrer header: check the referrer first; if it's not from your site, dump it to a black hole.
If someone has the referrer header turned off then they know why they turned it off, and if they want to submit data via a form they will turn it back on.
Not so; Norton Internet Security used to, and I assume still does, ship with the referrer header turned off by default.
Those users probably installed Norton direct from the box and have never looked at the options; they can't submit your form and probably have no idea why or how to enable referrer information.
It's also not exactly hard to fake the referrer, and then that check is worthless. In my opinion it's better to concentrate on validating the data rather than risk losing paying customers because you require they reconfigure their firewall to talk to you.

02-11-2006, 06:19 AM
WebProWorld Pro
Join Date: Sep 2005
Location: Manchester, UK
Posts: 257
Quote:
Not so; Norton Internet Security used to, and I assume still does, ship with the referrer header turned off by default.
Those users probably installed Norton direct from the box and have never looked at the options; they can't submit your form and probably have no idea why or how to enable referrer information.
It's also not exactly hard to fake the referrer, and then that check is worthless. In my opinion it's better to concentrate on validating the data rather than risk losing paying customers because you require they reconfigure their firewall to talk to you.
Well, I think the form is pretty secure so far; I haven't included the referrer check though, just input validation. First night after doing it I had four spam attempts, nothing since then, so hopefully all good.

02-14-2006, 08:45 PM
WebProWorld Veteran
Join Date: Jul 2003
Location: United Kingdom
Posts: 485
PHP Email Injection
Hi Mike,
There is a referrer in Formmail, yes, back onto that. (Please talk or email these guys and let us know how you get on.)
And surprisingly there are ASP programs that do the same job (and secure).
The original Formmail was not secure, and that is why it was taken over and developed by people like yourself.
In no way am I suggesting that you compromise your own program/email script, but learn. There are only so many ways that things can be done, especially in a programming environment that will perform what you want without any compromise.
Security is always going to be there as an issue, but that depends on the site you are working for. Financial transactions require the utmost (SSL), and then drop down to the other requirements. How do you stop stuff as a company when you are advertising all your contact information as far as you can? As an individual you have some control, but when in business you can limit some avenues, control others and then have to accept the rest.
You may not be able to stop all stuff at source, but you can snuff it out when it gets to you.
I may be reading too much into this, but you have a form and you want to stop spammers.
1. Top rated company
2. Are you a target
3. A minority
4. A business
5. Exclusive
6. Want customers
7. Not a significant problem as I have the Antivirus, spyware and email filters to deal with it.
I know that the emphasis may have changed by the above questions, but what are you really looking for that has not already been done?
A thought on the wild side
Keimos