#294634 - 07/03/2007 12:54
Web security help needed (injection exploit)
carpal tunnel
Registered: 12/11/2001
Posts: 7738
Loc: Toronto, CANADA
I have a fairly straightforward PHP script running the contact page on my site here: http://twistedmelon.com/contact/contact.php which is apparently being exploited to send out mail to arbitrary addresses (perhaps the sends are failing, but it's still trying to be exploited nonetheless). Recently I've been receiving a lot of bounced mail back to my domain, but it wasn't using a simple spoofed FROM address. I asked the support guys at Dreamhost to look into it for me and this is how they discovered what I mentioned above. The script/page doesn't allow any free-form input except the from address, subject and message body. The way a destination address is selected is by picking an entry from a pop-up menu that just contains a value for a simple variable. That value is not actually the address. That variable is then used internally in the script to pick an address. The destination addresses are hard-coded in the script and are processed only server-side. I didn't think this was exploitable but I'm no PHP or web security expert. Here's what Dreamhost staff wrote back to me:
Quote:
After further review, I take back the spoofing statement. It does actually seem like the spammers are exploiting a script on your account. From our mail logs, here is what I found about that specific email:
/var/log/mail.log:Mar 6 09:25:14 alondra postfix/pickup[6833]: 2CF7830538: uid=654843 from=<hybrid8>
/var/log/mail.log:Mar 6 09:25:14 alondra postfix/cleanup[5301]: 2CF7830538: message-id=<20070306172514.2CF7830538@alondra.dreamhost.com>
/var/log/mail.log:Mar 6 09:25:14 alondra postfix/cleanup[5301]: 2CF7830538: to=<unknown>, relay=none, delay=0, status=bounced (No recipients specified)
alondra: 0
which corresponds to this entry in your access log for twistedmelon.com:
/home/hybrid8/logs/twistedmelon.com/http/access.log:216.133.248.226 - - [06/Mar/2007:09:25:14 -0800] "POST /contact/contact.php HTTP/1.0" 200 0 "http://twistedmelon.com/contact/contact.php?to=sales&subject=Alternate%20Payment%20Gateway%20Requested" "Opera/9.0 (Windows NT 5.1; U; en)"
It looks like your contact form is getting exploited. Luckily we have put in a fix in our mod_security setup to stop this. However, you will need to turn ON mod_security in order for it to shield your contact script from common injection attacks. To turn on mod_security for your domain, just click "extra security" for your domain after you click the tool under the "web hosting" column.
Other than turning on this option they mention, is there any way to secure my script via the way it's written/implemented? I'd like to know if only for my own sanity. There may also be a problem with the Mint statistic tracking installation with this option set (which I'm about to confirm).
I can provide the source for the script in PM or email if anyone can help. Thanks.
#294635 - 07/03/2007 12:59
Re: Web security help needed (injection exploit)
[Re: hybrid8]
carpal tunnel
Registered: 24/12/2001
Posts: 5528
Do you actually fill in the From and Subject in the email headers with the stuff entered by the user?
#294636 - 07/03/2007 13:26
Re: Web security help needed (injection exploit)
[Re: tman]
carpal tunnel
Registered: 12/11/2001
Posts: 7738
Loc: Toronto, CANADA
I do fill in from and subject from what's entered in the form, but also pass through some validation. I've done some reading and testing. The From field is secure because of email validation I employ. Subject is secure because it's stripped of new lines by the mail function in PHP. The problem field turns out to be a Name field that I use for a person's plaintext name along with their address. I have to check what types of filters I put it through and adjust accordingly. This is what I've been reading for reference: http://www.securephpwiki.com/index.php/Email_Injection
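The header-injection issue tman and hybrid8 are discussing, as an added example that is not code from the thread or from the contact script: a From header built the way hybrid8 describes (the person's name plus their address from the form), once spliced in directly and once with the address validated and any CR/LF in either field rejected. The function names, the field names and the two sample submissions are assumptions made for this demo.

```php
<?php
// Added example (not code from the thread): the From header as hybrid8 describes
// building it, once without and once with a CR/LF check on the Name field.
// Function names, field names and the sample inputs are constructed for this demo.

// Vulnerable shape: the user's name is spliced straight into a header line, so a
// CR/LF inside it ends the From header and starts a new one.
function buildFromHeaderUnsafe(string $name, string $email): string
{
    return "From: $name <$email>\r\n";
}

// Hardened shape: the address must parse as exactly one mailbox, and no field that
// lands in a header may contain a bare CR or LF. Returns null on rejection so the
// caller can treat the field as empty, the way hybrid8's blankInject() does.
function buildFromHeaderSafe(string $name, string $email): ?string
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    if (preg_match('/[\r\n]/', $name) || preg_match('/[\r\n]/', $email)) {
        return null;
    }
    // Quote the display name so punctuation in it cannot change header syntax.
    $display = '"' . str_replace(['\\', '"'], ['\\\\', '\\"'], $name) . '"';
    return "From: $display <$email>\r\n";
}

// Constructed inputs: a normal submission and one carrying an extra header line.
$samples = [
    ['Jane Doe', 'jane@example.com'],
    ["Jane Doe\r\nX-Injected-Header: example", 'jane@example.com'],
];

foreach ($samples as [$name, $email]) {
    echo "--- name: " . json_encode($name) . "\n";
    echo "unsafe: " . json_encode(buildFromHeaderUnsafe($name, $email)) . "\n";
    echo "safe:   " . json_encode(buildFromHeaderSafe($name, $email)) . "\n";
}
```

Run with `php` on the command line: the unsafe output for the second sample shows the injected text sitting on its own header line, while the safe builder returns null for it and a quoted display name for the first.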
#294637 - 07/03/2007 13:58
Re: Web security help needed (injection exploit)
[Re: tman]
carpal tunnel
Registered: 12/11/2001
Posts: 7738
Loc: Toronto, CANADA
Ok, what I have done now was to create a function that checks for injected content by looking for \r and \n in passed variables. If found, I clear the variable. The function returns back the variable.
Therefore if anything has been injected into any of the fields that will be used in the mail function they will cause the form to fail and complain that nothing was entered into those form fields.
Please try it out if you have the chance. The only field I'm not checking is the message body, but I haven't been able to exploit it with this method.
#294638 - 07/03/2007 14:28
Re: Web security help needed (injection exploit)
[Re: hybrid8]
carpal tunnel
Registered: 19/01/2002
Posts: 3584
Loc: Columbus, OH
This is what I use:
Code:
    // Reject header-injection markers anywhere in the submitted fields.
    if (preg_match('/MIME-Version: /i', $email . $subject . $comments)) { die('Get out, spammer.'); }
    if (preg_match('/Content-type: /i', $email . $subject . $comments)) { die('Get out, spammer.'); }
    // A bare CR or LF in a single-line header field means someone is adding headers.
    if (preg_match('/[\r\n]/', $email))   { die('Get out, spammer.'); }
    if (preg_match('/[\r\n]/', $subject)) { die('Get out, spammer.'); }
    // Whole-string check that the address is one local-part@domain.tld built from
    // RFC 2822 atom characters. Originally ereg()/eregi(); those were removed in
    // PHP 7, so the same pattern is written for preg_match() here.
    if (!preg_match('/^[-!#$%&\'*+\\\\.\/0-9=?A-Z^_`a-z{|}~]+'
                  . '@[-!#$%&\'*+\\\\\/0-9=?A-Z^_`a-z{|}~]+\.'
                  . '[-!#$%&\'*+\\\\.\/0-9=?A-Z^_`a-z{|}~]+$/', $email)) {
        header("Location: http://www.mydomain.com/template/mailer_failure.php");
        exit();
    }
Where $email is their email address, $subject is subject, and $comments is the body of the message.
#294639 - 07/03/2007 14:53
Re: Web security help needed (injection exploit)
[Re: JBjorgen]
carpal tunnel
Registered: 12/11/2001
Posts: 7738
Loc: Toronto, CANADA
I'm using this function
Code:
    // Returns the value unchanged unless it contains a CR or LF, in which case it
    // is blanked so the form's existing empty-field check rejects the submission.
    // (eregi() in the original; removed in PHP 7, so preg_match() here.)
    function blankInject($value)
    {
        // Decodes %0D/%0A typed literally into a field. Note PHP has already
        // decoded normal form data, so this also turns a '+' into a space.
        $value = urldecode($value);
        if (preg_match('/[\r\n]/', $value)) {
            $value = "";
        }
        return $value;
    }
I call it like this:
    $vartocheck = blankInject($vartocheck);
Which essentially accomplishes the same thing. In this way I can act on the condition by using the mechanism I already have in place to prevent blank fields, thereby keeping the person on the form page. I have also implemented the same mechanism in our shopping cart for fields that are used in email as well as other fields. Those other fields wouldn't allow any email injection, but this hopefully prevents some auto-complete functions in browsers from inserting carriage returns and double addresses (which I've found a few of here and there). I'd really appreciate it if you guys could test both the contact form as well as the shop page. For the shop, as long as you don't process anything with PayPal you won't be affecting us nor getting charged anything. Just put a note into the notes field that says "empeg" or something so I know it's being tested by people here.
http://twistedmelon.com/contact/contact.php
http://twistedmelon.com/shop (you have to add a hardware item to see the address fields)
Thanks again for help.
#294640 - 07/03/2007 15:48
Re: Web security help needed (injection exploit)
[Re: JBjorgen]
carpal tunnel
Registered: 12/11/2001
Posts: 7738
Loc: Toronto, CANADA
Can either of you guys give me the regexp necessary to check for a substring and return back the number of times it occurs in a variable?
I'd like to check the body of the email for multiple occurrences of "http:" and then, based on how many it finds, reject the email as spam.
I'm getting spam delivered to all my mailboxes now through the contact form. 99% of it includes a ton of links.
#294641 - 07/03/2007 15:52
Re: Web security help needed (injection exploit)
[Re: hybrid8]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
The return value of preg_match_all() is the number of times it matches.
_________________________
Bitt Faulk
#294642 - 07/03/2007 16:05
Re: Web security help needed (injection exploit)
[Re: wfaulk]
carpal tunnel
Registered: 12/11/2001
Posts: 7738
Loc: Toronto, CANADA
I did a search right after posting and found substr_count which I used to accomplish what I wanted. Any drawback to that function?
In looking at all the spam that has come in this way this week, only two messages contain 3 or less http links.
I don't have any ideas right now on how to block everything. Those two messages did include HTML, so if I did a search for HTML tags I could also cut those out I suppose.
Bruno
#294643 - 07/03/2007 16:05
Re: Web security help needed (injection exploit)
[Re: hybrid8]
carpal tunnel
Registered: 30/04/2000
Posts: 3810
A paranoid solution to your problem.
Step 1: it's not what you reject, it's what you allow in. Rather than rejecting newlines, you should have a list of acceptable characters. Anything outside that list is converted to whitespace or escaped with %-notation or something.
Step 2: if you only want to support email to a small list of email addresses, then hardcode those in your script on the server side. If the web form mentions any address that's not in your list, ignore the user input and send it to a default address.
#294644 - 07/03/2007 16:13
Re: Web security help needed (injection exploit)
[Re: hybrid8]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
substr_count() is actually probably more efficient.
_________________________
Bitt Faulk
#294645 - 07/03/2007 16:36
Re: Web security help needed (injection exploit)
[Re: DWallach]
carpal tunnel
Registered: 19/01/2002
Posts: 3584
Loc: Columbus, OH
Quote: if you only want to support email to a small list of email addresses, then hardcode those in your script on the server side. If the web form mentions any address that's not in your list, ignore the user input and send it to a default address.
Dan, it's not the email address who the message is to, but the email address who it is from that is usually the problem. Because the headers are modified to make it look like the message has come directly from that email address, rather than the web server, spammers often use it to inject additional headers into the message.
Also, re: Step 1, the last regex in my tests does just that for email addresses. I can't take credit for coming up with it, but it will supposedly only allow RFC 2822 compliant addresses.
Bruno, you may want to check for the "Mime-Version: " and "Content-type: " keywords as well, since they are clear indications that someone is trying to use your script for spam. They should not be present in any legitimate message that's entered into your form.
_________________________
~ John
#294646 - 07/03/2007 17:15
Re: Web security help needed (injection exploit)
[Re: JBjorgen]
carpal tunnel
Registered: 12/11/2001
Posts: 7738
Loc: Toronto, CANADA
I'm going to add those two in the checks as well (content and mime). Thanks again everyone. I've added a substring match to block an href as well. We'll see how this goes.
Remember there were two issues. One was the exploit which was fixed by extra filtering on the fields for newlines and returns. And the other is just spammers sending ME spam through my own form. Which is what the substring matches were for.
The TO addresses are all hardcoded and as John mentioned, it's an injection attack using other fields. In the case of my form, only the Proper Name field was vulnerable on my script. I already handled the username & domain portion of the FROM (it had to be exactly ONE completely valid email address format at a resolvable domain).
With the added stuff it now also rejects content that would otherwise not cause a problem but that spammers might have tried anyway.
#294647 - 07/03/2007 17:55
Re: Web security help needed (injection exploit)
[Re: JBjorgen]
carpal tunnel
Registered: 30/04/2000
Posts: 3810
Quote: Dan, it's not the email address who the message is to, but the email address who it is from that is usually the problem.
Fair enough. My other point about having a list of allowed characters, rather than a list of forbidden characters, remains important, although I suppose all of this gets more complicated if you want to correctly deal with non-Western languages.
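An added example, not code from the thread or from twistedmelon.com, that puts the thread's recommendations into one request handler: DWallach's two steps (an allow-list for the name field rather than a list of forbidden characters, and recipients hard-coded server-side and selected by a key, as hybrid8's form already does), JBjorgen's MIME-Version/Content-type keyword check, and hybrid8's substr_count() link threshold and HTML check for the separate spam problem. Recipient keys, field names, the link threshold and the three sample submissions are constructed for the demo. The allow-list uses Unicode property classes with the `u` modifier so that non-Western names pass, which is one way to handle the complication raised in the post above.

```php
<?php
// Added example (not code from the thread): one handler applying the thread's
// advice together. Recipient keys, field names, threshold and samples are constructed.

// Destination addresses live only on the server; the form submits a key, never an
// address, and unknown keys fall back to a default (DWallach's step 2).
const RECIPIENTS = [
    'sales'   => 'sales@example.com',
    'support' => 'support@example.com',
];
const DEFAULT_RECIPIENT = 'sales';
const MAX_LINKS = 3;   // more "http:" occurrences than this is treated as spam

// Allow-list for the display name (DWallach's step 1): letters in any script,
// combining marks, digits, spaces and a few name punctuation characters. Anything
// else, including CR/LF, fails instead of being silently stripped. \z rather than $
// is used so a trailing newline cannot slip past the anchor.
function isAllowedName(string $name): bool
{
    return preg_match('/^[\p{L}\p{M}\p{N} .\'\-]{1,80}\z/u', $name) === 1;
}

// Fields that end up in a header may never contain a bare CR or LF.
function hasNewline(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Returns a list of rejection reasons; an empty list means the submission is clean.
function checkSubmission(array $post): array
{
    $reasons = [];
    $name    = $post['name']    ?? '';
    $email   = $post['email']   ?? '';
    $subject = $post['subject'] ?? '';
    $body    = $post['message'] ?? '';

    if (!isAllowedName($name)) {
        $reasons[] = 'name contains disallowed characters';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || hasNewline($email)) {
        $reasons[] = 'from address is not a single valid mailbox';
    }
    if (hasNewline($subject)) {
        $reasons[] = 'subject contains a newline';
    }
    // Header keywords in any field are a sign of an injection attempt (JBjorgen).
    $all = $name . "\n" . $email . "\n" . $subject . "\n" . $body;
    if (preg_match('/(MIME-Version|Content-Type)\s*:/i', $all)) {
        $reasons[] = 'mail header keyword found in a form field';
    }
    // Link-count heuristic for the spam problem (hybrid8, via substr_count()).
    if (substr_count(strtolower($body), 'http:') > MAX_LINKS) {
        $reasons[] = 'too many links in message body';
    }
    if (preg_match('/<\s*(a|img|br|p)\b/i', $body)) {
        $reasons[] = 'HTML in message body';
    }
    return $reasons;
}

// Resolves the form's "to" key to a hard-coded address; never trusts an address.
function resolveRecipient(?string $key): string
{
    return RECIPIENTS[$key] ?? RECIPIENTS[DEFAULT_RECIPIENT];
}

// Constructed submissions: one legitimate, one link-heavy, one with an injected header.
$submissions = [
    ['to' => 'sales', 'name' => 'José Müller', 'email' => 'jose@example.org',
     'subject' => 'Pricing question',
     'message' => 'Is the hardware kit still available? See http://example.org/ref'],
    ['to' => 'sales', 'name' => 'Promo', 'email' => 'promo@example.net',
     'subject' => 'Deals', 'message' => str_repeat("http://example.net/x ", 8)],
    ['to' => 'other', 'name' => "Eve\r\nContent-Type: text/html", 'email' => 'eve@example.net',
     'subject' => 'Hi', 'message' => 'hello'],
];

foreach ($submissions as $i => $post) {
    $reasons = checkSubmission($post);
    $verdict = $reasons ? 'REJECT: ' . implode('; ', $reasons) : 'OK';
    echo "submission $i -> " . resolveRecipient($post['to'] ?? null) . " : $verdict\n";
}
```

The first submission is accepted and routed to the sales address; the second is rejected on the link count; the third is rejected twice over (the name fails the allow-list because of the CR/LF, and the Content-Type keyword is found), and its unknown "to" key falls back to the default recipient rather than to anything the client supplied.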