[nycphp-talk] worm/virus's hammering feedback scripts?
Billy Reisinger
mail at billyreisinger.com
Sun Sep 11 11:09:14 EDT 2005
Rolan:
Follow Ken's advice immediately. To me, it looks like they DID
succeed in hacking your mail script. I got the same email from one
of my scripts, and I found out the next day that my hosting company
had shut down my website - AOL called them to complain of tons of
spam coming from my domain, and threatened to blacklist them.
The hack is accomplished by injecting code into one of your fields;
you have to check for line breaks and other suspicious stuff (like
Bcc: headers) to make sure that someone isn't trying to inject
additional recipients into the script.
Here's a great page, detailing how the hack is accomplished:
http://securephp.damonkohler.com/index.php/Email_Injection
Hope this helps!
Take care,
Billy Reisinger
On Sep 11, 2005, at 9:50 AM, Ken Robinson wrote:
> At 09:34 AM 9/11/2005, Rolan Yang wrote:
>
>> A few of my web-based feedback (contact.php) scripts have been getting
>> hammered with some sort of spam or bot net attack over the past week.
>> The scripts are running on different servers at different web hosts, but
>> the garbage coming in has been the same. The "from" field is filled in
>> with random lower case letters like "kljaogr at domain.com" where "domain"
>> is the website address. The body field contains the same email address.
>>
>> Sometimes "Content-Type: multipart/mixed; boundary=\"===============083392.."
>> is appended to the email address in both the "from:" field and also the
>> body.
>>
>> The submissions are coming from different IPs all over the world.
>> Has anyone else been experiencing anything similar?
>>
>
> Yes. I use the following function
>
> function checkit($name) {
>     // strip raw and URL-encoded line breaks plus header keywords,
>     // case-insensitively, so a value cannot start a new header line
>     return str_ireplace(array("\r", "\n", "%0A", "%0D",
>         "Content-Type:", "BCC:"), "", $name);
> }
>
> to render their attempts harmless.
>
> I use the above function with:
>
> $from = '"' . stripslashes(checkit($_POST['contactname'])) . '" <' .
> stripslashes(checkit($_POST['Email'])) . '>';
> $to = "kenrbnsn at kis-web-design.com";
> $headers = "From: " . $from . "\r\n";
> $headers .= "Reply-To: " . stripslashes(checkit($_POST['Email'])) .
> "\r\n\r\n";
> @mail($to, "Subject goes here", $mail_body, $headers);
>
> They are still trying, but they aren't succeeding in doing anything
> malicious. One of the attempts even put their code in my message
> textarea, which wouldn't have done anything anyway since it was in
> the body of the mail message.
>
> Ken
>
> _______________________________________________
> New York PHP Talk Mailing List
> AMP Technology
> Supporting Apache, MySQL and PHP
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org
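Added example, not code from the thread or from Ken's script: a PHP contact-form handler that rejects (rather than strips) any value containing the line breaks and header keywords Billy describes, run against inputs modelled on the submissions Rolan reports. The field names `contactname`, `Email` and `message`, the `example.com` addresses and the function names are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Field names contactname, Email and
// message are assumed to match the contact.php form being discussed.

/**
 * True when $value can be placed in a single mail header line.
 * Any raw or URL-encoded CR/LF, a NUL byte, or a header keyword that only
 * makes sense after a line break is treated as an injection attempt.
 */
function isSafeHeaderValue(string $value): bool
{
    if (preg_match('/[\r\n\0]/', $value)) {
        return false;                       // raw line break: would start a new header line
    }
    if (preg_match('/%0[aAdD]/', $value)) {
        return false;                       // %0A / %0D smuggled in for a later decode step
    }
    $headerWords = '/\b(?:to|cc|bcc|content-type|mime-version|content-transfer-encoding)\s*:/i';
    if (preg_match($headerWords, $value)) {
        return false;                       // e.g. "Bcc:" or "Content-Type: multipart/mixed"
    }
    return true;
}

/** A single, syntactically valid address with no header-breaking characters. */
function isValidEmail(string $email): bool
{
    return isSafeHeaderValue($email)
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

/**
 * Validate the posted fields and, only if they are clean, hand them to mail().
 * Returns an array so the caller can log or show an error without ever
 * building headers from rejected input. $dryRun skips the actual send.
 */
function handleContactForm(array $post, string $to, bool $dryRun = false): array
{
    $name    = trim((string)($post['contactname'] ?? ''));
    $email   = trim((string)($post['Email'] ?? ''));
    $message = trim((string)($post['message'] ?? ''));

    if ($name === '' || !isSafeHeaderValue($name) || !isValidEmail($email)) {
        error_log('contact form: rejected submission with suspicious header content');
        return ['sent' => false, 'reason' => 'invalid name or e-mail address'];
    }

    // The submitter only ever appears in Reply-To; From stays a fixed address
    // on the site, so no user-controlled text reaches the From header.
    $headers = "From: contact-form@example.com\r\n"
             . "Reply-To: " . $email . "\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";
    $body = "From: " . $name . " <" . $email . ">\n\n" . $message;

    if ($dryRun) {
        return ['sent' => true, 'headers' => $headers];
    }
    return ['sent' => mail($to, 'Contact form submission', $body, $headers)];
}

// Constructed samples modelled on the submissions described in the thread.
$samples = [
    'clean address'         => 'kljaogr@example.com',
    'appended Content-Type' => "kljaogr@example.com\nContent-Type: multipart/mixed; boundary=\"===============083392\"",
    'encoded Bcc'           => 'kljaogr@example.com%0ABcc:someone@example.net',
];
foreach ($samples as $label => $email) {
    $result = handleContactForm(
        ['contactname' => 'Visitor', 'Email' => $email, 'message' => 'hello'],
        'owner@example.com',
        true
    );
    printf("%-22s %s\n", $label . ':',
        $result['sent'] ? 'accepted' : 'rejected (' . $result['reason'] . ')');
}
```

Rejecting is preferable to stripping because a stripped value (Ken's `checkit` approach) silently turns an attack into a mangled but delivered message, whereas a rejected one can be logged and counted, which is how the spike Rolan describes would show up in a server's logs. Keeping the submitter's address out of the From header and in Reply-To also means the only header line built from user input is one that has already passed `FILTER_VALIDATE_EMAIL`.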