Thread: https://forums.phpfreaks.com/topic/171045-solved-beta-php-script/page/2/

sawade (Author), posted September 7, 2009:
Added some more to the robots file.
darkfreaks, posted September 7, 2009:
What did you add? It is still vulnerable.
sawade (Author), posted September 9, 2009:
Disallowed certain files... did some more today to the .htaccess file. Boss said it's done. How many attacks is it at now??? Thanks.
darkfreaks, posted September 9, 2009:
One attack:

Affected Items: /secureforms/forms/demo/hipaaprivacy.php
(POST lname=&fname=&mname=&ssn=987-65-4329&dobmon=&dobday=&dobyr=&sign=&email=sample%40email%2Etst&papercopy=Yes&verify=&submit=Send%20to%20Doctor)
sawade (Author), posted September 10, 2009:
Hmm, I wonder why that form is vulnerable. It is coded the same way as all the others. Hmmm.
darkfreaks, posted September 10, 2009:
In the robots.txt file, do you have

User-agent: *
Disallow: /secureforms/forms/demo/hipaaprivacy.php

User-agent: *
Disallow: secureforms/forms/demo/hipaaprivacy.php

User-agent: *
Disallow: /forms/demo/hipaaprivacy.php

User-agent: *
Disallow: forms/demo/hipaaprivacy.php

User-agent: *
Disallow:/demo/hipaaprivacy.php

User-agent: *
Disallow: demo/hipaaprivacy.php

User-agent: *
Disallow: demo/hipaaprivacy.php

User-agent: *
Disallow: hipaaprivacy.php

One of these is bound to work.
sawade (Author), posted September 10, 2009:
Disallow: /secureforms/forms/demo/hipaaprivacy.php

I do it like this, as well as each folder by hierarchy, as well as listing each form. I changed it so that each folder is under a new User-agent: *
darkfreaks, posted September 10, 2009:
To exclude all robots from the server:

User-agent: *
Disallow: /

Try this.
sawade (Author), posted September 10, 2009:
Have it.
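The robots.txt rules traded above are advisory: they change what a cooperating crawler asks for, and a scanner that POSTs to hipaaprivacy.php never reads them. What each rule actually matches is still worth checking, because several of the variants are malformed. The script below is an added example written for this page, not code from the thread; it feeds constructed robots.txt texts modelled on the posts above to the Python standard library's urllib.robotparser and reports whether a crawler identifying itself with a given user agent would fetch the form. The host example.test is a placeholder.

```python
from urllib.robotparser import RobotFileParser

SITE = "http://example.test"  # placeholder host, assumed for the example
TARGET = SITE + "/secureforms/forms/demo/hipaaprivacy.php"


def allowed(robots_txt, user_agent, url=TARGET):
    """Parse a robots.txt text and report whether a crawler identifying as
    user_agent may fetch url. Only honest crawlers consult this file; a
    scanner posting to the form does not."""
    rp = RobotFileParser()
    rp.modified()  # mark the rules as loaded; can_fetch() refuses otherwise
    rp.parse(robots_txt.splitlines())
    return rp.can_fetch(user_agent, url)


# Constructed robots.txt inputs modelled on the variants in the thread.
FULL_PATH = "User-agent: *\nDisallow: /secureforms/forms/demo/hipaaprivacy.php\n"
NO_LEADING_SLASH = "User-agent: *\nDisallow: demo/hipaaprivacy.php\n"
BLOCK_ALL = "User-agent: *\nDisallow: /\n"
# One folder per group, each under its own "User-agent: *" line
SPLIT_GROUPS = ("User-agent: *\nDisallow: /secureforms/\n\n"
                "User-agent: *\nDisallow: /forms/\n")
# Let Google in, keep everyone else out
ALLOW_GOOGLE = "User-agent: Google\nDisallow:\n\nUser-agent: *\nDisallow: /\n"


def report():
    """Map each constructed case to whether the fetch would be allowed."""
    return {
        "full path, any crawler": allowed(FULL_PATH, "*"),
        "no leading slash, any crawler": allowed(NO_LEADING_SLASH, "*"),
        "block all, any crawler": allowed(BLOCK_ALL, "*"),
        "split groups, first group's folder": allowed(SPLIT_GROUPS, "*", TARGET),
        "split groups, second group's folder": allowed(
            SPLIT_GROUPS, "*", SITE + "/forms/demo/x.php"),
        "allow Google: Googlebot": allowed(ALLOW_GOOGLE, "Googlebot/2.1"),
        "allow Google: other crawler": allowed(ALLOW_GOOGLE, "SomeCrawler/1.0"),
    }


if __name__ == "__main__":
    for name, ok in report().items():
        print("%-40s %s" % (name, "allowed" if ok else "disallowed"))
```

Two things this surfaces: a Disallow path without a leading slash matches nothing, because matching is a prefix test against the request path; and this parser honours only the first User-agent: * group, so a file with one group per folder (as sawade describes above) loses every group after the first, while other crawlers merge them. Neither behaviour should carry any security weight, since the form handler is reachable regardless.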
darkfreaks, posted September 10, 2009:
Apparently it is recognizing that there is a hole in the email input on the form.
sawade (Author), posted September 10, 2009:
Okay... email input field... let's see...

- maxlength - variable used
- strip_tags() - variable passes through validation
- no email addresses on page
- .htaccess protects email constants
- directories password protected

Can't think of anything else.
darkfreaks, posted September 10, 2009:
Validation? Like this?

<?php
// Take the submitted address from the form (added so the snippet runs on its own)
$email = isset($_POST['email']) ? $_POST['email'] : '';

// One-regex check: local part, "@", then either a dotted number or a host name with a 2-6 letter TLD
function is_valid_email($email)
{
    return preg_match('#^[a-z0-9.!\#$%&\'*+-/=?^_`{|}~]+@([0-9.]+|([^\s]+\.+[a-z]{2,6}))$#si', $email);
}

if (!is_valid_email($email)) {
    echo 'Sorry, invalid email';
    exit;
}
?>
sawade (Author), posted September 10, 2009:

<?php
class EmailAddressValidator
{
    public function check_email_address($strEmailAddress)
    {
        // Control characters are not allowed
        if (preg_match('/[\x00-\x1F\x7F-\xFF]/', $strEmailAddress)) {
            return false;
        }
        // Check email length - min 3 (a@a), max 256
        if (!$this->check_text_length($strEmailAddress, 3, 256)) {
            return false;
        }
        // Split it into sections using last instance of "@"
        $intAtSymbol = strrpos($strEmailAddress, '@');
        if ($intAtSymbol === false) {
            // No "@" symbol in email.
            return false;
        }
        $arrEmailAddress[0] = substr($strEmailAddress, 0, $intAtSymbol);
        $arrEmailAddress[1] = substr($strEmailAddress, $intAtSymbol + 1);
        // Strip dots and quoted strings from the local part, then make sure no other "@" remains
        $arrTempAddress[0] = preg_replace('/\./', '', $arrEmailAddress[0]);
        $arrTempAddress[0] = preg_replace('/"[^"]+"/', '', $arrTempAddress[0]);
        $arrTempAddress[1] = $arrEmailAddress[1];
        $strTempAddress = $arrTempAddress[0] . $arrTempAddress[1];
        // Then check - should be no "@" symbols.
        if (strrpos($strTempAddress, '@') !== false) {
            // "@" symbol found
            return false;
        }
        // Check local portion
        if (!$this->check_local_portion($arrEmailAddress[0])) {
            return false;
        }
        // Check domain portion
        if (!$this->check_domain_portion($arrEmailAddress[1])) {
            return false;
        }
        // If we're still here, all checks above passed. Email is valid.
        return true;
    }

    protected function check_local_portion($strLocalPortion)
    {
        if (!$this->check_text_length($strLocalPortion, 1, 64)) {
            return false;
        }
        $arrLocalPortion = explode('.', $strLocalPortion);
        for ($i = 0, $max = sizeof($arrLocalPortion); $i < $max; $i++) {
            // Each dot-separated part is either a dot-atom or a quoted string
            if (!preg_match('.^('
                    . '([A-Za-z0-9!#$%&\'*+/=?^_`{|}~-]'
                    . '[A-Za-z0-9!#$%&\'*+/=?^_`{|}~-]{0,63})'
                    . '|'
                    . '("[^\\\"]{0,62}")'
                    . ')$.', $arrLocalPortion[$i])) {
                return false;
            }
        }
        return true;
    }

    protected function check_domain_portion($strDomainPortion)
    {
        // Total domain can only be from 1 to 255 characters, inclusive
        if (!$this->check_text_length($strDomainPortion, 1, 255)) {
            return false;
        }
        // Check if domain is IP, possibly enclosed in square brackets.
        if (preg_match('/^(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
                . '(\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])){3}$/', $strDomainPortion)
            || preg_match('/^\[(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
                . '(\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])){3}\]$/', $strDomainPortion)) {
            return true;
        } else {
            $arrDomainPortion = explode('.', $strDomainPortion);
            if (sizeof($arrDomainPortion) < 2) {
                return false; // Not enough parts to domain
            }
            for ($i = 0, $max = sizeof($arrDomainPortion); $i < $max; $i++) {
                // Each portion must be between 1 and 63 characters, inclusive
                if (!$this->check_text_length($arrDomainPortion[$i], 1, 63)) {
                    return false;
                }
                if (!preg_match('/^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|'
                        . '([A-Za-z0-9]+))$/', $arrDomainPortion[$i])) {
                    return false;
                }
                if ($i == $max - 1) {
                    // TLD cannot be only numbers
                    if (strlen(preg_replace('/[0-9]/', '', $arrDomainPortion[$i])) <= 0) {
                        return false;
                    }
                }
            }
        }
        return true;
    }

    protected function check_text_length($strText, $intMinimum, $intMaximum)
    {
        // Minimum and maximum are both inclusive
        $intTextLength = strlen($strText);
        if (($intTextLength < $intMinimum) || ($intTextLength > $intMaximum)) {
            return false;
        } else {
            return true;
        }
    }
}
?>
sawade (Author), posted September 10, 2009:
Grr darn it...

[the same EmailAddressValidator class, reposted unchanged]
darkfreaks, posted September 10, 2009:
I don't think it's that either. What it is doing is putting [email protected] in the URL, so it passes validation but still registers as spam.
sawade (Author), posted September 10, 2009:
Interesting. I don't think I need to worry about it; in the future these forms will be moved into a login area, and that along with the captcha should remove any threat from spam. Wouldn't you think?
darkfreaks, posted September 10, 2009:
Apparently I was wrong; it is the validation. Look: email=%sample40email%2Ets
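The back-and-forth above mixes two questions: whether the address is well formed, and what the form handler does with it. The value the scanner sent is percent-encoded on the wire (email=sample%40email%2Etst) and PHP decodes it before any validation runs, so the check has to reason about the decoded string; and for a form whose value is passed on to a mailer, the check that matters most is rejecting carriage returns and line feeds, which the EmailAddressValidator class does through its control-character test and the one-line regex does not guarantee (its $ anchor still matches before a trailing newline). The script below is an added Python example written for this page, not code from the thread; it ports the posted one-liner for comparison, applies stricter rules in the spirit of the class, and runs both over constructed inputs including one header-injection attempt. The thread does not say what the scanner flagged, so the injection input is an assumption used only to show the difference between the two checks.

```python
import re
from urllib.parse import unquote_plus

# Python port of the one-line regex posted in the thread, kept for comparison.
SIMPLE_RE = re.compile(
    r"^[a-z0-9.!#$%&'*+-/=?^_`{|}~]+@([0-9.]+|([^\s]+\.+[a-z]{2,6}))$",
    re.IGNORECASE | re.DOTALL,
)

# Stricter pieces: dot-atom local part, host-name labels, or a bracketed IPv4 literal.
LOCAL_ATOM_RE = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]{1,64}$")
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IPV4_RE = re.compile(r"^" + OCTET + r"(?:\." + OCTET + r"){3}$")


def simple_is_valid(email):
    """The posted one-liner: True when the regex matches."""
    return SIMPLE_RE.search(email) is not None


def strict_check(email):
    """Return None if the address is acceptable, otherwise a short reason.

    Rejecting every control character (CR and LF included) is the step that
    keeps a submitted value from ever adding a header line to an outgoing mail."""
    if any(ord(c) < 0x20 or ord(c) >= 0x7F for c in email):
        return "control or non-ASCII character"
    if not 3 <= len(email) <= 254:
        return "bad length"
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        return "missing local part or domain"
    if "@" in local:
        return "more than one @"  # quoted local parts are not supported here
    if len(local) > 64:
        return "local part too long"
    for atom in local.split("."):
        if not LOCAL_ATOM_RE.match(atom):
            return "bad local part"
    if len(domain) > 255:
        return "domain too long"
    host = domain[1:-1] if domain[0] == "[" and domain[-1] == "]" else domain
    if IPV4_RE.match(host):
        return None
    labels = domain.split(".")
    if len(labels) < 2:
        return "domain needs at least two labels"
    for label in labels:
        if not LABEL_RE.match(label):
            return "bad domain label"
    if labels[-1].isdigit():
        return "numeric top-level domain"
    return None


def check_form_email(raw_field):
    """Validate what the form really carries: decode the URL-encoded field the
    way PHP fills $_POST, then run the strict check on the decoded value."""
    decoded = unquote_plus(raw_field)
    return decoded, strict_check(decoded)


if __name__ == "__main__":
    # Constructed inputs: the scanner's value from the thread, and an assumed
    # header-injection attempt that tries to smuggle a Bcc: line.
    for raw in ("sample%40email%2Etst",
                "victim%40example.com%0D%0ABcc%3A+x%40example.net"):
        decoded, reason = check_form_email(raw)
        print(repr(decoded), "->", reason or "ok",
              "| one-liner:", simple_is_valid(decoded))
```

The one-liner accepts "sample@email.tst\n" and "user@..." while the strict check rejects both; both reject the two-line injection attempt, but only because the regex happens to exclude whitespace, not because it was designed to. Whatever validator is used, the mailer call should take the address as a recipient value and never build a raw header string from it.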
sawade (Author), posted September 10, 2009:
My thing is, why is it only attacking this form? All the forms use this validation.
darkfreaks, posted September 10, 2009:
I got this anti-spambot class from phpclasses:

<?php
/**
 * Class AntiIFLSpamBotEmail version 0.0.1 (for PHP 5+)
 * Prints an email address in a form meant to defeat spam bots, by encoding
 * characters as ASCII entities.
 * Author: Behrouz Pooladrag (IFLashLord) <Me [at] IFLashLord [dot] Com>
 * Email bugs/suggestions to Me [at] iflashlord.com
 * Copyright (c) 2008 by Behrouz Pooladrag, IFLashLord Co.
 * WebSite: http://www.IFLashLord.Com
 * This script has been created and released under the GNU GPL and is free
 * to use and redistribute only if this copyright statement is not removed.
 * (The zakat of knowledge is to spread it.)
 *
 * Arguments:
 *   new AntiIFLSpamBotEmail(string $emailAddress);
 *   AntiIFLSpamBotEmail->antispambot(int $mode);
 *     0: for showing the email as printed text
 *     1: for putting the email in a link (mailto:...)
 *     2: return random parts of the email in hexadecimal
 *
 * Full example of this class:
 *   $antiSpambotBehrouzpc = new AntiIFLSpamBotEmail("[email protected]"); // start class
 *   $EmailForShow = $antiSpambotBehrouzpc->antispambot(0);  // show mode
 *   $EmailForLink = $antiSpambotBehrouzpc->antispambot(1);  // link mode
 *   print "<a href='mailto:" . $EmailForLink . "'>" . $EmailForShow . "</a>";
 * The result is of this type:
 *   <a href='mailto:behr%6f%75zpc@ya%68oo%2ec%6f%6d'>behrouzpc@yahoo.com</a>
 */
class AntiIFLSpamBotEmail
{
    const VERSION = '0.0.1';
    public $emailaddy;

    function __construct($emailaddy)
    {
        $this->emailaddy = $emailaddy;
    }

    // Add leading zeros when necessary
    public function zeroise($number, $threshold)
    {
        return sprintf('%0' . $threshold . 's', $number);
    }

    // Rewrite each character at random as a decimal HTML entity, as itself,
    // or (modes 1 and 2) as a percent-encoded hex byte
    public function antispambot($mailto = 0)
    {
        $emailNOSPAMaddy = '';
        srand((float) microtime() * 1000000);
        for ($i = 0; $i < strlen($this->emailaddy); $i = $i + 1) {
            // Upper bound capped at 2: the original rand(0, 1 + $mailto) could
            // return 3 in mode 2, in which case the character was silently dropped
            $j = rand(0, min(1 + $mailto, 2));
            if ($j == 0) {
                $emailNOSPAMaddy .= '&#' . ord(substr($this->emailaddy, $i, 1)) . ';';
            } elseif ($j == 1) {
                $emailNOSPAMaddy .= substr($this->emailaddy, $i, 1);
            } elseif ($j == 2) {
                $emailNOSPAMaddy .= '%' . $this->zeroise(dechex(ord(substr($this->emailaddy, $i, 1))), 2);
            }
        }
        // Never leave a literal "@" in the output (the forum had rendered this entity as "@")
        $emailNOSPAMaddy = str_replace('@', '&#64;', $emailNOSPAMaddy);
        return $emailNOSPAMaddy;
    }
}
?>

Example:

<?php
include_once("antiSpamEmail-IFLashLord-php5.php");
//include_once("antiSpamEmail-IFLashLord-php4.php");

// Start example
$antiSpambotBehrouzpc = new AntiIFLSpamBotEmail("[email protected]"); // start class
$EmailForShow = $antiSpambotBehrouzpc->antispambot(0);  // show mode
$EmailForLink = $antiSpambotBehrouzpc->antispambot(1);  // link mode
print "<a href='mailto:" . $EmailForLink . "'>" . $EmailForShow . "</a>"; // and print
?>
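The class above hides an address from harvesters that grep raw HTML for something@something, and nothing more: the browser has to decode the entities and percent escapes to show the link, so any scraper that does the same decoding gets the address back. The script below is an added Python example written for this page, not the phpclasses code; it ports the per-character encoding (with a seeded generator in place of srand()/rand() and the mode 2 upper bound capped so no character is dropped) and pairs it with the two standard-library decoding steps a harvester would apply. The address user@example.com is constructed for the demonstration; addresses containing a literal % are outside what this round trip handles.

```python
import html
import random
from urllib.parse import unquote


def obfuscate(address, mode=0, seed=0):
    """Port of antispambot(): emit each character at random as a decimal HTML
    entity (&#NN;), as itself, or (modes 1 and 2) as a %HH escape, then
    replace any literal "@" with its entity. A seeded generator stands in for
    srand()/rand() so the output is reproducible; the bound is capped at 2."""
    rng = random.Random(seed)
    out = []
    for ch in address:
        j = rng.randint(0, min(1 + mode, 2))
        if j == 0:
            out.append("&#%d;" % ord(ch))
        elif j == 1:
            out.append(ch)
        else:
            out.append("%%%02x" % ord(ch))
    return "".join(out).replace("@", "&#64;")


def scraper_view(markup):
    """What a harvester that decodes entities and then percent escapes sees,
    which is also what the browser renders and puts into the mailto: link."""
    return unquote(html.unescape(markup))


def survives_decoding(address, mode=0, seed=0):
    """True when the obfuscated form decodes straight back to the address."""
    return scraper_view(obfuscate(address, mode, seed)) == address


if __name__ == "__main__":
    addr = "user@example.com"  # constructed address for the demonstration
    for mode in (0, 1, 2):
        markup = obfuscate(addr, mode)
        print("mode %d: %s -> %s" % (mode, markup, scraper_view(markup)))
```

The output never contains a bare @ and still decodes to the original in every mode, which is the whole point: this stops the laziest harvesters and nothing else, so it belongs alongside, not instead of, server-side controls such as rate limiting, a login requirement or a CAPTCHA on the form itself.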
sawade (Author), posted September 10, 2009:
We will be creating something like this in the future. It is why we IP-log everything on the site.
darkfreaks, posted September 10, 2009:
Ah, OK. Feel free to use it.
sawade (Author), posted September 10, 2009:
I appreciate the help. You've been great.
sawade (Author), posted September 10, 2009:
To allow Google...

User-agent: Google
Disallow:
sawade (Author), posted September 10, 2009:
Wrong place. LOL. Disregard previous post.