Jump to content


Photo

HELP:: need help stopping PHP mail INJECTIONS


  • Please log in to reply
7 replies to this topic

#1 pauld_82

pauld_82
  • Members
  • Pip
  • Newbie
  • 5 posts

Posted 23 February 2006 - 03:03 AM

Hi guys,

The other day I was hacked by a 'Injection Bot' on my webserver.

Now I'm receiving about 1000 emails of 'mail subsystem returns' every day from 'aol.com'

Can anyone help me make my PHP mail file more secure?

<?php
//block spam security script
foreach( $_POST as $value ){ 
      if(strpos($value,'Content-Type:') !== FALSE ){ 
        mail('webmaster@scriptsforyou.net','Spammer Bot Attempt on form.php',$_SERVER['REMOTE_ADDR']); 
         exit("{$_SERVER['REMOTE_ADDR']} Has been Recorded. Spam bot attempt"); 
      } 
    } 
//start building the mail string
$msg = "<p><strong>First Name:</strong> $_POST[firstname]</p>";
$msg .= "<p><strong>Surname:</strong> $_POST[surname]</p>";
$msg .= "<p><strong>Phone:</strong> $_POST[phone]</p>";
$msg .= "<p><strong>E-Mail:</strong> $_POST[email]</p>";
$msg .= "<p><strong>Enquiry Type:</strong> $_POST[enquirytype]</p>";
$msg .= "<p><strong>Message:</strong> $_POST[enquiry]</p>";
$msg .= "<p><strong>Where did you find us?</strong> $_POST[findus]</p>";
//set up the mail
$recipient = "me@mysite.com.au";
$subject = "Contact Form Submission Results";
$mailheaders = "MIME-Version: 1.0\r\n";
$mailheaders .= "Content-type: text/html; charset=ISO-8859-1\r\n";
$mailheaders .= "From: The Web Site <me@mysite.com.au> \n";
$mailheaders .= "Reply-To: $_POST[email]";
//send the mail
mail($recipient, $subject, $msg, $mailheaders);

$URL="http://www.mysite.com.au/contactus_thanks.html";
header ("Location: $URL");
?>
<html>
<title>Thanks for contacting My Site</title>
<head></head>
<body>
</body>
</html>    


#2 wickning1

wickning1
  • Members
  • PipPipPip
  • Advanced Member
  • 405 posts

Posted 23 February 2006 - 04:10 AM

Validate $_POST['email'] to make sure it is a single, valid email address (instead of an injection attack, probably containing thousands of email addresses).

This isn't the greatest around but it will work for your purpose. You can look around for a better solution.

function  checkEmail($email) {
 if (!preg_match("/^( [a-zA-Z0-9] )+( [a-zA-Z0-9\._-] )*@( [a-zA-Z0-9_-] )+( [a-zA-Z0-9\._-] +)+$/" , $email)) {
  return false;
 }
 return true;
}


#3 pauld_82

pauld_82
  • Members
  • Pip
  • Newbie
  • 5 posts

Posted 23 February 2006 - 04:22 AM

Hi wickning1

Thanks for your reply, much appreciated!

Do I add this code to the top of my exisiting PHP file?

OR

Do I have to call it somehow?

Here is my new code (it works so I'm hoping that the SPAM stops, comes every 24hours so I will keep you posted I guess, can you tell from looking at the script whether it will work?)

<?php
//block spam security script
foreach( $_POST as $value ){ 
      if(strpos($value,'Content-Type:') !== FALSE ){ 
        mail('webmaster@scriptsforyou.net','Spammer Bot Attempt on form.php',$_SERVER['REMOTE_ADDR']); 
         exit("{$_SERVER['REMOTE_ADDR']} Has been Recorded. Spam bot attempt"); 
      } 
    } 
//start building the mail string
$msg = "<p><strong>First Name:</strong> $_POST[firstname]</p>";
$msg .= "<p><strong>Surname:</strong> $_POST[surname]</p>";
$msg .= "<p><strong>Phone:</strong> $_POST[phone]</p>";
$msg .= "<p><strong>E-Mail:</strong> $_POST[email]</p>";
$msg .= "<p><strong>Enquiry Type:</strong> $_POST[enquirytype]</p>";
$msg .= "<p><strong>Message:</strong> $_POST[enquiry]</p>";
$msg .= "<p><strong>Where did you find us?</strong> $_POST[findus]</p>";
//set up the mail
$recipient = "me@mysite.com.au";
$subject = "Contact Form Submission Results";
$mailheaders = "MIME-Version: 1.0\r\n";
$mailheaders .= "Content-type: text/html; charset=ISO-8859-1\r\n";
$mailheaders .= "From: The my Web Site <me@mysite.com.au> \n";
$mailheaders .= "Reply-To: ".addslashes($_POST['email']); 
//check the email
function  checkEmail($email) {
if (!preg_match("/^( [a-zA-Z0-9] )+( [a-zA-Z0-9\._-] )*@( [a-zA-Z0-9_-] )+( [a-zA-Z0-9\._-] +)+$/" , $email)) {
  return false;
}
return true;
}
//send the mail
mail($recipient, $subject, $msg, $mailheaders);
//redirect page
$URL="http://www.mysite.com.au/contactus_thanks.html";
header ("Location: $URL");
?>
<html>
<title>Thanks for contacting mysite</title>
<head></head>
<body>
</body>
</html>    


#4 wickning1

wickning1
  • Members
  • PipPipPip
  • Advanced Member
  • 405 posts

Posted 23 February 2006 - 02:21 PM

I gave you a function, but you have to call it for it to work.

//send the mail
if (checkEmail($_POST['email'])) mail($recipient, $subject, $msg, $mailheaders);
else echo "Haha you're an attacker, no goodies for you!";
//redirect page


#5 pauld_82

pauld_82
  • Members
  • Pip
  • Newbie
  • 5 posts

Posted 25 February 2006 - 10:04 AM

Call it from where?

I'm really new to all of this :(

#6 kenrbnsn

kenrbnsn
  • Staff Alumni
  • Advanced Member
  • 8,235 posts
  • LocationHillsborough, NJ, USA

Posted 25 February 2006 - 12:09 PM

He gave you the line to use in your script.

Ken

#7 pauld_82

pauld_82
  • Members
  • Pip
  • Newbie
  • 5 posts

Posted 25 February 2006 - 11:17 PM

so both bits of code go in my code, correct?

Because when I did that and tested the form it automatically sent me to the error page.?

#8 pauld_82

pauld_82
  • Members
  • Pip
  • Newbie
  • 5 posts

Posted 28 February 2006 - 07:53 AM

Ok so will this work?

<?php
// start the god damn session
session_start(); // starts the session. Must be at the start of the page
if ($_SESSION[submitted] == 3){ // put whatever number you want here
redirect to error page (use meta-refresh)}
else{
$_SESSION[submitted] = $_SESSION[submitted] + 1; //increment the submit counter
} 
//block spam security script
foreach( $_POST as $value ){ 
      if(strpos($value,'Content-Type:') !== FALSE ){ 
        mail('webmaster@scriptsforyou.net','Spammer Bot Attempt on form.php',$_SERVER['REMOTE_ADDR']); 
         exit("{$_SERVER['REMOTE_ADDR']} Has been Recorded. Spam bot attempt"); 
      } 
    } 
//start building the mail string
$msg = "<p><strong>First Name:</strong> $_POST[firstname]</p>";
$msg .= "<p><strong>Surname:</strong> $_POST[surname]</p>";
$msg .= "<p><strong>Phone:</strong> $_POST[phone]</p>";
$msg .= "<p><strong>E-Mail:</strong> $_POST[email]</p>";
$msg .= "<p><strong>Enquiry Type:</strong> $_POST[enquirytype]</p>";
$msg .= "<p><strong>Message:</strong> $_POST[enquiry]</p>";
$msg .= "<p><strong>Where did you find us?</strong> $_POST[findus]</p>";
//error checking
if (!checkemail($_GET[email])){
$error_msg = "error";
}else if(empty($_GET[firstname])){
$error_msg = "error";
}else if(empty($_GET[surname])){
$error_msg = "error";
}else if(empty($_GET[email])){
$error_msg = "error";
}else if(empty($_GET[enquirytype])){
$error_msg = "error";
}else if(empty($_GET[enquiry])){
$error_msg = "error";
}else if(empty($_GET[findus])){
$error_msg = "error";
}
//error checking
if (!empty($error_msg)){
then it means there is an error in the form
take them back to the form with the error message displayed.
} 
//set up the mail
$recipient = "me@mysite.com.au";
$subject = "Contact Form Submission Results";
$mailheaders = "MIME-Version: 1.0\r\n";
$mailheaders .= "Content-type: text/html; charset=ISO-8859-1\r\n";
$mailheaders .= "From: The Web Site <me@mysite.com.au> \n";
$mailheaders .= "Reply-To: ".addslashes($_POST['email']); 
//check the email
function  checkEmail($email) {
if (!preg_match("/^( [a-zA-Z0-9] )+( [a-zA-Z0-9\._-] )*@( [a-zA-Z0-9_-] )+( [a-zA-Z0-9\._-] +)+$/" , $email)) {
  return false;
}
return true;
}
//send the mail
mail($recipient, $subject, $msg, $mailheaders);
//redirect page
$URL="http://www.thesite.com.au/contactus_thanks.html";
header ("Location: $URL");
?>
<html>
<title>Thanks for contacting the website</title>
<head></head>
<body>
</body>
</html>





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users