Jump to content

Archived

This topic is now archived and is closed to further replies.

pauld_82

HELP:: need help stopping PHP mail INJECTIONS

Recommended Posts

Hi guys,

The other day I was hacked by a 'Injection Bot' on my webserver.

Now I'm receiving about 1000 emails of 'mail subsystem returns' every day from 'aol.com'

Can anyone help me make my PHP mail file more secure?

[code]<?php
//block spam security script
foreach( $_POST as $value ){
      if(strpos($value,'Content-Type:') !== FALSE ){
        mail('webmaster@scriptsforyou.net','Spammer Bot Attempt on form.php',$_SERVER['REMOTE_ADDR']);
         exit("{$_SERVER['REMOTE_ADDR']} Has been Recorded. Spam bot attempt");
      }
    }
//start building the mail string
$msg = "<p><strong>First Name:</strong> $_POST[firstname]</p>";
$msg .= "<p><strong>Surname:</strong> $_POST[surname]</p>";
$msg .= "<p><strong>Phone:</strong> $_POST[phone]</p>";
$msg .= "<p><strong>E-Mail:</strong> $_POST[email]</p>";
$msg .= "<p><strong>Enquiry Type:</strong> $_POST[enquirytype]</p>";
$msg .= "<p><strong>Message:</strong> $_POST[enquiry]</p>";
$msg .= "<p><strong>Where did you find us?</strong> $_POST[findus]</p>";
//set up the mail
$recipient = "me@mysite.com.au";
$subject = "Contact Form Submission Results";
$mailheaders = "MIME-Version: 1.0\r\n";
$mailheaders .= "Content-type: text/html; charset=ISO-8859-1\r\n";
$mailheaders .= "From: The Web Site <me@mysite.com.au> \n";
$mailheaders .= "Reply-To: $_POST[email]";
//send the mail
mail($recipient, $subject, $msg, $mailheaders);

$URL="http://www.mysite.com.au/contactus_thanks.html";
header ("Location: $URL");
?>
<html>
<title>Thanks for contacting My Site</title>
<head></head>
<body>
</body>
</html>    [/code]

Share this post


Link to post
Share on other sites
Validate $_POST['email'] to make sure it is a single, valid email address (instead of an injection attack, probably containing thousands of email addresses).

This isn't the greatest around but it will work for your purpose. You can look around for a better solution.

[code]function  checkEmail($email) {
if (!preg_match("/^( [a-zA-Z0-9] )+( [a-zA-Z0-9\._-] )*@( [a-zA-Z0-9_-] )+( [a-zA-Z0-9\._-] +)+$/" , $email)) {
  return false;
}
return true;
}
[/code]

Share this post


Link to post
Share on other sites
Hi wickning1

Thanks for your reply, much appreciated!

Do I add this code to the top of my exisiting PHP file?

OR

Do I have to call it somehow?

Here is my new code (it works so I'm hoping that the SPAM stops, comes every 24hours so I will keep you posted I guess, can you tell from looking at the script whether it will work?)

[code]
<?php
//block spam security script
foreach( $_POST as $value ){
      if(strpos($value,'Content-Type:') !== FALSE ){
        mail('webmaster@scriptsforyou.net','Spammer Bot Attempt on form.php',$_SERVER['REMOTE_ADDR']);
         exit("{$_SERVER['REMOTE_ADDR']} Has been Recorded. Spam bot attempt");
      }
    }
//start building the mail string
$msg = "<p><strong>First Name:</strong> $_POST[firstname]</p>";
$msg .= "<p><strong>Surname:</strong> $_POST[surname]</p>";
$msg .= "<p><strong>Phone:</strong> $_POST[phone]</p>";
$msg .= "<p><strong>E-Mail:</strong> $_POST[email]</p>";
$msg .= "<p><strong>Enquiry Type:</strong> $_POST[enquirytype]</p>";
$msg .= "<p><strong>Message:</strong> $_POST[enquiry]</p>";
$msg .= "<p><strong>Where did you find us?</strong> $_POST[findus]</p>";
//set up the mail
$recipient = "me@mysite.com.au";
$subject = "Contact Form Submission Results";
$mailheaders = "MIME-Version: 1.0\r\n";
$mailheaders .= "Content-type: text/html; charset=ISO-8859-1\r\n";
$mailheaders .= "From: The my Web Site <me@mysite.com.au> \n";
$mailheaders .= "Reply-To: ".addslashes($_POST['email']);
//check the email
function  checkEmail($email) {
if (!preg_match("/^( [a-zA-Z0-9] )+( [a-zA-Z0-9\._-] )*@( [a-zA-Z0-9_-] )+( [a-zA-Z0-9\._-] +)+$/" , $email)) {
  return false;
}
return true;
}
//send the mail
mail($recipient, $subject, $msg, $mailheaders);
//redirect page
$URL="http://www.mysite.com.au/contactus_thanks.html";
header ("Location: $URL");
?>
<html>
<title>Thanks for contacting mysite</title>
<head></head>
<body>
</body>
</html>    [/code]

Share this post


Link to post
Share on other sites
I gave you a function, but you have to call it for it to work.

//send the mail
if (checkEmail($_POST['email'])) mail($recipient, $subject, $msg, $mailheaders);
else echo "Haha you're an attacker, no goodies for you!";
//redirect page

Share this post


Link to post
Share on other sites
so both bits of code go in my code, correct?

Because when I did that and tested the form it automatically sent me to the error page.?

Share this post


Link to post
Share on other sites
Ok so will this work?

[code]<?php
// start the god damn session
session_start(); // starts the session. Must be at the start of the page
if ($_SESSION[submitted] == 3){ // put whatever number you want here
redirect to error page (use meta-refresh)}
else{
$_SESSION[submitted] = $_SESSION[submitted] + 1; //increment the submit counter
}
//block spam security script
foreach( $_POST as $value ){
      if(strpos($value,'Content-Type:') !== FALSE ){
        mail('webmaster@scriptsforyou.net','Spammer Bot Attempt on form.php',$_SERVER['REMOTE_ADDR']);
         exit("{$_SERVER['REMOTE_ADDR']} Has been Recorded. Spam bot attempt");
      }
    }
//start building the mail string
$msg = "<p><strong>First Name:</strong> $_POST[firstname]</p>";
$msg .= "<p><strong>Surname:</strong> $_POST[surname]</p>";
$msg .= "<p><strong>Phone:</strong> $_POST[phone]</p>";
$msg .= "<p><strong>E-Mail:</strong> $_POST[email]</p>";
$msg .= "<p><strong>Enquiry Type:</strong> $_POST[enquirytype]</p>";
$msg .= "<p><strong>Message:</strong> $_POST[enquiry]</p>";
$msg .= "<p><strong>Where did you find us?</strong> $_POST[findus]</p>";
//error checking
if (!checkemail($_GET[email])){
$error_msg = "error";
}else if(empty($_GET[firstname])){
$error_msg = "error";
}else if(empty($_GET[surname])){
$error_msg = "error";
}else if(empty($_GET[email])){
$error_msg = "error";
}else if(empty($_GET[enquirytype])){
$error_msg = "error";
}else if(empty($_GET[enquiry])){
$error_msg = "error";
}else if(empty($_GET[findus])){
$error_msg = "error";
}
//error checking
if (!empty($error_msg)){
then it means there is an error in the form
take them back to the form with the error message displayed.
}
//set up the mail
$recipient = "me@mysite.com.au";
$subject = "Contact Form Submission Results";
$mailheaders = "MIME-Version: 1.0\r\n";
$mailheaders .= "Content-type: text/html; charset=ISO-8859-1\r\n";
$mailheaders .= "From: The Web Site <me@mysite.com.au> \n";
$mailheaders .= "Reply-To: ".addslashes($_POST['email']);
//check the email
function  checkEmail($email) {
if (!preg_match("/^( [a-zA-Z0-9] )+( [a-zA-Z0-9\._-] )*@( [a-zA-Z0-9_-] )+( [a-zA-Z0-9\._-] +)+$/" , $email)) {
  return false;
}
return true;
}
//send the mail
mail($recipient, $subject, $msg, $mailheaders);
//redirect page
$URL="http://www.thesite.com.au/contactus_thanks.html";
header ("Location: $URL");
?>
<html>
<title>Thanks for contacting the website</title>
<head></head>
<body>
</body>
</html>[/code]

Share this post


Link to post
Share on other sites

×

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.