Full Disclosure mailing list archives
Re: Automated mass abuse of form mailers
From: Matthias Kestenholz <lists () irregular ch>
Date: Mon, 12 Sep 2005 15:56:34 +0200
Hi,

On Mon, 2005-09-12 at 11:33 +0200, Michael Holzt wrote:
> Automated mass abuse of form mailers
> [...]
> It is therefore advised to check the relevant data fields for newlines
> inserted and deny sending the mail if any are found. For example the
> vulnerable script shown above could be added by a check like this:
> | if ( eregi("\n",$_POST["email"]) || eregi("\r",$_POST["email"]) )
> | {
> |   header("HTTP/1.0 403 Forbidden");
> |   die("Spam attempt denied");
> | }
I am blocking these attempts using the following POC in PHP (it's not too
nice but it works). It uses a unique ID stored in the session for input
validation.

<?php
// start the session so that $_SESSION is available below
session_start();

$displayForm = true;

if( !isset( $_POST['submit'] ) ) {
    if( !isset( $_SESSION['form'] ) ) {
        // set a unique id in the session
        $_SESSION['form'] = md5(uniqid(time()));
    }
} else {
    // compare the submitted id and the id stored in the session;
    // if they are not equal it was probably a scripted attempt
    // to abuse the email form
    if( isset($_POST['id'], $_SESSION['form'])
        && $_POST['text'] != '' && $_POST['id'] == $_SESSION['form'] ) {
        $text  = "{$_POST['name']} ({$_POST['email']}) wrote:\n";
        $text .= $_POST['text'];
        // optional: do more checking
        mail('address@example.com', 'Contact form', $text);
        echo "Thank you!";
        $displayForm = false;
    }
}

if( $displayForm ) {
?>
<form method="post">
<input type="hidden" name="id" value="<?php echo $_SESSION['form']; ?>" />
[...more form code]
<input type="submit" name="submit" />
</form>
<?php
}
?>

Matthias

--
Matthias Kestenholz
http://blog.irregular.ch/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
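An added example, not part of Matthias's post or the thread, that reimplements both defences in Python rather than PHP: the CR/LF check on header-bound fields that Michael Holzt proposed, and the per-session token check from the PoC above, with a naive header assembly that shows why a newline in a field matters. The field names, the token format and the sample submissions are assumptions.

```python
"""Two defences for a form mailer, in Python (the thread's code is PHP):
   1. reject CR/LF in any field that ends up in a mail header (header injection),
   2. require a per-session token in the POST, so blind scripted posts are dropped.
Field names, the token format and the sample submissions are constructed."""
import hmac
import secrets

# fields that are spliced into mail headers and therefore must not contain newlines
HEADER_FIELDS = ("email", "name", "subject")


def has_newline(value: str) -> bool:
    """Equivalent of the thread's eregi newline / carriage-return check."""
    return "\r" in value or "\n" in value


def header_lines(fields: dict) -> list:
    """Naive header assembly: shows how a CR/LF in a field becomes extra header lines."""
    raw = f"From: {fields['name']} <{fields['email']}>\r\nSubject: {fields['subject']}"
    return raw.splitlines()


def new_form_token(session: dict) -> str:
    """Create the per-session id once (the PoC used md5(uniqid(time()))); reuse it after."""
    if "form" not in session:
        session["form"] = secrets.token_hex(16)
    return session["form"]


def handle_post(post: dict, session: dict) -> tuple:
    """Return (http_status, reason); 200 means the mail may be built and sent."""
    token = session.get("form")
    # no session token, or a mismatch: this client never loaded the form page
    if token is None or not hmac.compare_digest(post.get("id", "").encode(), token.encode()):
        return 403, "token mismatch"
    for name in HEADER_FIELDS:
        if has_newline(post.get(name, "")):
            return 403, "newline in header field"
    if not post.get("text"):
        return 403, "empty message"
    return 200, "ok"


if __name__ == "__main__":
    session = {}
    tok = new_form_token(session)
    ok = {"id": tok, "name": "A", "email": "a@example.com", "subject": "hi", "text": "hello"}
    bad = dict(ok, email="a@example.com\r\nBcc: b@example.com")
    print(handle_post(ok, session), handle_post(bad, session))
    print(header_lines(bad))
```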