RE: [PHP] Is my feedback form being successfully abused?

2005-09-20 Thread Chris W. Parker
Jochem Maas on Tuesday, September 20, 2005 2:37 AM said:

> this 'fairly recent' class of attack is already quite well documented,
> google around for more info.

Actually I did do some googling on it before posting and was relatively
confident that the attempt to exploit the form wasn't actually
successful. I posted to the list to find out if indeed it was being
exploited despite the lack of evidence in the maillog.

> I don't know if any mail classes out there deal with this issue for you,
> I wrote a simple function to attempt to check for 'problem' message
> bodies:

Thanks for the code. I'll try to get it implemented soon.


Chris.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Is my feedback form being successfully abused?

2005-09-20 Thread Jochem Maas

Chris W. Parker wrote:

> Hello,
>
> About a few weeks ago I started seeing three emails that all come at the
> same time (within the same minute) that seem to be trying to exploit a
> feedback form I have on our website. Every time someone submits a
> feedback form I am sent the information they entered. The To and From
> address are hard coded.


that makes no difference, what the spammer is trying to do is pass
mail headers directly in the body of the email you are generating which when
passed to the SMTP server by whatever function/syscall you use will
be interpreted by the SMTP server as a separate email to be sent.

this 'fairly recent' class of attack is already quite well documented,
google around for more info.

I don't know if any mail classes out there deal with this issue for you,
I wrote a simple function to attempt to check for 'problem' message
bodies:

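<?php
// The start of this function was lost in the archive copy. The function
// name, the parameter and the $evilStrs list are reconstructed here as
// assumptions; the loop body and return values are as posted.
function hasEvilStrings($vals)
{
    $evilStrs = array('Content-Type:', 'MIME-Version:', 'bcc:');
    if (is_array($vals)) {
        foreach ($evilStrs as $evilStr) {
            foreach ($vals as $k => $v) {
                if (strstr($v, $evilStr) !== false) {
                    return true;
                }
            }
        }
    }

    // nothing going on!
    return false;
}

?>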

any comments or improvements to this function are appreciated.



> Here is an example message
>
> [begin]
> == Name ==
>
>   [EMAIL PROTECTED]
>
> == Agency ==
>
>   [EMAIL PROTECTED]
> Content-Type: multipart/mixed; boundary="===1815270735=="
> MIME-Version: 1.0
> Subject: a8f1a36a
> To: [EMAIL PROTECTED]
> bcc: [EMAIL PROTECTED]
> From: [EMAIL PROTECTED]
>
> This is a multi-part message in MIME format.
>
> --===1815270735==
> Content-Type: text/plain; charset="us-ascii"
> MIME-Version: 1.0
> Content-Transfer-Encoding: 7bit
>
> thgfxnes
> --===1815270735==--
>
>
> == Email ==
>
>   [EMAIL PROTECTED]
>
> == Comment ==
>
> [EMAIL PROTECTED]
> [end]
>
> It seems to me that the attempted exploit is unsuccessful because I
> cannot find "dtdegq" or "mhko321" in /var/log/maillog. But I wanted to
> send this to the list in case someone knows different.
>
>
> Thanks,
> Chris.
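
The kind of check discussed in this thread, as an added example that is not code from either poster: fields that should be a single line are rejected if they contain CR or LF, and any field is flagged if one of its lines starts with a header name from the sample message, matched case-insensitively. The function name findHeaderInjection, the field names and the example.com values are assumptions constructed for illustration.

```php
<?php
// Added example, not from the thread. Function and field names are hypothetical.

/**
 * Return the submitted fields that look like a mail header injection
 * attempt, as field name => reason.
 *
 * @param array $fields     field name => submitted value
 * @param array $singleLine names of fields that must never contain a line break
 */
function findHeaderInjection(array $fields, array $singleLine)
{
    // Header names taken from the sample message in this thread.
    $headerLine = '/^[ \t]*(content-type|mime-version|content-transfer-encoding'
                . '|subject|to|cc|bcc|from)[ \t]*:/mi';
    $suspect = array();

    foreach ($fields as $name => $value) {
        if (!is_string($value)) {
            $suspect[$name] = 'not a string';
            continue;
        }
        // A name or e-mail address has no reason to contain CR or LF.
        if (in_array($name, $singleLine, true) && preg_match('/[\r\n]/', $value)) {
            $suspect[$name] = 'line break in single-line field';
            continue;
        }
        // Free-text fields may span lines, but a line that begins with a
        // header name matches the injected block in the sample message.
        if (preg_match($headerLine, $value)) {
            $suspect[$name] = 'header-like line';
        }
    }
    return $suspect;
}

// Constructed sample input modelled on the message quoted in this thread.
$post = array(
    'name'    => 'Jane Example',
    'agency'  => "someone@example.com\r\nContent-Type: multipart/mixed\r\nbcc: list@example.com",
    'email'   => 'jane@example.com',
    'comment' => "Line one.\nbCC: list@example.com",
);

$hits = findHeaderInjection($post, array('name', 'agency', 'email'));
if ($hits) {
    // Drop the submission and record which fields tripped, instead of calling mail().
    error_log('feedback form rejected: ' . json_encode($hits));
}
```

With the constructed input, agency is flagged for its line break and comment for the mixed-case bCC: line. The header-name match on free text is a heuristic and can flag an honest comment that begins a line with "To:" or "From:".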


