| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon Sep 12 14:56:44 2005
From: lists at irregular.ch (Matthias Kestenholz)
Subject: Automated mass abuse of form mailers
Hi,
On Mon, 2005-09-12 at 11:33 +0200, Michael Holzt wrote:
> Automated mass abuse of form mailers
[...]
> It is therefore advised to check the relevant data fields for newlines
> inserted and deny sending the mail if any are found. For example the
> vulnerable script shown above could be added by a check like this:
>
> | if ( eregi("\n",$_POST["email"]) || eregi("\r",$_POST["email"]) )
> | {
> | header("HTTP/1.0 403 Forbidden");
> | die("Spam attempt denied");
> | }
>
I am blocking these attempts using the following POC in PHP: (it's not
too nice but it works) It uses an unique ID stored in the session for
input validation.
<?php
$displayForm = true;
if( !isset( $_POST['submit'] ) ) {
if( !isset( $_SESSION['form'])) {
// set an unique id in the session
$_SESSION['form'] = md5(uniqid(time()));
}
} else {
// compare the submitted id and the id stored in the session;
// if they are not equal it was probably a scripted attempt
// to abuse the email form
if( $_POST['text']!='' && $_POST['id']==$_SESSION['form']) {
$text = "{$_POST['name']} ({$_POST['email']}) wrote:\n";
$text .= $_POST['text'];
// optional: do more checking
mail('address@...mple.com', 'Contact form', $text);
echo "Thank you!";
$displayForm = false;
}
}
if( $displayForm ) {
?>
<form method="post">
<input type="hidden" name="id" value="<?php echo
$_SESSION['form'];?>" />
[...more form code]
<input type="submit" name="submit" />
</form>
<?php
}
?>
Matthias
--
Matthias Kestenholz
http://blog.irregular.ch/
Powered by blists - more mailing lists