1
agf8623
Spammer trying to hijack my Contact Form! :(
  • 2005/9/10 15:41

  • agf8623

  • Just popping in

  • Posts: 59

  • Since: 2004/5/15


A spammer has been testing my contact form in an attempt to send spam through my site to a list of email addresses. Somehow, the guy automatically inserts a CC an BCC into the email message and away the spam goes!

I found an article on the type of attack I'm experiencing, and it says I need to add two lines into my PHP email header. The only problem is that I don't know where this is in my XOOPS structure. Could a XOOPS guru help me out here?

Here is the code I'm supposed to put into my email header:
$_POST['email'] = preg_replace("\r", "", $_POST['email']);
$_POST['email'] = preg_replace("\n", "", $_POST['email']);

Here is the article I read about the attack:
http://www.anders.com/projects/sysadmin/formPostHijacking/

2
Peekay
Re: Spammer trying to hijack my Contact Form! :(
  • 2005/9/10 17:51

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


This is a good question. I suppose this problem would affect the XOOPS 'contact' form and also modules like Liaise. Anyone know how to apply the suggested fix in both (unless Liaise already has this covered?)
A thread is for life. Not just for Christmas.

3
Dave_L
Re: Spammer trying to hijack my Contact Form! :(
  • 2005/9/10 18:23

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


Those calls to preg_replace are invalid; the pattern delimiters are missing.

I would use this instead:

$_POST['email'] = preg_replace('/\s/', '', $_POST['email']);

That will remove all whitespace characters, including \r and \n.

As far as where to put it, you'd have to look at the script to see where it references $_POST['email'].

Actually, it might be better to just abort the script if an invalid character is detected in the email address:

preg_match('/\s/', $_POST['email']) and die('123');

4
agf8623
Re: Spammer trying to hijack my Contact Form! :(
  • 2005/9/11 14:46

  • agf8623

  • Just popping in

  • Posts: 59

  • Since: 2004/5/15


So just to make sure I'm on the right page, I need to enter this in my form's validation javascript?

Thanks much!

5
Dave_L
Re: Spammer trying to hijack my Contact Form! :(
  • 2005/9/11 15:48

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


No, you would put that in the .php file that processes the submitted form and sends the email.

6
agf8623
Re: Spammer trying to hijack my Contact Form! :(
  • 2005/9/12 1:29

  • agf8623

  • Just popping in

  • Posts: 59

  • Since: 2004/5/15


I should have stated this in my first post, but I'm a newbie to PHP and I need a little help getting up to speed.

Is this the file that I need to be working with:
\class\mail\phpmailer\class.phpmailer.php

Thanks!
ama

7
ultimike
Re: Spammer trying to hijack my Contact Form! :(
  • 2006/3/14 21:30

  • ultimike

  • Just popping in

  • Posts: 13

  • Since: 2004/4/21


So did the fix solve your spam problem? I think the same thing is happening to me. Can you provide the details on the fix you used?

Thanks,
-mike

8
justjeff
Re: Spammer trying to hijack my Contact Form! :(
  • 2006/3/14 21:34

  • justjeff

  • Just popping in

  • Posts: 81

  • Since: 2006/1/16


I use this contact form

it is anti-spam
Jeff

9
McNaz
Re: Spammer trying to hijack my Contact Form! :(
  • 2006/3/15 13:13

  • McNaz

  • Just can't stay away

  • Posts: 574

  • Since: 2003/4/21


Quote:

A spammer has been testing my contact form in an attempt to send spam through my site to a list of email addresses. Somehow, the guy automatically inserts a CC an BCC into the email message and away the spam goes!


I read this last night and it scared the sh*t out of me.

I've got a few XOOPS sites setup and the thought if this happening on any of them scared me even more!!

I decided to look at the contact form's code (index.php v1.12.12.1) and:

$xoopsMailer->setToEmails($xoopsConfig['adminmail']);
    
$xoopsMailer->setFromEmail($usersEmail);
    
$xoopsMailer->setFromName($xoopsConfig['sitename']);
    
$xoopsMailer->setSubject($subject);
    
$xoopsMailer->setBody($adminMessage);


I can see that there is no way to change the destination (at least how I understand it, because of

$xoopsMailer->setToEmails($xoopsConfig['adminmail']);


This is always sent to the adminmail email. I also can't see how a CC or a BCC can be injected into the $xoopMail->setToEmails() method.

The $usersEmail does get checked for validity in:

if ( ! ( $usersEmail checkEmail$myts->stripSlashesGPC($_POST['usersEmail']) ) ) ) {
        
redirect_headerXOOPS_URL "/modules/" $xoopsModule->getVar('dirname') . "/index.php"2_CT_INVALIDMAIL );
        exit();
    }


So tried keying in two email addresses separated by /n or /n and sure enough the check caught it.

Checking out xoopsmailer.php

$this->headers[] = "Return-Path: ".$this->fromEmail;


So this can be fooled if $this->fromEmail contains email+carriage return+CC:email or BCC:email.

So it does depends how well the $userEmail check works.

function checkEmail($email,$antispam false)
{
    if (!
$email || !preg_match("/^[_a-z0-9-]+(.[_a-z0-9-]+)*@[a-z0-9-]+([.][a-z0-9-]+)+$/i",$email)){
        return 
false;
    }
    if (
$antispam) {
        
$email str_replace("@"" at "$email);
        
$email str_replace("."" dot "$email);
    }
    return 
$email;
}


I can see that the code checks for a valid email, using the given regex pattern. I am no expert in regex but I ran a few tests and the following emails failed.

test@test.comnCC:test@test2.com    Invalid email
test
@test.comrCC:test@test2.com    Invalid email
"test@test.comrCC:test@test2.com"    Invalid email


From my basic (and quick) investigation, I cannot see how this can be possible via the contact form.

Could I ask someone more knowledgeable than me in regex and phpmailer to please look at this.

Cheers.

McNaz.

10
Dave_L
Re: Spammer trying to hijack my Contact Form! :(
  • 2006/3/15 18:42

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


Is the subject also sanitized?

I have a non-XOOPS contact form on another site that I coded myself. Lately I've been getting frequent attempts to hijack it for spamming. But the spammer's BCC's just get put into the body, rather than the headers, so I'm the only one who receives it. When I get around to it, I plan on adding a simple CAPTCHA.

Login

Who's Online

281 user(s) are online (207 user(s) are browsing Support Forums)


Members: 0


Guests: 281


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits