Do you have a comment form that you use to send yourself messages from your websites -- possibly to avoid spam? Did you get the code from the web or write it yourself?
There is a recent trend of spamming through comment forms. Your machine can be used to send spam if one is able to mangle data that is being sent to your comment form.
PHP isn't the only language with this problem, but many people use PHP because it is 'quick and easy.' When they get it working, they forget to validate the data that can be stuffed into the different fields of the comment form.
Using the mail command in PHP is pretty easy:
Code:
mail("user@destination.com","subject of message","message body","From: ".$_REQUEST['sender']);
What most people writing PHP code don't realize is that the 4th parameter isn't just there to set the address the message came from. Most scripts set it to make replying to the email easy, but you are actually writing raw mail headers. As a result, anyone who can put a line break into that value can append their own headers, such as Bcc: or Content-Type:, to the message.
So, if you have scripts on your sites using the mail() command, take a few minutes to check and see if the data that is used in that 4th parameter is validated prior to it being sent to the command. If that data isn't validated, a spammer can use your comment form against you.
In the above case, one might consider a construct such as the following (the original snippet checked $_REQUEST['email'] while sending $_REQUEST['sender'], and its character class contained an unescaped '-' that turned '.-_' into a range; both are corrected here):
Code:
$sender = $_REQUEST['sender'];
// Accept only a plain mailbox address; anything else (including a value
// carrying a line break) is replaced before it reaches the header.
if (!preg_match('/^(([a-z0-9&._+-])|(\*))+@[a-z0-9\-]+\.([a-z0-9\-]+\.)*?[a-z]+$/i', $sender)) {
    $sender = "sender email forged, possible spam attempt";
    // or whatever error trapping you want to do here
}
mail("user@destination.com", "subject of message", "message body", "From: $sender");
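As an added example that is not from the original post, here is a stricter check in PHP: it rejects any submitted value that could add a header line (raw or percent-encoded CR/LF, control characters, address lists or display names) and keeps the From: header fixed to your own address, putting the submitter's address in Reply-To: instead. The function names and sample inputs are my own.

```php
<?php
// Added example, not from the original post: reject header injection in
// the sender value before it reaches mail(). Names below are my own.

// Returns true only for a single, plain mailbox address that cannot add
// extra header lines. Suspect input is rejected rather than "cleaned":
// stripping one newline still leaves an encoded one for a later decode.
function is_safe_sender(string $value): bool {
    // Any control character (CR, LF, NUL, ...) means header injection.
    if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
        return false;
    }
    // Percent-encoded CR/LF that another layer might decode later.
    if (preg_match('/%0[AD]/i', $value)) {
        return false;
    }
    // One bare address only: no display name, no comma/semicolon list.
    if (strpbrk($value, ',;<>"') !== false) {
        return false;
    }
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

// Builds the 4th mail() argument. From: is always our own fixed address;
// the submitter's address goes into Reply-To: when it passes the check.
function build_headers(array $request, string $own_address): string {
    $sender = $request['sender'] ?? '';
    if (!is_safe_sender($sender)) {
        // Log the rejected value so repeated attempts show up in review.
        error_log('comment form: rejected sender ' . json_encode($sender));
        return "From: $own_address";
    }
    return "From: $own_address\r\nReply-To: $sender";
}

// Constructed sample submissions for a quick self-check of the filter.
$samples = [
    'alice@example.org',                            // accepted
    "alice@example.org\r\nBcc: list@example.net",   // injected header line
    'alice@example.org%0ABcc:list@example.net',     // encoded newline
    'Alice <alice@example.org>, bob@example.org',   // display name / list
];
foreach ($samples as $s) {
    printf("%-48s %s\n", json_encode($s), is_safe_sender($s) ? 'ok' : 'rejected');
}
echo build_headers(['sender' => $samples[0]], 'form@example.org'), "\n";
```

Only the first sample is accepted; the other three are rejected and would be logged by build_headers().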
In any case, these vulnerabilities occur in dozens of scripts out there and recently have been used to send spam. Many of these scripts come from what most people would consider trusted sources.
Do yourself a favor and do a quick check on your comment forms to see if they might be subject to this exploit.
If you are using a Perl CGI for your comment form and it calls '/usr/lib/sendmail -t' somewhere within, it can be exploited the same way if certain fields are not validated.
One tell-tale sign of this is getting dozens of emails in a night from a comment form, all containing spammy messages.