[Sussex] FW: Important message regarding PHP contact scripts

Steve Dobson steve at uthink.co.uk
Thu Dec 8 08:30:41 UTC 2005


Guys

This came over the wire today.  I post it here so the word gets out.

Steve

----- Forwarded message -----

From: <anon>
Sent: 07 December 2005 22:10
To: <anon>
Subject: Important message regarding PHP contact scripts
Importance: High

If your website has a PHP based contact or feedback form this message
requires your immediate attention.
 
We have found that spammers are now targeting websites that have a
contact.php or sendmail.php page and using these scripts to send out
their spam.
 
The "hack" is a fairly basic one - The php mail() function takes
parameters such as "to", "from", "subject" etc. The values for these
parameters are passed in via a simple html form page.
 
However, if a spammer pastes in a whole load of email headers and spam
into your fields they can effectively hijack your script to use it to
spam countless others.
 
<snip actions taken by sender - not appropriate> 

Fixes
-----
 
There are a number of "fixes" which we have found discussed on the web.
Please do not contact us regarding fixing your scripts as we are unable
to get involved in any coding/design issues.
 
1. Ensure the PHP script sets headers correctly.
 
   Make sure you end your headers with \r\n\r\n. 
 
   change $headers .= "From: " . $from . "\r\n"; 
   to 
          $headers .= "From: " . $from . "\r\n\r\n"; 
 

2. Filter form inputs for any unwanted strings, e.g. bcc headers
 
   // Strip \r and \n from the email address 
   // (preg_replace patterns need delimiters, e.g. "/\r/", or the call 
   // emits a warning and returns NULL instead of the cleaned value) 
 
   $_POST['email'] = preg_replace("/\r/", "", $_POST['email']); 
   $_POST['email'] = preg_replace("/\n/", "", $_POST['email']); 
 
   // Remove injected headers 
 
   $find = array("/bcc\:/i","/Content\-Type\:/i","/cc\:/i","/to\:/i"); 
 
   $_POST['email'] = preg_replace($find, "", $_POST['email']); 
   // The comments field comes from the form too, so read it from $_POST 
   $comments = preg_replace($find, "", $_POST['comments']); 
 

3. Set a session on your form input page and check for this session in
your PHP mailer. The spammers normally POST data straight to the PHP
script so would be missing the session.
 
4. Check HTTP_REFERER values to ensure the data being posted to your PHP
script has come from your form.
 
5. Don't call your script contact.php or sendmail.php or the form
contact.htm. Spammers use automated systems to identify sites which have
these files present.
 

There are others discussed but the most effective seem to be a
combination of the above. We suggest using google groups and searching
for terms like "PHP mail spammer contact.php". A good resource is
available at:
http://securephp.damonkohler.com/index.php/Email_Injection
 
Again, we apologise for any inconvenience caused and trust you understand
why we have taken this course of action.
 
Kind Regards

----- End forwarded message -----
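The forwarded message's fix 2 strips known header names out of the input. A stricter version of the same idea, added here as an example and not part of the forwarded message, is to refuse any header-bound field that contains a line break at all, since the newline is what turns a form value into extra mail headers. It assumes the form posts fields named "email", "subject" and "comments", and uses a placeholder recipient address.

```php
<?php
// Added example: hardening a PHP contact script against mail header
// injection. Field names and the recipient address are assumptions.

function has_header_injection(string $value): bool
{
    // A CR or LF anywhere in a value that ends up in a header line lets the
    // submitter append their own headers (Bcc:, Cc:, Content-Type: ...).
    return (bool) preg_match('/[\r\n]/', $value);
}

function clean_email(string $value): ?string
{
    $value = trim($value);
    if (has_header_injection($value)) {
        return null;
    }
    // FILTER_VALIDATE_EMAIL rejects spaces, angle brackets and anything
    // after the address, so "victim@x.example Bcc: ..." never passes.
    $filtered = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $filtered === false ? null : $filtered;
}

function build_headers(string $from): ?string
{
    $from = clean_email($from);
    if ($from === null) {
        return null;
    }
    // Only fixed, server-controlled header names; the single user-supplied
    // value has already been validated to be a bare address.
    return "From: " . $from . "\r\n" . "Reply-To: " . $from . "\r\n";
}

$email    = $_POST['email'] ?? '';
$subject  = $_POST['subject'] ?? '';
$comments = $_POST['comments'] ?? '';

$headers = build_headers($email);
// Subject is the other header-bound field, so it gets the same check.
// The body may legitimately contain newlines and is passed through as is.
if ($headers === null || has_header_injection($subject)) {
    http_response_code(400);
    exit('Invalid submission.');
}

// Recipient is a placeholder; the real address is fixed in the script,
// never taken from the request.
mail('site-owner@example.invalid', substr($subject, 0, 200), $comments, $headers);
```

Rejecting the request outright, rather than silently stripping headers and sending anyway, also gives you a log line to count when a script is being probed.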