[Flora-help] [Fwd: Flaw in PHP scripts abused to send SPAM -- please check scripts...]
Russell McOrmond
2006-02-13 03:11:05 UTC
If any FLORA.org people have PHP scripts they should check them for
this problem. If you aren't certain what this is about, and possibly
have a PHP form that sends email, then please ask here for details.

Unlike the AOL problem this is a situation where SPAM is being
generated by our servers because of bugs in PHP scripts.

-------- Original Message --------
Subject: Flaw in PHP scripts abused to send SPAM -- please check scripts...
Date: Sun, 12 Feb 2006 22:02:06 -0500
From: Russell McOrmond <***@flora.ca>
To: Status List <***@list.flora.ca>


The SPAM companies have found a way to abuse broken PHP scripts to
send their SPAM. The mail() function takes parameters which need to be
checked for return or other invalid characters if they come from (or are
built from) external variables (Post/get/etc).

http://ca3.php.net/manual/en/ref.mail.php

You *must* assume that any information received from the network is
suspect and check for things such as this. It doesn't matter what
limits you put on your forms (silly Javascript bounds checking) as they
don't need to use your forms in order to submit data to your PHP scripts.


I have disabled the mail() function on a number of virtual servers
that had broken scripts by changing the sendmail config as follows:

php_admin_value sendmail_path "/bin/true"
--
Russell McOrmond, Internet Consultant: <http://www.flora.ca/>
2415+ Canadians oppose Bill C-60 which protects antiquated Recording,
Movie and "software manufacturing" industries from modernization.
http://KillBillC60.ca Sign--> http://digital-copyright.ca/petition/
_______________________________________________
Status mailing list
***@list.flora.ca
http://list.flora.ca/mailman/listinfo/status
Rosaleen Dickson
2006-02-13 11:40:24 UTC
All this about PHP (below) is beyond my compression.
I could ask, "what is PHP" but I really don't need to know.

I do know that mail is occasionally sent out from "***@flora.org"
that did not originate from me. This happens very seldom.
The way I know is because I get a message telling me it wasn't sent.
The first time that happened you told me to ignore it. I did;
and still do.
Cheers,
Rosaleen
Post by Russell McOrmond
If any FLORA.org people have PHP scripts they should check them for
this problem. If you aren't certain what this is about, and possibly
have a PHP form that sends email, then please ask here for details.
Unlike the AOL problem this is a situation where SPAM is being
generated by our servers because of bugs in PHP scripts.
-------- Original Message --------
Subject: Flaw in PHP scripts abused to send SPAM -- please check scripts...
Date: Sun, 12 Feb 2006 22:02:06 -0500
The SPAM companies have found a way to abuse broken PHP scripts to
send their SPAM. The mail() function takes parameters which need to be
checked for return or other invalid characters if they come from (or are
built from) external variables (Post/get/etc).
http://ca3.php.net/manual/en/ref.mail.php
You *must* assume that any information received from the network is
suspect and check for things such as this. It doesn't matter what
limits you put on your forms (silly Javascript bounds checking) as they
don't need to use your forms in order to submit data to your PHP scripts.
I have disabled the mail() function on a number of virtual servers
that had broken scripts by changing the sendmail config as follows:
php_admin_value sendmail_path "/bin/true"
_______________________________________________
Flora-help mailing list
http://list.flora.org/mailman/listinfo/flora-help
Russell McOrmond
2006-02-13 15:39:23 UTC
Post by Rosaleen Dickson
All this about PHP (below) is beyond my compression.
I could ask, "what is PHP" but I really don't need to know.
PHP is a scripting language that is used to do things like handle
forms and access databases. http://www.php.net

It is what underlies things such as
http://www.flora.org/ask-doctor/answers/ and some scripts you seem to
be experimenting with under http://www.flora.org/granny/ (I see a few
php scripts there).
Post by Rosaleen Dickson
I do know that mail is occasionally sent out from "***@flora.org"
that did not originate from me. This happens very seldom.
The way I know is because I get a message telling me it wasn't sent.
The first time that happened you told me to ignore it. I did;
and still do.
It is something to ignore as there isn't anything we can do about it.

There are things we can do something about, and we need to focus on
them. In the case of PHP scripts that send email, they have to be made
safe from abuse. This wasn't a problem in the past as there wasn't a
lot of abuse, but this abuse is now huge.


Peter Blanchard of http://planetfriendly.net sent the following
suggestion last night which I'll include here. The idea is to check any
variables you are going to include in the subject or headers to make
sure they don't include any problem strings.

There is a longer suggestion in the comments at
http://ca.php.net/manual/en/ref.mail.php


-----cut---

Russell,

Below is the code I ended up writing in December for this problem, with
sources noted. Feel free to share or post to flora-help/flora-status, if
appropriate. It may also not be the ultimate/bullet-proof solution,
although it seems to have stopped the hijacking at least for now. (If
you see any weaknesses in it, please let me know.)

- Peter


# ---------------------------------------------------------
# PHP segment to prevent spammer-hijacking of forms & scripts
# ---------------------------------------------------------
# Purpose: rejects any form input that contains newline
# characters in the first, second and fourth mail() parameters.
# Note: replace $to, $subject & $headers with the actual variable names
# from your script
# Note: "testobob" is so you can test the script. You can remove those
# lines if you like.
# Note: modify the "die" message to suit your site.
# More information:
# http://www.anders.com/projects/sysadmin/formPostHijacking/
# http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay
# http://www.google.com/Top/Computers/Internet/Abuse/Spam/
# ---------------------------------------------------------

if ( ! (
    stripos($to, "\n") === FALSE
    and stripos($to, "\r") === FALSE
    and stripos($to, "testobob") === FALSE
    and stripos($subject, "\n") === FALSE
    and stripos($subject, "\r") === FALSE
    and stripos($subject, "testobob") === FALSE
    and stripos($headers, "\n") === FALSE
    and stripos($headers, "\r") === FALSE
    and stripos($headers, "testobob") === FALSE
)) {
    die("<p><font face=\"Arial\">A problem has occurred.
    <br><br>Please <a href=\"http://www.MYSITE.COM/contact.html\">contact us</a>
    by e-mail or phone instead (and please let us know of the difficulty).
    <br><br>Or click the <i>Back</i> button to try again.</font></p>");
}

# ---------------------------------------------------------

# corresponding mail() call goes here (or further down in the script)
# ....
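The thread makes two points: Russell's, that nothing arriving from the network can be trusted regardless of what the HTML form allows, and Peter's, that any value headed for a mail() parameter must be refused if it carries a line break. The following handler is an added example written for this page; it is not code from the thread, from Peter Blanchard or from flora.org. It goes one step further than Peter's check: visitor input never reaches the headers at all. The field names, $site_from, $site_to and the sample submissions are assumptions constructed for the example (PHP 7 or later).

```php
<?php
// Added example, not code from the thread or from flora.org: a contact-form
// handler that keeps visitor input out of mail() headers and rejects any
// value that tries to smuggle a line break. Field names, $site_from,
// $site_to and the sample inputs are assumptions. Requires PHP 7+.

// Return the name of the first header-bound field that contains a CR, LF
// or NUL byte (or their URL-encoded forms), or null if all are clean.
function find_injected_field(array $fields): ?string
{
    foreach ($fields as $name => $value) {
        // Arrays (field[]=x) or other non-strings never belong in a header.
        if (!is_string($value)) {
            return $name;
        }
        if (preg_match('/[\r\n\0]|%0[aAdD]/', $value) === 1) {
            return $name;
        }
    }
    return null;
}

// Build the four mail() arguments. Recipient and From: are fixed by the
// site; the visitor's address reaches Reply-To only after validation, and
// everything else goes into the body, where a newline is harmless.
function build_message(array $post, string $site_from, string $site_to): ?array
{
    $name    = $post['name']    ?? '';
    $email   = $post['email']   ?? '';
    $subject = $post['subject'] ?? '';
    $message = $post['message'] ?? '';

    $bad = find_injected_field(['name' => $name, 'email' => $email, 'subject' => $subject]);
    if ($bad !== null || !is_string($message)) {
        return null;
    }
    $email = filter_var($email, FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return null;
    }

    return [
        'to'      => $site_to,
        'subject' => 'Contact form: ' . substr($subject, 0, 100),
        'body'    => "Name: $name\nE-mail: $email\n\n$message",
        'headers' => "From: $site_from\r\nReply-To: $email\r\n"
                   . "Content-Type: text/plain; charset=UTF-8",
    ];
}

// Constructed sample submissions: one honest, one carrying a line break in
// the subject, which is the pattern the hijacking attempts above rely on.
$honest = ['name' => 'Jane Doe', 'email' => 'jane@example.invalid',
           'subject' => 'Hours', 'message' => "Are you open\non Sundays?"];
$hijack = ['name' => 'x', 'email' => 'x@example.invalid',
           'subject' => "Hi\r\nX-Injected: yes", 'message' => 'x'];

foreach (['honest' => $honest, 'hijack' => $hijack] as $label => $post) {
    $m = build_message($post, 'webform@example.invalid', 'owner@example.invalid');
    if ($m === null) {
        echo "$label: rejected\n";
        continue;
    }
    // mail() is reached only with headers the site itself assembled.
    mail($m['to'], $m['subject'], $m['body'], $m['headers']);
    echo "$label: sent\n";
}
```

Run on the two constructed inputs, the honest submission is sent and the one with the embedded line break is rejected before mail() is called. The check on the server is what matters: as Russell notes, a sender can post directly to the script, so the form's own JavaScript limits count for nothing. Keeping the recipient and From: fixed in the script also means that even a value which slips past the regular expression cannot redirect the message, which is the weakness Peter's check alone still leaves open if a script later builds $headers from a new field.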