mailsend.php


bmartin
02-12-2007, 07:36 PM
I was told that our script mailsend.php was harvested and is automatically sending SPAM e-mails spoofing our email domain. We have been shut down by our ISP because of this - although we're back up now.
Is this possible? The submit form has been in place for years.
If it is a possibility - how do I fix it to prevent it from happening again?
B-

davidj
02-12-2007, 08:06 PM
post the code of your mail script

bmartin
02-12-2007, 08:17 PM
<?php
// $subject, $realname, $email, $redirect and $formdata are filled from the
// request by the old register_globals behaviour, so all of them are under
// the sender's control.

if (!$subject){
    $subject="Email from ".$SERVER_NAME.$SCRIPT_NAME;
}

if (!$realname){
    $realname="Web User";
}

if (!$email){
    $email="php@lsw.com";
}

if (!$redirect){
    $redirect="http://".$SERVER_NAME;
}

// $realname and $email go into the header block without any check for CR/LF
$mailheaders="From: \"$realname\" <$email>\r\n";
$mailheaders.="Reply-To: $email\r\n\r\n";

if (!$formdata){
    $mailbody="No Form Data\r\n";
} else {
    $mailbody=stripslashes($subject).":\r\n\r\n";
    // $formdata is a space-separated list of field names; each name is
    // turned into PHP source and run through eval()
    $newformdata=explode(" ", $formdata);
    for ($Loop=0; $Loop<count($newformdata); $Loop++){
        eval("\$newdata=\$".$newformdata[$Loop].";");
        $mailbody.=$newformdata[$Loop].":\t $newdata \r\n";
    }
}

// the recipient list also comes from the form, written as user*host^com
$newRecipients=explode(" ", $_POST["recipient"]);
for ($Loop=0; $Loop<count($newRecipients); $Loop++){
    $newRecipients[$Loop]=str_replace("*", "@", $newRecipients[$Loop]);
    $newRecipients[$Loop]=str_replace("^", ".", $newRecipients[$Loop]);
    if ($newRecipients[$Loop]){
        $mailsent=mail($newRecipients[$Loop], stripslashes($subject), stripslashes($mailbody), stripslashes($mailheaders));
    } else {
        $mailsent=$mailsent & false;
    }
}

if ($mailsent){
    Header("Location: $redirect");
} else {
    print ("<html><head><title>Error Sending Mail</title></head><body>Error Sending Mail</body></html>");
}

?>

davidj
02-12-2007, 09:29 PM
you have been attacked using a mail header injection

your script is poorly written and contains a lot of \r\n before they are needed

this could be used as a weak point of attack.

you need to rethink this script and then check each form field $var for the following \r\n


$from = $_POST["sender"];
$from = urldecode($from);
// refuse the request if the field contains a carriage return or line feed
// (eregi() was removed in PHP 7; preg_match() does the same test)
if (preg_match('/[\r\n]/', $from)) {
    die("Why ?? :(");
}


if any are found before you commit the mail(), then the mail will fail
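
As an added example, not code from any post in this thread: a hardened rewrite of the posted mailsend.php that applies davidj's CR/LF check to every header-bound field, fixes the recipient list and From address server-side, and drops the eval() and the form-supplied redirect. The field names, addresses and thank-you page path are assumptions.

```php
<?php
// Added example, not code from any post in this thread. Assumed form fields:
// realname, email, subject, message. Addresses and paths are placeholders.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') { http_response_code(405); exit; }
// Recipients and the From address are fixed server-side, never read from the
// form, so the script cannot relay mail to addresses the client chooses.
const MAIL_RECIPIENTS = ['webmaster@example.com'];
const MAIL_FROM       = 'php@example.com';
const THANKS_PAGE     = '/thanks.html';

// CR/LF in a header value lets the client append headers of its own (Bcc:, To:).
function has_header_injection(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Header-bound fields: single line, length-capped, no CR/LF.
function header_field(string $name, string $default = ''): string
{
    $value = trim((string) ($_POST[$name] ?? ''));
    if (strlen($value) > 200 || has_header_injection($value)) {
        http_response_code(400);
        exit('Invalid form input');
    }
    return $value === '' ? $default : $value;
}

$realname = header_field('realname', 'Web User');
$email    = header_field('email');
if ($email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(400);
    exit('Invalid e-mail address');
}
$subject = header_field('subject', 'Email from ' . $_SERVER['SERVER_NAME']);

// From: is our own address; the visitor's address is only offered as Reply-To.
$headers  = 'From: "Web Form" <' . MAIL_FROM . ">\r\n";
$headers .= 'Reply-To: "' . str_replace('"', '', $realname) . '" <' . ($email ?: MAIL_FROM) . ">\r\n";

// Body fields are listed explicitly; nothing from the client is passed to eval().
$message = substr(trim((string) ($_POST['message'] ?? '')), 0, 4000);
$body    = "Name:\t$realname\r\nEmail:\t$email\r\nMessage:\r\n$message\r\n";

$sent = true;
foreach (MAIL_RECIPIENTS as $to) {
    $sent = mail($to, $subject, $body, $headers) && $sent;
}
if ($sent) { header('Location: ' . THANKS_PAGE); exit; }  // fixed target, not from the form
http_response_code(500);
echo 'Error Sending Mail';
```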

davidj
02-12-2007, 09:33 PM
some good reading

http://www.securephpwiki.com/index.php/Email_Injection

fwr1000
02-12-2007, 10:02 PM
Does the script by Ramandeep in his tut prevent the injections?

Fred

davidj
02-12-2007, 10:13 PM
no

you need to validate the input

Ram's script is just a basic startup and go script

bmartin
02-13-2007, 12:48 PM
OK - I'm sort of confused. I'm new at this and struggling just to get by.

I found a tutorial on how to filter user input on my .php forms. I copied, pasted and changed the fields that I needed to. The form works, but I don't really understand where the mailsend comes into play, because I didn't change anything in that file.

Sorry - but maybe I need a beginner tutorial...

domedia
02-13-2007, 02:25 PM
If you understand PHP, use davidj's link above to learn more about the PHP mail function. If you don't know PHP or the email protocol, you should start reading up on this asap. There's plenty of tutorials on this online. Davidj has made a very nice beginner series on http://www.dreamweaverclub.com/vtm/
If your form is still used for spam, find someone to fix it for you, like a local web dev guy.

kona72
02-13-2007, 03:28 PM
hey Guys....

Maybe a dumb question... but after reading this post I got to wondering. Is there any way to tell if a form has been hijacked using email injection, besides the obvious one of having your host shut you down?

davidj
02-13-2007, 03:44 PM
you might get some weird emails from the form with test data when the hacker or bot tests the script for holes

best bet is to validate all input before sending or failing rather than wait to be hacked

proactive rather than reactive