Hi,
On Mon, 2005-09-12 at 11:33 +0200, Michael Holzt wrote:
> Automated mass abuse of form mailers
[...]
> It is therefore advised to check the relevant data fields for newlines
> inserted and deny sending the mail if any are found. For example the
> vulnerable script shown above could be added by a check like this:
>
> | if ( eregi("\n",$_POST["email"]) || eregi("\r",$_POST["email"]) )
> | {
> | header("HTTP/1.0 403 Forbidden");
> | die("Spam attempt denied");
> | }
>
I am blocking these attempts using the following POC in PHP: (it's not
too nice but it works) It uses an unique ID stored in the session for
input validation.
<?php
$displayForm = true;
if( !isset( $_POST['submit'] ) ) {
if( !isset( $_SESSION['form'])) {
// set an unique id in the session
$_SESSION['form'] = md5(uniqid(time()));
}
} else {
// compare the submitted id and the id stored in the session;
// if they are not equal it was probably a scripted attempt
// to abuse the email form
if( $_POST['text']!='' && $_POST['id']==$_SESSION['form']) {
$text = "{$_POST['name']} ({$_POST['email']}) wrote:\n";
$text .= $_POST['text'];
// optional: do more checking
mail('[EMAIL PROTECTED]', 'Contact form', $text);
echo "Thank you!";
$displayForm = false;
}
}
if( $displayForm ) {
?>
<form method="post">
<input type="hidden" name="id" value="<?php echo
$_SESSION['form'];?>" />
[...more form code]
<input type="submit" name="submit" />
</form>
<?php
}
?>
Matthias
--
Matthias Kestenholz
http://blog.irregular.ch/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
