
The FLORA Help Desk


Re: [Flora-help] [Fwd: Flaw in PHP scripts abused to send SPAM --please check scripts...]

From: Russell McOrmond <russell_-at-_flora.ca>
To: "FLORA.org helpdesk" <flora-help_-at-_list.flora.org>
Date: Mon, 13 Feb 2006 10:37:54 -0500
References: <43EFF891.70206@flora.ca> <43F07011.37192749@flora.org>

Rosaleen Dickson wrote:
> All this about PHP (below) is beyond my comprehension.
> I could ask, "what is PHP" but I really don't need to know.

   PHP is a scripting language that is used to do things like handle 
forms and access databases.   http://www.php.net

   It is what underlies things such as 
http://www.flora.org/ask-doctor/answers/  and some scripts you seem to 
be experimenting with under http://www.flora.org/granny/ (I see a few 
php scripts there).

> I do know that mail is occasionally sent out from "rosaleen@flora.org"
> that did not originate from me. This happens very seldom.
> The way I know is because I get a message telling me it wasn't sent.
> The first time that happened you told me to ignore it.  I did;
> and still do.

   It is something to ignore as there isn't anything we can do about it.

   There are things we can do something about, and we need to focus on 
them.   In the case of PHP scripts that send email, they have to be made 
safe from abuse.   This wasn't a problem in the past as there wasn't a 
lot of abuse, but this abuse is now huge.


   Peter Blanchard of http://planetfriendly.net  sent the following 
suggestion last night which I'll include here.  The idea is to check any 
variables you are going to include in the subject or headers to make 
sure they don't include any problem strings.

   There is a longer suggestion in the comments at 
http://ca.php.net/manual/en/ref.mail.php


-----cut---

Russell,

Below is the code I ended up writing in December for  this problem, with 
sources noted. Feel free to share or post to flora-help/flora-status, if 
appropriate. It  may also not be the ultimate/bullet-proof solution, 
although it seems to have stopped the hijacking at least for now.  (If 
you see any weaknesses in it, please let me know.)

            - Peter


# ---------------------------------------------------------
# PHP segment to prevent spammer-hijacking of forms & scripts
# ---------------------------------------------------------
# Purpose: rejects any form input that contains newline
# characters in the first, second and fourth mail() parameters
# (the recipient, the subject and the additional headers).
# Note: replace $to, $subject & $headers with the actual variable names
# from your script.
# Note: "testobob" is so you can test the script. You can remove those
# lines if you like.
# Note: modify the "die" message to suit your site.
# More information:
# http://www.anders.com/projects/sysadmin/formPostHijacking/
# http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay
# http://www.google.com/Top/Computers/Internet/Abuse/Spam/
# ---------------------------------------------------------

if ( ! (
stripos($to, "\n") === FALSE
and stripos($to, "\r") === FALSE
and stripos($to, "testobob") === FALSE
and stripos($subject, "\n") === FALSE
and stripos($subject, "\r") === FALSE
and stripos($subject, "testobob") === FALSE
and stripos($headers, "\n") === FALSE
and stripos($headers, "\r") === FALSE
and stripos($headers, "testobob") === FALSE
)) {
   die("<p><font face=\"Arial\">A problem has occurred.
<br><br>Please <a href=\"http://www.MYSITE.COM/contact.html\">contact
us</a>
by e-mail or phone instead (and please let us know of the difficulty).
<br><br>Or click the <i>Back</i> button to try again.</font></p>");
}

# ---------------------------------------------------------

# corresponding mail() call goes here (or further down in the script)
# ....


-- 
  Russell McOrmond, Internet Consultant: <http://www.flora.ca/>
  2415+ Canadians oppose Bill C-60 which protects antiquated Recording,
  Movie and "software manufacturing" industries from modernization.
  http://KillBillC60.ca    Sign--> http://digital-copyright.ca/petition/
_______________________________________________
Flora-help mailing list
Flora-help@list.flora.org
http://list.flora.org/mailman/listinfo/flora-help
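The following is an added example and not Peter Blanchard's code from the message above, nor anything from flora.org or planetfriendly.net. It shows, in PHP, the failure mode the message describes (a form field carrying a line break becomes an extra mail() header, so the form turns into a spam relay) next to the check that blocks it. The function names, the form field names and the sample submission are assumptions made for the example; the recipient address is fixed in the script rather than taken from the form, which is itself part of the fix.

```php
<?php
// Added example, not code from the flora-help message above.
// Names (mail_param_is_safe, build_headers, send_contact_mail) and the
// $_POST field names are assumptions for this illustration.

// A value headed for a mail() header field is safe only if it contains no
// carriage return, line feed or NUL byte: CR/LF lets the sender start a new
// header line (for example "Bcc: ...") and NUL can truncate the header.
function mail_param_is_safe(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

// The header block that would be passed as the fourth mail() parameter.
function build_headers(string $name, string $from): string
{
    return "From: " . $name . " <" . $from . ">\r\n"
         . "Reply-To: " . $from . "\r\n";
}

// Returns the header block that mail() would be given, or 'rejected'
// when $harden is true and a field fails the check.  The real script
// would call mail($to, $subject, $body, $headers) instead of returning.
function send_contact_mail(array $post, bool $harden): string
{
    $to      = 'webmaster@example.com';     // fixed recipient, never from the form
    $subject = $post['subject'] ?? '';
    $from    = $post['email']   ?? '';
    $name    = $post['name']    ?? '';

    if ($harden) {
        // Every user-supplied value that reaches the recipient, subject
        // or headers is checked; the message body is not a header.
        foreach ([$subject, $from, $name] as $field) {
            if (!mail_param_is_safe($field)) {
                return 'rejected';
            }
        }
    }
    return build_headers($name, $from);
}

// Constructed sample submission: the email field carries a CRLF followed by
// a Bcc: header, the form-post hijacking the message above is about.
$hijack = [
    'name'    => 'Anyone',
    'email'   => "anyone@example.net\r\nBcc: victim1@example.org, victim2@example.org",
    'subject' => 'Hello',
    'message' => 'unsolicited text',
];

echo "--- unhardened: headers mail() would receive ---\n";
echo send_contact_mail($hijack, false);
// The "Bcc:" text now stands as a header line of its own, so the mail goes
// to the two extra addresses as well as to $to.

echo "--- hardened ---\n";
echo send_contact_mail($hijack, true), "\n";
```

Run it with `php contact.php` (any file name); the unhardened output shows the injected `Bcc:` line as a separate header, the hardened run prints `rejected`. For the address field specifically, `filter_var($from, FILTER_VALIDATE_EMAIL)` is a stricter check that also refuses line breaks, and it can be used alongside the CR/LF test rather than instead of it, since the subject and name fields are not addresses.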
