[nycphp-talk] worm/virus's hammering feedback scripts?

Daniel Krook krook at us.ibm.com
Mon Sep 12 09:32:02 EDT 2005


> It's a particularly ingenuous method of taking advantage 
> of primarily the MIME standard.  I typically look for the 
> string 'Content-Type:' in any submitted fields, and if 
> it's found, the script records the IP and notifies me.

This is important: I found injections in ALL my fields, not just the 
obvious textarea fields.  Hidden and regular text boxes have been used as 
well, since this attack is automated and doesn't function as a normal 
browser would.


> Since it's my understanding that the exploitation can't 
> happen without the use of Content-Type: (the MIME header 
> that dictates part of a message's structure), something 
> like this has worked well:
> 
> foreach( $form_fields as $value )
> {
>   if( stripos($value,'Content-Type:') !== FALSE )
>   {
>     mail('admin at my.com','Spam Attempt',$_SERVER['REMOTE_ADDR']);
>     exit("{$_SERVER['REMOTE_ADDR']} Has been Recorded");
>   }
> }
> 

A PHP4 version of the above looks something like this, and seems to work:

// PHP4 has no stripos(), so lower-case the field before the search
if (strpos(strtolower($someField), 'content-type:') !== false) {
        // record the source of the attempt instead of relaying it
        mail('admin at example.net', 'Spam attempt from example.net', $_SERVER['REMOTE_ADDR']);
} else {
        mail('customerservice at example.net', 'Customer submission from example.net', $msg, $headers);
}


> Of course complete input filtering might be the better 
> solution to this.

Agreed.




Daniel Krook, Advisory IT Specialist 
Application Development, Production Services - Tools, ibm.com

Personal: http://info.krook.org/
BluePages: http://bluepages.redirect.webahead.ibm.com/
BlogPages: http://blogpages.redirect.webahead.ibm.com/
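A fuller version of the "complete input filtering" the thread ends on, as an added example that is not code from any of the original posts. It assumes PHP 5.2 or later and a contact form with the hypothetical field names name, email, subject, message and a hidden field ref. It scans every submitted field, hidden inputs included, as Daniel's reply recommends; rejects CR or LF in any value bound for a mail header; and, as a generalization of the thread's single 'Content-Type:' check, rejects any header name that starts a line inside a field. User text only ever reaches the message body, never the header string.

```php
<?php
// Added example, not code from the original thread. Assumes PHP 5.2+ and a
// form with hypothetical field names: name, email, subject, message, plus a
// hidden field "ref". Adjust $HEADER_FIELDS to match your own form.

// Fields whose values end up in mail headers (From:, Reply-To:, Subject:).
// They must be single-line, so any CR or LF in them is an injection attempt.
$HEADER_FIELDS = array('name', 'email', 'subject');

// The thread checks for 'Content-Type:' anywhere. Injected header blocks can
// carry other headers too, so also reject any header name that starts a line.
$HEADER_LINE_RE = '/^[ \t]*(?:content-type|mime-version|content-transfer-encoding|bcc|cc|to|from):/im';

// Scan every field (hidden inputs included, since the automated submissions
// the reply describes fill whatever fields the form exposes). Returns the
// name of the first suspicious field, or null when the submission is clean.
function find_header_injection(array $fields, array $header_fields, $header_line_re)
{
    foreach ($fields as $name => $value) {
        if (is_array($value)) {
            // e.g. <input name="extra[]">: recurse so nothing is skipped
            $hit = find_header_injection($value, array(), $header_line_re);
            if ($hit !== null) {
                return $name . '[' . $hit . ']';
            }
            continue;
        }
        $value = (string) $value;
        if (in_array($name, $header_fields, true) && preg_match('/[\r\n]/', $value)) {
            return $name;
        }
        if (stripos($value, 'content-type:') !== false || preg_match($header_line_re, $value)) {
            return $name;
        }
    }
    return null;
}

// Build the notification so that only validated, single-line values reach
// headers and the free-text message is confined to the body. Returns
// array(subject, body, headers), or null if the address is not valid.
function build_mail(array $fields)
{
    $email = filter_var(trim($fields['email']), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return null;
    }
    $subject = substr(trim($fields['subject']), 0, 120);
    $body    = "Name: " . $fields['name'] . "\nEmail: " . $email . "\n\n" . $fields['message'];
    $headers = "From: webform@example.net\r\nReply-To: " . $email;
    return array('subject' => $subject, 'body' => $body, 'headers' => $headers);
}

// --- constructed demo submissions (stand-ins for $_POST, not real traffic) ---
$legit = array(
    'name'    => 'Jane Doe',
    'email'   => 'jane@example.org',
    'subject' => 'Question about the meetup',
    'message' => "Hi,\nwhen is the next meeting?",
    'ref'     => 'homepage',   // hidden field
);
$injected = $legit;
// The injection lands in the hidden field, as the reply observed, not the textarea.
$injected['ref'] = "homepage\r\nContent-Type: multipart/mixed; boundary=\"x\"";

$remote = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'cli';
foreach (array('legit' => $legit, 'injected' => $injected) as $label => $submission) {
    $bad = find_header_injection($submission, $HEADER_FIELDS, $HEADER_LINE_RE);
    if ($bad !== null) {
        // Same response as the thread's handler: log the source, send nothing.
        error_log("header injection attempt from $remote in field '$bad'");
        echo "$label: rejected (field '$bad')\n";
        continue;
    }
    $mail = build_mail($submission);
    if ($mail === null) {
        echo "$label: rejected (bad e-mail address)\n";
        continue;
    }
    // In the real handler this is where mail('customerservice@example.net', ...) goes.
    echo "$label: ok, subject '{$mail['subject']}'\n";
}
```

Run it from the command line with php; in the real handler pass $_POST in place of the constructed arrays. Two design notes: the line-start rule can trip on a message whose line legitimately begins with "to:" or "from:", so loosen the regex if that matters for your audience; and the script logs an attempt rather than mailing one, because a worm hammering the form would otherwise turn the thread's "Spam Attempt" notification into a second flood aimed at the admin mailbox.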