[nycphp-talk] worm/virus's hammering feedback scripts?
David Mintz
dmintz at davidmintz.org
Mon Sep 12 14:24:07 EDT 2005
I am a little confused about how my contact.php has been abused, or
whether the attack actually succeeded or just annoyed me.
There are fields for contact data such as phone number etc but these are
validated and then end up as part of the message body.
The To (site owner, and me) and Subject headers are hard-coded. The
user-supplied email goes into Reply-to header as a convenience to the
ultimate human receiver. However, that email is validated against this
regex by HTML_QuickForm:
/^((\"[^\"\f\n\r\t\v\b]+\")|([\w\!\#\$\%\&\'\*\+\-\~\/\^\`\|\{\}]+(\.[\w\!\#\$\%\&\'\*\+\-\~\/\^\`\|\{\}]+)*))@((\[(((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9])))\])|(((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9]))\.((25[0-5])|(2[0-4][0-9])|([0-1]?[0-9]?[0-9])))|((([A-Za-z0-9\-])+\.)+[A-Za-z\-]+))$/
It isn't optimized for readability but I really don't think you can slip
newlines and "\r\nCc: whatever at example.org" and 'Content-type:...' in
there. Messages come to me like the following (site domain name changed
for discretion's sake). It looks like the nasty part only made it into the
message body. Does this nevertheless mean the mail function actually sent
mail to the now famous jrubin3546 at aol.com?
Date: 11 Sep 2005 16:55:58 -0000
From: webmaster at example.org
Reply-To: jkbfi at example.org
To: site-owner at example.org, dmintz at davidmintz.org
Subject: EXAMPLE Mailing List
The following request to be added to the EXAMPLE mailing list was
submitted via EXAMPLE.org on 11-Sep-2005 at 12:55 pm
jkbfi at example.org, jkbfi at example.org jkbfi at example.org
Content-Type: multipart/mixed; boundary="===============2144621942=="
MIME-Version: 1.0
Subject: a29babd0
To: jkbfi at example.org
bcc: jrubin3546 at aol.com
From: jkbfi at example.org
This is a multi-part message in MIME format.
--===============2144621942==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
bsmiaujtd
--===============2144621942==--
jkbfi at example.org
jkbfi at example.org
jkbfi at example.org
jkbfi at example.org
jkbfi at example.org, jkbfi at example.org jkbfi at example.org
Business phone jkbfi at example.org
Business fax jkbfi at example.org
Cellular jkbfi at example.org
Home phone jkbfi at example.org
Email jkbfi at example.org
[end example]
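The archived message above, modelled as an added example (this is not code from the original post or from contact.php): it assembles the mail the way a PHP mail() call with hard-coded To/Subject and a user-supplied Reply-To would, parses the result as an MTA would, and reports where the bot's "bcc:" line actually ended up. The field labels, the exact layout of the script and the use of Python's email module are assumptions; the CR/LF check on Reply-To is the kind of hardening the thread refers to.

```python
import email

# Constructed sample, modelled on the archived message: the bot filled a form
# field with an address followed by CRLF-separated bogus header lines.
INJECTED_FIELD = (
    "jkbfi@example.org, jkbfi@example.org jkbfi@example.org\r\n"
    'Content-Type: multipart/mixed; boundary="===============2144621942=="\r\n'
    "MIME-Version: 1.0\r\n"
    "Subject: a29babd0\r\n"
    "To: jkbfi@example.org\r\n"
    "bcc: jrubin3546@aol.com\r\n"
    "From: jkbfi@example.org\r\n"
    "\r\n"
    "This is a multi-part message in MIME format.\r\n"
)


def has_header_injection(value: str) -> bool:
    """A value bound for a header may not contain CR or LF: one line break is
    enough to start a new header line or to terminate the header block."""
    return "\r" in value or "\n" in value


def build_message(reply_to: str, form_fields: dict) -> str:
    """Assemble the mail the way a contact.php mail() call would (assumed
    layout): fixed From/To/Subject, user-supplied Reply-To, blank line, then
    each form field in the body. Reply-To is the only user-controlled header."""
    if has_header_injection(reply_to):
        raise ValueError("line break in Reply-To; refusing to send")
    headers = (
        "From: webmaster@example.org\r\n"
        f"Reply-To: {reply_to}\r\n"
        "To: site-owner@example.org, dmintz@davidmintz.org\r\n"
        "Subject: EXAMPLE Mailing List\r\n"
    )
    body = "".join(f"{label} {value}\r\n" for label, value in form_fields.items())
    return headers + "\r\n" + body


def delivery_view(raw: str) -> dict:
    """Parse the assembled mail as an MTA would and report what sits in the
    header block versus the body; only the header block decides recipients."""
    msg = email.message_from_string(raw)
    return {
        "to": msg.get_all("To"),
        "bcc": msg.get_all("Bcc"),  # None: no Bcc header reached the MTA
        "reply_to": msg["Reply-To"],
        "bcc_in_body": "bcc: jrubin3546@aol.com" in msg.get_payload(),
    }
```

Because the injected lines follow the blank line that closes the header block, the parser (like the MTA) treats them as body text, so no Bcc header exists and nothing goes to the aol.com address; the same payload placed in Reply-To is rejected before anything is sent.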
Meanwhile I have hardened this script along the lines suggested by Hans Z
et al and started logging the state of the input after validation on every
invocation of the script, and these logs show that the bot is being
thwarted and the script is exiting harmlessly, so thank you very much.
I think it's time to propose some white-list style regexps instead of
trying to filter out the evil stuff (thanks Shiflett). For example, would
you agree that a proper name (of a person) in most any Western
European language ought to pass this test?
function checkProperName($name) {
    // Whitelist: ASCII letters, Latin-1 accented letters (bytes 0xC0-0xFF),
    // space, period, comma, apostrophe and hyphen; any other byte fails.
    // preg_match() returns false on error, so test for 0 matches explicitly.
    return preg_match("/[^a-zA-Z\xC0-\xFF .,'-]/", $name) === 0;
}
---
David Mintz
http://davidmintz.org/