
PHP Server Side Scripting Forum

This 41 message thread spans 2 pages (page 2 of 2)
Combatting Webform hijack
wendystewart80
msg:1303808
1:20 pm on Jun 14, 2006 (gmt 0)

My webform has been hijacked. Any suggestions how to make this form secure?:

<?php
$org=$_POST['org'];
$address1=$_POST['address1'];
$address2=$_POST['address2'];
$address3=$_POST['address3'];
$city=$_POST['city'];
$pcode=$_POST['postcode'];
$region=$_POST['region'];
$tel=$_POST['tel'];
$fax=$_POST['fax'];
$email=$_POST['email'];
$web=$_POST['web'];
$name=$_POST['name'];
$image=$_POST['image'];
$projdesc=$_POST["projdesc"];
$cats1=$_POST['cats1'];
$rate1=$_POST["rate1"];
$cats2=$_POST['cats2'];
$rate2=$_POST["rate2"];
$cats3=$_POST['cats3'];
$rate3=$_POST["rate3"];
$cats4=$_POST['cats4'];
$rate4=$_POST["rate4"];
$cats5=$_POST['cats5'];
$rate5=$_POST["rate5"];

$min_age=$_POST['agefrom'];
$max_age=$_POST['ageto'];
$gptext=$_POST['pracbite'];
$gptitle=$_POST['practitle'];
// Note: $rate1 to $rate5 are assigned again below from the same POST fields
// as above, so the "Project Info" and "Practice Example" sections of the
// e-mail print the same rate values.
$gpc1=$_POST['gpc1'];
$rate1=$_POST["rate1"];
$gpc2=$_POST['gpc2'];
$rate2=$_POST["rate2"];
$gpc3=$_POST['gpc3'];
$rate3=$_POST["rate3"];
$gpc4=$_POST['gpc4'];
$rate4=$_POST["rate4"];
$gpc5=$_POST['gpc5'];
$rate5=$_POST["rate5"];
$praccontact=$_POST["praccontact"];

mail ("email address", "Practice Bite",
"New Practice Bite

Project Info:
Organisation: $org
Address: $address1
$address2
$address3
City: $city
Post code: $pcode
Region: $region
Tel: $tel
Fax: $fax
Email: $email
Web: $web
Contact Name: $name
Image: $image
Project Desc: $projdesc
C1: $cats1
R1: $rate1
C2: $cats2
R2: $rate2
C3: $cats3
R3: $rate3
C4: $cats4
R4: $rate4
C5: $cats5
R5: $rate5
Practice Example:
Min age: $min_age
Max age: $max_age
P Title: $gptitle
P Text: $gptext
P1: $gpc1
R1: $rate1
P2: $gpc2
R2: $rate2
P3: $gpc3
R3: $rate3
P4: $gpc4
R4: $rate4
P5: $gpc5
R5: $rate5
Contact Name: $praccontact"
);
echo ("<p>Your practice bite has been submitted.</p>
<p>Many thanks.</p>");
?>

 

isorg
msg:1303838
7:53 am on Jul 5, 2006 (gmt 0)

DewChugr,

if ($_POST['token']!= $_SESSION['token'])

If the mail script was called remotely i.e. NOT from the website the form was residing on, the $_POST['token'] would be an empty string, as well as $_SESSION['token']... so the IF statement would evaluate as true and would be allowed.

You should therefore add at the beginning:

if ($_POST['token']=="") exit; // who sent you here without a token?!?!

IanKelley
msg:1303839
10:31 pm on Jul 5, 2006 (gmt 0)

Someone was asking for a quick summary on how the problem could be avoided so...

The original poster complained of being "hijacked" so I assume that spammers were using their form mail script to send spam to other people.

To avoid this:

- Remove line breaks or ctype_print test everything that goes into the email header (TO, FROM, SUBJECT, etc.). preg and ereg will work but str_replace is faster.

- Run stripslashes on everything.

- The TO addy should of course never be assigned by your form.

That's it. The above will solve the problem 100%. Based on my experience with live sites at any rate. There could of course be other injection methods I'm missing but, if so, spammers aren't using them yet.

The other problem that people have mentioned (automated posting just to send you spam) can only be solved 100% with captcha. The javascript encoding method isn't a bad idea but it means that anyone with javascript turned off can't use your form. Also, it's not hard to teach a bot to read javascript encoded HTML.
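The header rules from the list above, applied to a cut-down version of the original poster's script. This is an added example, not code from the thread: the recipient and sender addresses are placeholders, the field names are illustrative, and the check uses ctype_print() and filter_var() as the page's own suggestions allow.

```php
<?php
// Added example: building the mail so that form input can never add a
// header line. Only the Reply-To address and a display name come from the
// form; the recipient and the subject are fixed in the script.

// True when the value contains no line break or other non-printable byte.
// A value that fails this test must not reach the header block, because a
// "\r\n" inside it would start a new header line of the sender's choosing.
function header_safe(string $value): bool
{
    return $value === '' || ctype_print($value);
}

// Fallback for free-text header values: collapse any line break so the
// value can only ever occupy the one header line it was meant for.
function strip_line_breaks(string $value): string
{
    return str_replace(["\r", "\n"], ' ', $value);
}

function send_practice_bite(array $post): bool
{
    // The TO address lives in the script and is never read from the form.
    $to = 'recipient@example.com'; // placeholder

    $email = trim($post['email'] ?? '');
    $name  = trim($post['name'] ?? '');

    // The reply address must be a single-line, syntactically valid address
    // or the submission is refused rather than repaired.
    if (!header_safe($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $name = strip_line_breaks($name);

    $subject = 'Practice Bite'; // fixed, not taken from the form

    // Body text is free text; line breaks there are harmless because mail()
    // separates the body from the headers itself.
    $body = "New Practice Bite\n\nContact Name: $name\nEmail: $email\n";

    $headers = "From: webform@example.com\r\n"   // placeholder sender
             . "Reply-To: $email\r\n";

    return mail($to, $subject, $body, $headers);
}

// Constructed probe: an address with an embedded line break must fail the
// header check before it gets anywhere near mail().
$probe = "user@example.com\r\nX-Extra: injected";
if (header_safe($probe)) {
    throw new RuntimeException('header_safe() should have rejected the probe');
}
```

Rejecting rather than cleaning the address is deliberate: a legitimate user never has a line break in their e-mail address, so a value that contains one is a signal worth logging, not something to quietly normalise.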

henry0
msg:1303840
11:36 am on Jul 6, 2006 (gmt 0)

The other problem that people have mentioned (automated posting just to send you spam) can only be solved 100% with captcha.

100% is no longer a rock solid statement.
I do not have any example but web rumors tell me that it has been broken.

Any proof around?

dreamcatcher
msg:1303841
12:09 pm on Jul 6, 2006 (gmt 0)

henry0, I've also heard rumours about the captcha not being as effective as it was, although from my own personal experience I've always found it pretty good.

Another easy solution and less server intense than the Captcha is to create a random simple sum and have people enter the total in a text box. I've found this to be very effective indeed.

dc
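The random-sum check dreamcatcher describes, as an added example (not dreamcatcher's code). The answer is kept server-side in the session and the client only sees the question, so the page source reveals nothing a script could read back. Function names, the session keys and the 15-minute expiry are assumptions.

```php
<?php
// Added example: a simple arithmetic challenge for a form. The expected
// answer never leaves the server; only the question is rendered.
session_start();

// Generate a question such as "What is 7 + 4?" and remember its answer.
function issue_sum_challenge(): string
{
    $a = random_int(1, 9);
    $b = random_int(1, 9);
    $_SESSION['sum_answer'] = $a + $b;
    $_SESSION['sum_issued'] = time();
    return "What is $a + $b?";
}

// Verify the submitted answer. The stored answer is cleared whether the
// check passes or fails, so a wrong guess cannot be retried against the
// same question and each question is usable once.
function sum_challenge_passed(array $post, array &$session, int $max_age = 900): bool
{
    $expected = $session['sum_answer'] ?? null;
    $issued   = $session['sum_issued'] ?? 0;
    unset($session['sum_answer'], $session['sum_issued']);

    if ($expected === null || time() - $issued > $max_age) {
        return false; // no question outstanding, or it has expired
    }
    $given = trim($post['sum'] ?? '');
    // Accept only a plain integer; "7.0", "seven" or an empty box must not pass.
    return ctype_digit($given) && (int) $given === $expected;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!sum_challenge_passed($_POST, $_SESSION)) {
        http_response_code(400);
        exit('Wrong answer, please try again.');
    }
    // ... handle the form ...
} else {
    $question = issue_sum_challenge();
    echo '<form method="post">'
       . '<label>' . htmlspecialchars($question, ENT_QUOTES, 'UTF-8')
       . ' <input type="text" name="sum" size="3"></label>'
       . '<input type="submit" value="Send">'
       . '</form>';
}
```

Because the answer is tied to the session and consumed on first use, this check also has to be combined with the header sanitising discussed earlier in the thread: it stops unattended posting, not a hand-crafted submission that passes the sum and still carries a line break in a header field.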

henry0
msg:1303842
12:13 pm on Jul 6, 2006 (gmt 0)

Funny, I never mentioned it;
this is exactly my own solution.

le_gber
msg:1303843
12:54 pm on Jul 6, 2006 (gmt 0)

dreamcatcher & henry0

I'm thinking of doing exactly that ... with a twist.

instead of 'just' having mathematical queries to answer, I am thinking of creating a table with around 150 questions / answers to 'validate' a form.

something varied so it cannot be easily bot-guessed, but easy enough for 'thick' people to know the answer - like:

  • what day is April Fools' Day
  • what animal is Mickey
  • if today was Monday, what day would tomorrow be
  • how many dwarves were there in Snow White ...

that's 4 already ;)

would that be a good way of doing things?

henry0
msg:1303844
1:07 pm on Jul 6, 2006 (gmt 0)

Depending on your target you can make it fit your customers/viewers profile
for ex: targeting home/garden: Is crab-grass a seafood or a grass nuisance?
If your users are very diversified it could be seen as an extra step

jatar_k
msg:1303845
3:00 pm on Jul 6, 2006 (gmt 0)

>> I've also heard rumours about the captcha not being as effective as it was, although from my own personal experience I've always found it pretty good.

yeah captcha will still do the job and yes it has been cracked, I believe I saw the code actually, was a while ago

bedlam
msg:1303846
5:37 pm on Jul 6, 2006 (gmt 0)

I do not have any example but web rumors tell me that it has been broken.

henry0, I've also heard rumours about the captcha not being as effective as it was, although from my own personal experience I've always found it pretty good.

yeah captcha will still do the job and yes it has been cracked

Captcha should just be one part of the defense:

Several groups have created programs that can pass many CAPTCHAs over 80% of the time.
Source [captcha.net] (see "Advancing AI")

Everyone considering the use of a captcha solution should also be aware of the accessibility problems [webmasterworld.com] they may cause.

-b

IanKelley
msg:1303847
10:45 pm on Jul 6, 2006 (gmt 0)

100% is no longer a rock solid statement.
I do not have any example but web rumors tell me that it (CAPTCHA) has been broken.

To clear up the misconception... CAPTCHA is not a thing, it's a blanket classification for a concept.

It's not possible to say "CAPTCHA has been broken!" Hehe.

Any system where you attempt to tell humans and computers apart by challenging them with some kind of interactive test is a CAPTCHA as long as it's entirely automated on your side.

Asking a math (or other type of) question is as much a CAPTCHA as distorted numbers and letters. There are endless varieties of CAPTCHA type tests.

As far as traditional image type CAPTCHAs go... The capability to write a program that can parse and interpret a graphic has been around since before the web. In that sense CAPTCHA was broken long before the acronym was coined.

If you're clever, you can write a program to break a single CAPTCHA scheme. However, that program will only break that one CAPTCHA scheme and it will have taken you a lot of time and effort to write it.

There is no program in existence that could spider the web and just break any CAPTCHA it found. There are just too many variations. The best you could do would be to create a program that can break some popular CAPTCHA implementation where a lot of webmasters have used the same code. If you were ambitious you could perhaps write something that would handle small variations (it might break all number/letter type CAPTCHAs where single color text on a single color background was used and the only obfuscation method involved warping).

Having accomplished this you would (maybe) pull off breaking 5% of the CAPTCHAs encountered, and that's probably way too high a number.

Someone posted about groups claiming to break "many" CAPTCHA systems with 80% success. What that means is that they have an app that can pass a very weak type of CAPTCHA implementation and even then still fails 20% of the time.

If a spammer did take the huge amount of time to write the above program, the weak CAPTCHA systems it was able to break would quickly change to something else and the spammer would be back to square one.

Basically, it's still safe to say that you can stop automated posting 100% with a creative CAPTCHA. :-)

justgowithit
msg:3002926
6:29 pm on Jul 11, 2006 (gmt 0)

Has anyone ever experimented with mod_rewrite (RewriteCond) to combat this issue?

I haven't played around with it yet but it would be like passing a security variable through $_GET (graphic, math question, etc. like mentioned) back to the posting page and using a mod_rewrite RewriteCond to validate the URL.

Throwing 404 errors would cause bots to drop the originating URL and you wouldn't bother visitors so much.
