PHP Server Side Scripting Forum

Weird Form Responses: Is This a Security Risk?
claimsweb (10+ Year Member)
Msg#: 3207828 posted 12:02 pm on Jan 4, 2007 (gmt 0)

I use PHP feedback forms on my sites - they are info-based and not blog-related.

They are well packaged and supposedly very secure, with various elements in place to reduce exposure to things such as injection, viruses, etc.

In the last month I have noticed a couple of enquiries coming in that are obvious spam, but the coding is so weird that it suggests something more sinister than an automated link drop.

I've received a few today with the following quoted in the comments box:

You did this great job here!
chsbs.example.edu/iopa/_disc1/00000189.ht
m?cialis
cialis [chsbs.]
href=\"http://www.chsbs. example.edu/iopa/_disc1/0000
0189.htm?cialis\">cialis

Can anyone confirm whether these forms are just misdirected link spam aimed at blog comment software, or something more worrying?

Is there any mechanism through which a hacker can cause damage to your site or even hijack it through the PHP response form?

Any advice much appreciated

[edited by: jatar_k at 2:46 pm (utc) on Jan. 4, 2007]
[edit reason] examplified url [/edit]

 

cmarshall (WebmasterWorld Senior Member, 5+ Year Member)
Msg#: 3207828 posted 12:53 pm on Jan 4, 2007 (gmt 0)

Looks like classic link spam. Those are just complex URIs. Nothing too sinister (for spam).

barns101 (5+ Year Member)
Msg#: 3207828 posted 1:55 pm on Jan 4, 2007 (gmt 0)

Nothing to worry about. I used to get similar emails, but now I filter out any email with "<a href=" or "[url=" in it.

alfaguru (5+ Year Member)
Msg#: 3207828 posted 2:53 pm on Jan 4, 2007 (gmt 0)

"Is there any mechanism through which a hacker can cause damage to your site or even hijack it through the PHP response form?"

Not with this sort of spam, but you ought to be aware of the potential security holes that exist. You should make sure that the PHP option register_globals is off and that your script does not require it, and that any input data is properly escaped before being processed (the classic mistake being to take input data and use it in an SQL query without ensuring all special characters are escaped).

If, as you say, your form is secure then the developer will have thought about these matters, but if, for example, the forms were developed by a skilled developer and then adapted by a novice for your particular purpose, it is entirely possible that loopholes will have been introduced.
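
The "classic mistake" alfaguru describes, as an added example that is not part of the original post: a handler that stores a form submission by pasting the input into an SQL string, beside the prepared-statement version, plus the register_globals check. It uses an in-memory SQLite database through PDO so it runs offline; the table layout, column names and sample input are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. Assumes PDO with the sqlite driver.

// register_globals check the post recommends: refuse to run if it is on.
// (The directive was removed in PHP 5.4; ini_get() returns false there.)
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    exit('register_globals must be off');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE enquiries (id INTEGER PRIMARY KEY, email TEXT, comments TEXT)');

// Vulnerable: the visitor's text becomes part of the SQL program itself.
function store_enquiry_vulnerable(PDO $db, string $email, string $comments): void
{
    $sql = "INSERT INTO enquiries (email, comments) VALUES ('$email', '$comments')";
    $db->exec($sql);
}

// Hardened: the SQL is fixed text; values travel separately as bound parameters,
// so quotes in the input are data, never syntax.
function store_enquiry_hardened(PDO $db, string $email, string $comments): void
{
    $stmt = $db->prepare('INSERT INTO enquiries (email, comments) VALUES (:email, :comments)');
    $stmt->execute([':email' => $email, ':comments' => $comments]);
}

// Constructed input (not a real submission): a comment containing apostrophes.
$email    = 'visitor@example.net';
$comments = "It's a great site, but O'Brien's page is broken";

try {
    store_enquiry_vulnerable($db, $email, $comments);
} catch (PDOException $e) {
    // The apostrophe closes the string literal early. Here that is a syntax
    // error; with hostile input it is an altered query.
    echo 'vulnerable version failed: ', $e->getMessage(), "\n";
}

store_enquiry_hardened($db, $email, $comments);
echo $db->query('SELECT count(*) FROM enquiries')->fetchColumn(), " row(s) stored\n";
```

Escaping with the driver's quoting function also works, but a prepared statement removes the need to remember to escape every value on every query, which is exactly the step a novice adapting someone else's form tends to drop.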

claimsweb (10+ Year Member)
Msg#: 3207828 posted 11:17 am on Jan 5, 2007 (gmt 0)

Very much appreciate your replies - it seems that this might just be a pathetic attempt at link spam.

I have received some more today, and it becomes increasingly bizarre:

"hamContent-Transfer-Encoding: quoted-printableContent-Type: text/htmlSubject: that time itbcc: lianna@example.comry cured hams require a prolonged period of rehydration prior to consumptio=n=2E wet cured ham has been cured with a brine, either by immersion or inje=ction. he679c4c6da97a5d98679c46e1634a8c40."

Is there a big market for cured ham on the web?

Curiously, they've targeted only one page on a large site to send in these nonsensical forms.

Had a few that mention "transfer-encoding", and I don't like seeing the word "inje=ction", but right now I'm not going to lose any sleep over it.

[edited by: jatar_k at 2:25 pm (utc) on Jan. 5, 2007]
[edit reason] examplified [/edit]

inveni0 (5+ Year Member)
Msg#: 3207828 posted 1:29 pm on Jan 5, 2007 (gmt 0)

Many spam agents send out what I call 'recon units' with the intent of finding valid email addresses or working forms to hijack. One of my clients was getting spam through their email form. I fixed it easily by changing the field names to something really bizarre...then, the bots didn't know what to put where, or that it was even a form that would email.

jatar_k (WebmasterWorld Administrator, Top Contributor of All Time, 10+ Year Member)
Msg#: 3207828 posted 2:26 pm on Jan 5, 2007 (gmt 0)

It looks like standard spam: a lot of gibberish (though well-constructed gibberish) to beat email anti-spam filters.

You should look at the message source of some of the spam you get; you will see tons of this kind of stuff.

claimsweb (10+ Year Member)
Msg#: 3207828 posted 2:52 pm on Jan 8, 2007 (gmt 0)

Sorry to drag this out, but I've seen a new development today that does worry me.

On the enquiry form email response that we receive from the customer I have a subject line that is different on every page - so, for example, you would have:

Widget enquiry - BLUE
Widget enquiry - RED

Now today I've seen that the spammers are somehow managing to amend the subject line text, which is embedded within the HTML on the page - it's not hidden at all but is simply quoted within the name="postedfrom" value="..." attribute.

Is this something that needs fixing? If they can change this, does it suggest a wider problem, or is the subject line in this context easy to adjust provided it's visible in the HTML of the page?

It really makes no sense to me, but I guess these aholes may be wrongly assuming that the form is a "comment" blog form and therefore links will be enabled on posting.

Thanks for all your comments so far

jatar_k (WebmasterWorld Administrator, Top Contributor of All Time, 10+ Year Member)
Msg#: 3207828 posted 3:23 pm on Jan 8, 2007 (gmt 0)

take a look through these threads from our PHP Library [webmasterworld.com]

Combatting Webform Hijack [webmasterworld.com]

PHP Security [webmasterworld.com]

It looks like you aren't properly cleaning the form input. If they are changing the subjects, then that is a rather serious problem.

cmarshall (WebmasterWorld Senior Member, 5+ Year Member)
Msg#: 3207828 posted 3:57 pm on Jan 8, 2007 (gmt 0)

I scan my forms for headers in the subject and body. To addresses cannot be entered directly, but are matched up to database entries after the fact.

If I find any headers, the email doesn't get sent, and a "Tastes Like SPAM" message is shown. The same for blank subjects and bodies (the typical "ping" message from spammers testing the waters).
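
What claimsweb is seeing (a visible hidden-field value ending up in the mail subject), jatar_k's diagnosis (form input not cleaned) and cmarshall's countermeasures (scan subject and body for headers, never let the visitor supply recipients, reject blank "ping" messages) are all the same e-mail header injection problem. The following is an added example, not code from any poster: a vulnerable mail() handler beside a hardened one. The field names (postedfrom, email, comments), the page-to-subject map, the addresses and the sample submissions are assumptions constructed for illustration.

```php
<?php
// Added example, not code from the thread.

// --- Vulnerable: trusts the hidden field and pastes raw input into headers ---
function build_mail_vulnerable(array $post): array
{
    $subject = $post['postedfrom'];                       // attacker chooses the subject
    $headers = 'From: ' . $post['email'] . "\r\n";        // CR/LF here ends the header...
    return [$subject, $headers, $post['comments']];
}
// email = "bot@example.org\r\nBcc: victim@example.net" adds a Bcc header and
// turns the form into an open relay; the spam in this thread carried exactly
// such header lines ("Content-Type: text/html", "Subject:", "bcc:").

// --- Hardened -------------------------------------------------------------

// Server-side map of pages a form may claim to come from. The hidden field is
// now a lookup key; the visitor never controls the subject text itself.
const PAGE_SUBJECTS = [
    'blue' => 'Widget enquiry - BLUE',
    'red'  => 'Widget enquiry - RED',
];

// A CR, LF or NUL in a single-line field is an attempt to start a new header.
function has_header_chars(string $value): bool
{
    return (bool) preg_match('/[\r\n\0]/', $value);
}

// Mail header names appearing in the body: unanchored for names that never
// occur in normal prose, anchored to a line start for the ambiguous ones.
function looks_like_header_injection(string $text): bool
{
    $pattern = '/(^|[\r\n])\s*(to|from|cc|subject)\s*:'
             . '|(bcc|content-type|content-transfer-encoding|mime-version)\s*:/i';
    return (bool) preg_match($pattern, $text);
}

function build_mail_hardened(array $post): array
{
    $key      = $post['postedfrom'] ?? '';
    $email    = trim($post['email'] ?? '');
    $comments = trim($post['comments'] ?? '');

    if (!isset(PAGE_SUBJECTS[$key])) {
        throw new InvalidArgumentException('Unknown form page');
    }
    if ($email === '' || $comments === '') {
        throw new InvalidArgumentException('Tastes like spam: blank fields');   // the "ping" probe
    }
    if (has_header_chars($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Tastes like spam: bad sender address');
    }
    if (looks_like_header_injection($comments)) {
        throw new InvalidArgumentException('Tastes like spam: headers in body');
    }

    // Recipient and From are fixed; the visitor's address goes in Reply-To only.
    $headers = "From: forms@example.com\r\nReply-To: {$email}\r\n";
    return [PAGE_SUBJECTS[$key], $headers, $comments];
}

// Constructed submissions (not real ones).
$spam = [
    'postedfrom' => 'blue',
    'email'      => "bot@example.org\r\nBcc: lianna@example.com",
    'comments'   => "Content-Type: text/html\nSubject: that time it\nbcc: lianna@example.com",
];
try {
    build_mail_hardened($spam);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";          // rejected before mail() is ever called
}

$good = ['postedfrom' => 'red', 'email' => 'customer@example.net',
         'comments'   => 'Please quote for 50 red widgets.'];
list($subject, $headers, $body) = build_mail_hardened($good);
// mail('sales@example.com', $subject, $body, $headers);
echo $subject, "\n";
```

The same rule applies to mail()'s fifth argument: never build it from visitor input, because PHP hands it to the sendmail binary's command line. Once the recipient is fixed server-side and the subject comes from a whitelist, the worst a spammer can do is send you a nonsense enquiry, which is the only thing the hardened version still lets through.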

StupidScript (WebmasterWorld Senior Member, 10+ Year Member)
Msg#: 3207828 posted 9:35 pm on Jan 8, 2007 (gmt 0)

Also check for form processing requests from an alien domain/IP (like a request for the result page from an address that didn't also request the form page). Sometimes spammers take a copy of a form page and attempt to modify and use it from their own server, processing it through your server, if possible. If you can, on the result page, check to make sure the request came from your server's IP only and reject any other requests.
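
One way to tie a submission to a form page this server actually served, as an added example that is not the poster's code: render an HMAC-signed, expiring token into the form and verify it on the processing page. A copy of the form hosted on the spammer's own server carries no token that this secret signed. The secret, the lifetime, the field names and the sample requests are assumptions for illustration.

```php
<?php
// Added example, not code from the thread.

const FORM_SECRET   = 'replace-with-a-long-random-secret-kept-outside-the-web-root';
const TOKEN_TTL_SEC = 1800;   // a form left open for 30 minutes is still accepted

// Token layout: base64( page | expiry-timestamp | hex HMAC-SHA256(page|expiry) )
function issue_form_token(string $page, ?int $now = null): string
{
    $now     = $now ?? time();
    $expires = $now + TOKEN_TTL_SEC;
    $payload = $page . '|' . $expires;
    $mac     = hash_hmac('sha256', $payload, FORM_SECRET);
    return base64_encode($payload . '|' . $mac);
}

function verify_form_token(string $token, string $expected_page, ?int $now = null): bool
{
    $now     = $now ?? time();
    $decoded = base64_decode($token, true);
    if ($decoded === false) {
        return false;
    }
    $parts = explode('|', $decoded);
    if (count($parts) !== 3) {
        return false;
    }
    list($page, $expires, $mac) = $parts;
    if ($page !== $expected_page) {             // token issued for a different form page
        return false;
    }
    if (!preg_match('/^\d+$/', $expires) || (int) $expires < $now) {
        return false;                           // expired or malformed timestamp
    }
    $good = hash_hmac('sha256', $page . '|' . $expires, FORM_SECRET);
    return hash_equals($good, $mac);            // constant-time comparison
}

// On the form page (e.g. the BLUE widget page):
$token = issue_form_token('blue');
echo '<input type="hidden" name="postedfrom" value="blue">', "\n";
echo '<input type="hidden" name="form_token" value="',
     htmlspecialchars($token, ENT_QUOTES), '">', "\n";

// On the processing page. Constructed requests, not real ones:
$genuine = ['postedfrom' => 'blue', 'form_token' => $token];
var_dump(verify_form_token($genuine['form_token'], $genuine['postedfrom']));

// A copied form edited on the spammer's host: the HMAC was never made with our secret.
$forged = ['postedfrom' => 'blue', 'form_token' => base64_encode('blue|9999999999|deadbeef')];
var_dump(verify_form_token($forged['form_token'], $forged['postedfrom']));

// A token fetched for one page and replayed against another is also refused.
var_dump(verify_form_token($token, 'red'));
```

A bot that fetches your real form page each time will still obtain a valid token, so this stops copied and offline-modified forms rather than all automated posting; binding the token to the visitor's session or issuing it once per form view closes that gap, and the header checks on the processing side remain necessary regardless.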

claimsweb (10+ Year Member)
Msg#: 3207828 posted 10:21 am on Jan 11, 2007 (gmt 0)

Thanks again for the replies

Business levels are normal and forms are still coming in, so I'm shocked that the issues raised are serious. Clearly though I'm not going to sit here and wait for things to go bang.

Main problem I have is that I am not a programmer and I have insufficient knowledge to deal with these key security issues myself.

Instead I will need to outsource, and my preference is to simply start over with a new form. It's cheaper, and I think I'd feel more comfortable doing this.

I have been speaking to some programmers about a more advanced form, and as usual you are torn between losing customers because the form is too complex or keeping things secure by adding, for example, image verification. I'm going to opt for the latter because I can't risk any more problems like this.

Can anyone recommend a secure form mechanism? CAPTCHA has been mentioned to me as one such option.

Many thanks

coopster (WebmasterWorld Administrator, Top Contributor of All Time, 10+ Year Member)
Msg#: 3207828 posted 12:46 pm on Jan 11, 2007 (gmt 0)

There is a resourceful thread in the Accessibility and Usability Forum [webmasterworld.com] here at WebmasterWorld that answers the question "Is CAPTCHA accessible and usable?" [webmasterworld.com]. In that discussion there are alternatives and links to discussions on the alternatives.

claimsweb (10+ Year Member)
Msg#: 3207828 posted 4:18 pm on Jan 11, 2007 (gmt 0)

Many thanks coopster

© Webmaster World 1996-2014 all rights reserved