PHP Server Side Scripting Forum

Header Injection Prevention
Do I need to test for upper case of to: cc: etc?
CDNQuilter
msg:3699165
8:17 pm on Jul 15, 2008 (gmt 0)

I am tightening up my form security because a spammer has been hammering my site. Only a couple of gobbledygook messages have slid by, but the resource consumption irks me.

I test for header injection data by looking in the name and particularly the email fields for signs of header injection (e.g. to: or cc:) and also for attempts to upload a file (e.g. MIME-Version:).

My question.
Do I need to test for all upper and/or all lower case versions of the above?

I guess the real question is, in the absence of other tests would, e.g. MIME-VERSION: or mime-version: succeed in uploading a file?

I guess that I can test just to be sure but I don't want to bother if it is not an issue.

Even though my regex edit prevents this stuff from getting through, I test for the attempts and then ban the IPs attempting this in my .htaccess file.

Thanks
Jean


dreamcatcher
msg:3699295
10:23 pm on Jul 15, 2008 (gmt 0)

You can limit the amount of data by using substr [php.net]

For cleaning the fields you could do something like:

$find = array(
"\r",
"\n",
"%0a",
"%0d",
"content-type:",
"Content-Type:",
"BCC:",
"CC:",
"boundary=",
"TO:",
"bcc:",
"to:",
"cc:"
);

$replace = array();

$name = str_replace($find,$replace,$name);
$email = str_replace($find,$replace,$email);

dc

CDNQuilter
msg:3699321
10:58 pm on Jul 15, 2008 (gmt 0)

Yes, I know how to do it - I just want to know if I have to check for the capitalized versions of the strings.

According to your example, it appears that I do.

So I will just specify something like:

$find = array(
"\r",
"\n",
"%0a",
"%0d",
"Content-Type:",
"boundary=",
"to:",
"cc:"
);
and my test will be a variant of

// $field is the form field name, $badchr one entry from $find; both sides are upper-cased so the match is case-insensitive
if ( $count = substr_count(strtoupper($_POST[$field]), strtoupper($badchr)) ) { /* . . . do something . . . */ }

because this catches cc:, cC:, Cc: and CC:

(I don't bother with bcc: because cc: takes care of it.)

Thanks for responding
cheers
Jean

IanKelley
msg:3699498
4:20 am on Jul 16, 2008 (gmt 0)

Good point about not needing bcc:.

A more elegant option, which should be slightly more resource efficient, would be to use PHP 5's str_ireplace. After all, 6 is going to be out before too long; it's time to stop avoiding 5 :-)

Something else you might consider doing, in order to stop the spammer from consuming more resources, would be to log all IPs which fail your header test and temporarily block them. If not in .htaccess, then early in the script before it has output anything or executed any major code. Chances are he repeats his proxy list at some point.

CDNQuilter
msg:3699556
6:10 am on Jul 16, 2008 (gmt 0)

Yes, I am trying to catch them early in the script.

I only use PHP 5; I didn't learn PHP 4.

I would use str_ireplace, but I'm not replacing. I don't particularly like if(stripos($x) !== false), but I suppose it would be nicer here than strtoupper!
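As an added illustration of the case-insensitive check discussed in the last three posts, combined with IanKelley's suggestion of logging and temporarily blocking offending IPs early in the script (this is example code written for this thread, not anything the posters wrote): mail header field names are case-insensitive under RFC 5322, so mime-version: is honoured exactly like MIME-Version:, and a detector therefore has to ignore case as well. The token list, the function names and the ban-file path are this example's own assumptions, and the sample submission is constructed.

```php
<?php
// Added example (not code from the thread): a case-insensitive header-injection
// detector plus a simple temporary IP ban list checked before any other work.
// HEADER_TOKENS, the function names and the ban-file path are this example's
// own choices, not anything the posters used.

// Tokens that only belong in mail headers, never in a "name" or "email" field.
// Header names are case-insensitive, so the check below must be too.
const HEADER_TOKENS = [
    "\r", "\n", "%0a", "%0d",           // raw and URL-encoded line breaks
    'content-type:', 'mime-version:',   // attachment / multipart set-up
    'boundary=', 'to:', 'cc:',          // 'bcc:' is already covered by 'cc:'
];

/**
 * Return the first header token found in $value (ignoring case), or null.
 * stripos() handles cc:/Cc:/CC: without upper-casing the whole input first.
 */
function detect_header_injection(string $value): ?string
{
    foreach (HEADER_TOKENS as $token) {
        if (stripos($value, $token) !== false) {
            return $token;
        }
    }
    return null;
}

/** Check every header-bound form field; return the field => token pairs found. */
function scan_fields(array $fields): array
{
    $hits = [];
    foreach ($fields as $name => $value) {
        $token = detect_header_injection((string) $value);
        if ($token !== null) {
            $hits[$name] = $token;
        }
    }
    return $hits;
}

/** Append "$ip <unix time>" to a flat-file ban list. */
function ban_ip(string $ip, string $banFile): void
{
    file_put_contents($banFile, $ip . ' ' . time() . "\n", FILE_APPEND | LOCK_EX);
}

/** True if $ip was banned less than $ttl seconds ago; older entries are ignored. */
function is_banned(string $ip, string $banFile, int $ttl = 86400): bool
{
    if (!is_file($banFile)) {
        return false;
    }
    foreach (file($banFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        [$bannedIp, $when] = explode(' ', $line, 2) + [1 => 0];
        if ($bannedIp === $ip && time() - (int) $when < $ttl) {
            return true;
        }
    }
    return false;
}

// Usage at the very top of the form handler, before any output or mail() call.
$banFile = sys_get_temp_dir() . '/form-bans.txt';   // placeholder path
$ip      = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';

if (is_banned($ip, $banFile)) {
    http_response_code(403);
    exit;
}

// Constructed sample input standing in for $_POST.
$post = [
    'name'  => 'Jean',
    'email' => "jean@example.com\nmime-VERSION: 1.0",
];

$hits = scan_fields($post);
if ($hits !== []) {
    error_log("header injection attempt from $ip: " . json_encode($hits));
    ban_ip($ip, $banFile);
    http_response_code(400);
    exit;
}
```

The ban list here is a plain text file with a time-to-live rather than a permanent .htaccess entry, which matches the "temporarily block" idea in the thread: a shared proxy address stops being blocked on its own after a day. Short tokens such as to: can occur in harmless text, so, as CDNQuilter does, treat a hit as a signal to log and ban only where the field's normal validation would have rejected the value anyway.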

eelixduppy
msg:3699562
6:20 am on Jul 16, 2008 (gmt 0)

While you can look for specific headers within the text to prevent header injection and then throw up flags when they are found, there is another, simple method. What I like to do is to replace all newline (\n) and carriage return (\r) characters with spaces to eliminate the possibility that multiple headers will be injected. This should be done for ALL mail inputs, too, including the subject. So something as simple as a str_replace:

$bad = array("\r", "\n");
$subject = str_replace($bad, ' ', $subject);
# etc...

It would also be a good idea that someone receives a copy of the emails sent out from your server, just to keep tabs on it for a while. You wouldn't want anything going on without your knowledge. This will also allow you to see attempts at cracking your emailing script.
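The approach in this post, carried through for a whole contact form, as an added example that is not eelixduppy's own code: every value that ends up in a mail header is flattened to a single line before the header block is built, the display name is quoted, and an administrator is Bcc'd on every outgoing message so attempts show up in their inbox. The function names, the admin address and the sample submission are this example's own assumptions.

```php
<?php
// Added example (not eelixduppy's own code): strip line breaks from every value
// that ends up in a mail header, then build the headers and Bcc a copy to an
// administrator. Function names and the admin address are this example's own.

/** Replace CR and LF (raw or URL-encoded) with a space so no extra header line can form. */
function flatten_header_value(string $value): string
{
    // Decode %0d/%0a first so an encoded line break cannot survive a later decode.
    $value = str_ireplace(['%0d', '%0a'], ["\r", "\n"], $value);
    return trim(str_replace(["\r", "\n"], ' ', $value));
}

/** Build the header block for mail(); every interpolated value has been flattened. */
function build_headers(string $fromName, string $fromEmail, string $adminCopy): string
{
    $fromName  = flatten_header_value($fromName);
    $fromEmail = flatten_header_value($fromEmail);
    if (filter_var($fromEmail, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid sender address');
    }
    // Quote the display name so a stray '<' or ',' cannot smuggle in a second address.
    $display = '"' . addcslashes($fromName, '"\\') . '"';
    return "From: $display <$fromEmail>\r\n"
         . "Reply-To: $fromEmail\r\n"
         . "Bcc: $adminCopy\r\n";
}

/** Send the form submission; only header-bound values are flattened, the body keeps its lines. */
function send_contact_mail(array $post, string $to, string $adminCopy): bool
{
    $headers = build_headers($post['name'] ?? '', $post['email'] ?? '', $adminCopy);
    $subject = flatten_header_value($post['subject'] ?? '(no subject)');
    $body    = (string) ($post['message'] ?? '');
    return mail($to, $subject, $body, $headers);
}

// Constructed sample submission with an injected header line in the subject.
$sample = [
    'name'    => 'Jean',
    'email'   => 'jean@example.com',
    'subject' => "Hello\r\nBcc: someone@example.net",
    'message' => "Line one\nLine two",
];

// The injected "Bcc:" ends up as plain text inside a one-line subject,
// and the only Bcc header present is the administrator's copy.
echo flatten_header_value($sample['subject']), "\n";
echo build_headers($sample['name'], $sample['email'], 'admin@example.com');
// send_contact_mail($sample, 'owner@example.com', 'admin@example.com') would
// hand the result to mail(); it is not called here so the example runs offline.
```

Flattening and detection are complementary: the detector in the earlier posts tells you who to ban, while this sanitiser guarantees that even an unseen variant cannot add a header, because the header block is assembled only from single-line values.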

CDNQuilter
msg:3699588
6:55 am on Jul 16, 2008 (gmt 0)

My script is pretty thoroughly tested by now - I am just adding things to catch the folks trying to crack it so that I can ban them in my .htaccess file.

I use regex edits that are very effective. No \r, \n, %0a etc. will get through the edits; ALL input fields (except the message) have these regex edits. I don't allow tags or links in the message either.

But even though I'm pretty confident, I don't want these folks hammering away at it, wasting my resources and perhaps finding a weakness I hadn't thought of.

So now, I'm adding specific detectors and depending on what I detect, I am immediately adding the ip address to a local ban list - and from there I will move the worst offenders to be denied in .htaccess.

For one of my sites, I have considered banning certain country blocks but according to spamhaus, a LOT of spam originates in the US, much of it likely from compromised machines, so the country blocking just reduces the volume but doesn't fix the problem.

Really appreciate the help and replies here.
