
Combatting Webform hijack

     
1:20 pm on Jun 14, 2006 (gmt 0)



My webform has been hijacked. Any suggestions how to make this form secure?:

<?php
// Every field below is copied straight from the submitted form into the
// message; nothing is validated or cleaned before it reaches mail().
$org=$_POST['org'];
$address1=$_POST['address1'];
$address2=$_POST['address2'];
$address3=$_POST['address3'];
$city=$_POST['city'];
$pcode=$_POST['postcode'];
$region=$_POST['region'];
$tel=$_POST['tel'];
$fax=$_POST['fax'];
$email=$_POST['email'];
$web=$_POST['web'];
$name=$_POST['name'];
$image=$_POST['image'];
$projdesc=$_POST['projdesc'];
$cats1=$_POST['cats1'];
$rate1=$_POST['rate1'];
$cats2=$_POST['cats2'];
$rate2=$_POST['rate2'];
$cats3=$_POST['cats3'];
$rate3=$_POST['rate3'];
$cats4=$_POST['cats4'];
$rate4=$_POST['rate4'];
$cats5=$_POST['cats5'];
$rate5=$_POST['rate5'];

$min_age=$_POST['agefrom'];
$max_age=$_POST['ageto'];
$gptext=$_POST['pracbite'];
$gptitle=$_POST['practitle'];
$gpc1=$_POST['gpc1'];
$gpc2=$_POST['gpc2'];
$gpc3=$_POST['gpc3'];
$gpc4=$_POST['gpc4'];
$gpc5=$_POST['gpc5'];
// The practice example reuses the same rate1..rate5 fields as the project info,
// so $rate1..$rate5 are printed twice in the message below.
$praccontact=$_POST['praccontact'];

// Recipient and subject are fixed; the form data only appears in the body.
mail ("email address", "Practice Bite",
"New Practice Bite

Project Info:
Organisation: $org
Address: $address1
$address2
$address3
City: $city
Post code: $pcode
Region: $region
Tel: $tel
Fax: $fax
Email: $email
Web: $web
Contact Name: $name
Image: $image
Project Desc: $projdesc
C1: $cats1
R1: $rate1
C2: $cats2
R2: $rate2
C3: $cats3
R3: $rate3
C4: $cats4
R4: $rate4
C5: $cats5
R5: $rate5
Practice Example:
Min age: $min_age
Max age: $max_age
P Title: $gptitle
P Text: $gptext
P1: $gpc1
R1: $rate1
P2: $gpc2
R2: $rate2
P3: $gpc3
R3: $rate3
P4: $gpc4
R4: $rate4
P5: $gpc5
R5: $rate5
Contact Name: $praccontact"
);
echo ("<p>Your practice bite has been submitted.</p>
<p>Many thanks.</p>");
?>

7:53 am on Jul 5, 2006 (gmt 0)



DewChugr,

if ($_POST['token']!= $_SESSION['token'])

If the mail script was called remotely i.e. NOT from the website the form was residing on, the $_POST['token'] would be an empty string, as well as $_SESSION['token']... so the IF statement would evaluate as true and would be allowed.

You should therefore add at the beginning:

if ($_POST['token']=="") exit; // who sent you here without a token?!?!

10:31 pm on Jul 5, 2006 (gmt 0)



Someone was asking for a quick summary on how the problem could be avoided so...

The original poster complained of being "hijacked" so I assume that spammers were using their form mail script to send spam to other people.

To avoid this:

- Remove line breaks or ctype_print test everything that goes into the email header (TO, FROM, SUBJECT, etc..). preg and ereg will work but str_replace is faster.

- Run stripslashes on everything.

- The TO addy should of course never be assigned by your form.

That's it. The above will solve the problem 100%. Based on my experience with live sites at any rate. There could of course be other injection methods I'm missing but, if so, spammers aren't using them yet.

The other problem that people have mentioned (automated posting just to send you spam) can only be solved 100% with captcha. The javascript encoding method isn't a bad idea but it means that anyone with javascript turned off can't use your form. Also, it's not hard to teach a bot to read javascript encoded HTML.
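Pulling the three points in this reply together with the empty-token check from the reply above, as an added example (this is not any poster's code, and not the original script): a hardened version of the form mailer. It assumes PHP 7 or later, that the form page already stored a random value in $_SESSION['token'] and echoed it into a hidden field named token, and uses placeholder addresses (you@example.org, webform@example.org). The recipient is a constant, nothing from the form reaches a mail header until it has been reduced to one printable line, and the body fields are size-bounded. The stripslashes advice addressed magic_quotes, which later PHP versions removed, so it is not repeated here.

```php
<?php
// Added example, not the thread's code. Hardened form mailer: fixed recipient,
// no raw user input in any mail header, and the session token check from the
// thread. Assumes PHP 7+ and that the form page already did
//   $_SESSION['token'] = bin2hex(random_bytes(16));
// and placed that value in a hidden <input name="token">.
session_start();

const RECIPIENT = 'you@example.org';      // placeholder; never taken from the form
const FROM_ADDR = 'webform@example.org';  // placeholder; a mailbox the site controls

// $_POST values can be arrays (field[]=...); only accept plain strings.
function post_string(string $key): string
{
    $v = $_POST[$key] ?? '';
    return is_string($v) ? $v : '';
}

// Anything that ends up in a mail header must be one printable line.
// str_replace strips CR/LF (the header-injection vector); ctype_print rejects
// any other control character that survives.
function clean_header_field(string $value, int $max = 200): string
{
    $value = str_replace(array("\r", "\n"), '', $value);
    $value = substr(trim($value), 0, $max);
    return ($value === '' || ctype_print($value)) ? $value : '';
}

// Body fields may legitimately contain newlines; bound their size and drop NULs.
function clean_body_field(string $value, int $max = 2000): string
{
    return substr(trim(str_replace("\0", '', $value)), 0, $max);
}

// An empty token means the script was called without loading the form first;
// a mismatch means the request did not come from this visitor's form page.
function token_is_valid(array $post, array $session): bool
{
    $sent   = isset($post['token']) && is_string($post['token']) ? $post['token'] : '';
    $stored = isset($session['token']) && is_string($session['token']) ? $session['token'] : '';
    if ($sent === '' || $stored === '') {
        return false;
    }
    return hash_equals($stored, $sent);
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !token_is_valid($_POST, $_SESSION)) {
    http_response_code(403);
    exit;
}
unset($_SESSION['token']);   // one submission per token

$email = clean_header_field(post_string('email'));
if ($email === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(400);
    exit('A valid email address is required.');
}
$name = clean_header_field(post_string('name'));

// Same body layout as the original, shown for a few of the fields.
$body = "New Practice Bite\n\n"
      . "Project Info:\n"
      . "Organisation: " . clean_body_field(post_string('org')) . "\n"
      . "Contact Name: " . $name . "\n"
      . "Email: " . $email . "\n"
      . "Project Desc: " . clean_body_field(post_string('projdesc')) . "\n";

// The only header derived from user data is Reply-To, and that value has been
// reduced to a single validated address above. From stays under site control.
$headers = "From: " . FROM_ADDR . "\r\n"
         . "Reply-To: " . $email . "\r\n";

if (mail(RECIPIENT, 'Practice Bite', $body, $headers)) {
    echo '<p>Your practice bite has been submitted.</p><p>Many thanks.</p>';
} else {
    echo '<p>Sorry, the message could not be sent.</p>';
}
```

The visitor's address goes into Reply-To rather than From so the message is still sent from a mailbox the site controls; with the sanitising above the worst a hostile submission can do is put odd text in the body of a message addressed to you.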

11:36 am on Jul 6, 2006 (gmt 0)

henry0

>> The other problem that people have mentioned (automated posting just to send you spam) can only be solved 100% with captcha.

100% is no longer a rock solid statement.
I do not have any example but web rumors tell me that it has been broken.

Any proof around?

12:09 pm on Jul 6, 2006 (gmt 0)

dreamcatcher

henry0, I've also heard rumours about the captcha not being as effective as it was, although from my own personal experience I've always found it pretty good.

Another easy solution and less server intense than the Captcha is to create a random simple sum and have people enter the total in a text box. I've found this to be very effective indeed.

dc

12:13 pm on Jul 6, 2006 (gmt 0)

henry0

Funny, I never mentioned it; this is exactly my own solution.

12:54 pm on Jul 6, 2006 (gmt 0)



dreamcatcher & henry0

I'm thinking of doing exactly that ... with a twist.

Instead of 'just' having mathematical queries to answer, I am thinking of creating a table with around 150 questions / answers to 'validate' a form.

Something varied so it cannot be easily bot-guessed, but easy enough for 'thick' people to know the answer - like:

  • what day is April Fools' Day
  • what animal is Mickey
  • if today was Monday, what day would tomorrow be
  • how many dwarves were there in Snow White ...

That's 4 already ;)

Would that be a good way of doing things?
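As an added example (not any poster's code) of both the random-sum challenge dreamcatcher describes and the question-table variant proposed just above: the challenge is generated server-side, only the question text is sent to the browser, and the answer is checked once against what the session stored. It assumes PHP 7 or later (random_int) and that session_start() has already run; the question table is a constructed sample, and the function names are my own.

```php
<?php
// Added example, not the thread's code. Question-based challenge: the accepted
// answers stay in the session, so a bot never sees them, and each challenge can
// be answered only once. Assumes PHP 7+ and an active session.

// Constructed sample table: question => accepted answers. A real table would
// be larger and tuned to the site's audience, as discussed in the thread.
$QUESTIONS = array(
    'What day of the month is April Fools\' Day?'      => array('1', '1st', 'first'),
    'What animal is Mickey Mouse?'                     => array('mouse', 'a mouse'),
    'If today were Monday, what day would tomorrow be?' => array('tuesday'),
    'How many dwarves are there in Snow White?'        => array('7', 'seven'),
);

// dreamcatcher's variant: a random simple sum.
function make_sum_challenge(): array
{
    $a = random_int(1, 9);
    $b = random_int(1, 9);
    return array('question' => "What is $a + $b?", 'answers' => array((string) ($a + $b)));
}

// Table variant: pick one question at random.
function make_table_challenge(array $table): array
{
    $questions = array_keys($table);
    $q = $questions[random_int(0, count($questions) - 1)];
    return array('question' => $q, 'answers' => $table[$q]);
}

// Tolerate case, surrounding whitespace, repeated spaces and trailing punctuation.
function normalize_answer(string $raw): string
{
    $s = strtolower(trim($raw));
    $s = preg_replace('/\s+/', ' ', $s);
    return rtrim($s, ".!");
}

// Called when rendering the form: stores the challenge, returns the question text.
function issue_challenge(array &$session, array $table, bool $use_sum): string
{
    $c = $use_sum ? make_sum_challenge() : make_table_challenge($table);
    $session['challenge_answers'] = $c['answers'];
    $session['challenge_issued']  = time();
    return $c['question'];
}

// Called on submit. Single use: the stored answers are cleared whether or not
// the attempt succeeds, so a wrong guess cannot be retried against the same
// question, and a stale challenge (older than $max_age seconds) is rejected.
function check_challenge(array &$session, string $submitted, int $max_age = 900): bool
{
    if (empty($session['challenge_answers']) || !is_array($session['challenge_answers'])) {
        return false;
    }
    $answers = $session['challenge_answers'];
    $issued  = (int) ($session['challenge_issued'] ?? 0);
    unset($session['challenge_answers'], $session['challenge_issued']);
    if (time() - $issued > $max_age) {
        return false;
    }
    $norm = normalize_answer($submitted);
    if ($norm === '') {
        return false;
    }
    foreach ($answers as $a) {
        if (normalize_answer((string) $a) === $norm) {
            return true;
        }
    }
    return false;
}

// Usage in the form page:
//   $question = issue_challenge($_SESSION, $QUESTIONS, false);
//   echo '<label>' . htmlspecialchars($question) . ' <input name="challenge"></label>';
// Usage at the top of the mail handler, before anything is sent:
//   $answer = is_string($_POST['challenge'] ?? null) ? $_POST['challenge'] : '';
//   if (!check_challenge($_SESSION, $answer)) { http_response_code(403); exit; }
```

Keeping the accepted answers server-side is what makes the question table worth having: if the answer were embedded in the page (even obfuscated) a bot could simply echo it back, which is the weakness henry0 and others note with the JavaScript-encoding approach.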

1:07 pm on Jul 6, 2006 (gmt 0)

henry0

Depending on your target you can make it fit your customers'/viewers' profile.
For example, targeting home/garden: Is crab-grass a seafood or a grass nuisance?
If your users are very diversified it could be seen as an extra step.

3:00 pm on Jul 6, 2006 (gmt 0)

jatar_k

>> I've also heard rumours about the captcha not being as effective as it was, although from my own personal experience I've always found it pretty good.

Yeah, captcha will still do the job and yes it has been cracked, I believe I saw the code actually, was a while ago.

5:37 pm on Jul 6, 2006 (gmt 0)

>> I do not have any example but web rumors tell me that it has been broken.

>> henry0, I've also heard rumours about the captcha not being as effective as it was, although from my own personal experience I've always found it pretty good.

>> yeah captcha will still do the job and yes it has been cracked

Captcha should just be one part of the defense:

>> Several groups have created programs that can pass many CAPTCHAs over 80% of the time.
Source [captcha.net] (see "Advancing AI")

Everyone considering the use of a captcha solution should also be aware of the accessibility problems [webmasterworld.com] they may cause.

-b

10:45 pm on Jul 6, 2006 (gmt 0)

>> 100% is no longer a rock solid statement.
>> I do not have any example but web rumors tell me that it (CAPTCHA) has been broken.

To clear up the misconception... CAPTCHA is not a thing, it's a blanket classification for a concept.

It's not possible to say "CAPTCHA has been broken!" Hehe.

Any system where you attempt to tell humans and computers apart by challenging them with some kind of interactive test is a CAPTCHA as long as it's entirely automated on your side.

Asking a math (or other type of) question is as much a CAPTCHA as distorted numbers and letters. There are endless varieties of CAPTCHA type tests.

As far as traditional image type CAPTCHAs go... The capability to write a program that can parse and interpret a graphic has been around since before the web. In that sense CAPTCHA was broken long before the acronym was coined.

If you're clever, you can write a program to break a single CAPTCHA scheme. However, that program will only break that one CAPTCHA scheme and it will have taken you a lot of time and effort to write it.

There is no program in existence that could spider the web and just break any CAPTCHA it found. There are just too many variations. The best you could do would be to create a program that can break some popular CAPTCHA implementation where a lot of webmasters have used the same code. If you were ambitious you could perhaps write something that would handle small variations (it might break all number/letter type CAPTCHAs where single color text on a single color background was used and the only obfuscation method involved warping).

Having accomplished this you would (maybe) pull off breaking 5% of the CAPTCHAs encountered, and that's probably way too high a number.

Someone posted about groups claiming to break "many" CAPTCHA systems with 80% success. What that means is that they have an app that can pass a very weak type of CAPTCHA implementation and even then still fails 20% of the time.

If a spammer did take the huge amount of time to write the above program, the weak CAPTCHA systems it was able to break would quickly change to something else and the spammer would be back to square one.

Basically, it's still safe to say that you can stop automated posting 100% with a creative CAPTCHA. :-)

6:29 pm on Jul 11, 2006 (gmt 0)

Has anyone ever experimented with mod_rewrite RewriteCond to combat this issue?

I haven't played around with it yet but it would be like passing a security variable through $_GET (graphic, math question, etc. like mentioned) back to the posting page and using a mod_rewrite RewriteCond to validate the URL.

Throwing 404 errors would cause bots to drop the originating URL and you wouldn't bother visitors so much.
