
Combatting Webform hijack

1:20 pm on Jun 14, 2006 (gmt 0)

New User

10+ Year Member

joined:July 19, 2005
posts:23
votes: 0


My webform has been hijacked. Any suggestions how to make this form secure?:

<?php
// Every field is read straight from the POST data and dropped, unchecked,
// into the body of the mail below. Recipient and subject are fixed in the
// script; nothing verifies that the request actually came from the form page.
$org=$_POST['org'];
$address1=$_POST['address1'];
$address2=$_POST['address2'];
$address3=$_POST['address3'];
$city=$_POST['city'];
$pcode=$_POST['postcode'];
$region=$_POST['region'];
$tel=$_POST['tel'];
$fax=$_POST['fax'];
$email=$_POST['email'];
$web=$_POST['web'];
$name=$_POST['name'];
$image=$_POST['image'];
$projdesc=$_POST["projdesc"];
$cats1=$_POST['cats1'];
$rate1=$_POST["rate1"];
$cats2=$_POST['cats2'];
$rate2=$_POST["rate2"];
$cats3=$_POST['cats3'];
$rate3=$_POST["rate3"];
$cats4=$_POST['cats4'];
$rate4=$_POST["rate4"];
$cats5=$_POST['cats5'];
$rate5=$_POST["rate5"];

$min_age=$_POST['agefrom'];
$max_age=$_POST['ageto'];
$gptext=$_POST['pracbite'];
$gptitle=$_POST['practitle'];
$gpc1=$_POST['gpc1'];
$gpc2=$_POST['gpc2'];
$gpc3=$_POST['gpc3'];
$gpc4=$_POST['gpc4'];
$gpc5=$_POST['gpc5'];
// The practice-example rates read the same $_POST["rate1"]..["rate5"] keys,
// so $rate1..$rate5 above are simply reused in the second section of the mail.
$praccontact=$_POST["praccontact"];

// Recipient (redacted by the poster) and subject are hard-coded; the body is
// built entirely from the raw POST values.
mail ("email address", "Practice Bite",
"New Practice Bite

Project Info:
Organisation: $org
Address: $address1
$address2
$address3
City: $city
Post code: $pcode
Region: $region
Tel: $tel
Fax: $fax
Email: $email
Web: $web
Contact Name: $name
Image: $image
Project Desc: $projdesc
C1: $cats1
R1: $rate1
C2: $cats2
R2: $rate2
C3: $cats3
R3: $rate3
C4: $cats4
R4: $rate4
C5: $cats5
R5: $rate5
Practice Example:
Min age: $min_age
Max age: $max_age
P Title: $gptitle
P Text: $gptext
P1: $gpc1
R1: $rate1
P2: $gpc2
R2: $rate2
P3: $gpc3
R3: $rate3
P4: $gpc4
R4: $rate4
P5: $gpc5
R5: $rate5
Contact Name: $praccontact"
);
echo ("<p>Your practice bite has been submitted.</p>
<p>Many thanks.</p>");
?>

7:53 am on July 5, 2006 (gmt 0)

Full Member

10+ Year Member

joined:May 21, 2003
posts:255
votes: 0


DewChugr,

if ($_POST['token']!= $_SESSION['token'])

If the mail script was called remotely i.e. NOT from the website the form was residing on, the $_POST['token'] would be an empty string, as well as $_SESSION['token']... so the IF statement would evaluate as true and would be allowed.

You should therefore add at the beginning:

if ($_POST['token']=="") exit; // who sent you here without a token?!?!

10:31 pm on July 5, 2006 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Oct 4, 2001
posts:1259
votes: 11


Someone was asking for a quick summary on how the problem could be avoided so...

The original poster complained of being "hijacked" so I assume that spammers were using their form mail script to send spam to other people.

To avoid this:

- Remove line breaks or ctype_print test everything that goes into the email header (TO, FROM, SUBJECT, etc..). preg and ereg will work but str_replace is faster.

- Run stripslashes on everything.

- The TO addy should of course never be assigned by your form.

That's it. The above will solve the problem 100%. Based on my experience with live sites at any rate. There could of course be other injection methods I'm missing but, if so, spammers aren't using them yet.

The other problem that people have mentioned (automated posting just to send you spam) can only be solved 100% with captcha. The javascript encoding method isn't a bad idea but it means that anyone with javascript turned off can't use your form. Also, it's not hard to teach a bot to read javascript encoded HTML.
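Putting the summary above (single-line, printable header fields, a fixed TO address, stripslashes on the body) together with the empty-token check from the earlier reply, as an added example that is not any poster's code. $RECIPIENT, header_safe() and the hidden token field are assumptions made here.

```php
<?php
// Added example (not the original poster's script): the checks from the
// summary above plus the empty-token check from the earlier reply.
// Assumes the page that rendered the form did
//   $_SESSION['token'] = bin2hex(random_bytes(16));
// and put that value in a hidden <input name="token">.
session_start();

$RECIPIENT = 'you@example.com';   // hard-coded TO (placeholder), never from the form

// A header field must be one printable line: a CR/LF inside it is how
// extra To:/Cc:/Bcc: lines get injected into the message.
function header_safe(string $value): bool {
    return $value !== '' && ctype_print($value);
}

// 1. Anyone arriving without a matching token did not load our form first.
$token = $_POST['token'] ?? '';
if (!is_string($token) || $token === '' || empty($_SESSION['token'])
        || !hash_equals($_SESSION['token'], $token)) {
    exit('Form token missing or invalid.');
}

// 2. Everything that ends up in a header is validated, not just cleaned.
$email = trim((string)($_POST['email'] ?? ''));
$name  = trim((string)($_POST['name'] ?? ''));
if (!header_safe($email) || !header_safe($name)
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    exit('Invalid contact details.');
}

// 3. Body fields may legitimately contain newlines; they cannot become headers
//    because mail() always separates headers from the body. stripslashes is
//    the summary's advice for magic_quotes-era PHP.
$projdesc = stripslashes((string)($_POST['projdesc'] ?? ''));

$subject = 'Practice Bite';                          // fixed, not from the form
$headers = "From: $name <$email>\r\nReply-To: $email";
$body    = "New Practice Bite\n\nContact Name: $name\nEmail: $email\n"
         . "Project Desc: $projdesc\n";

mail($RECIPIENT, $subject, $body, $headers);
echo '<p>Your practice bite has been submitted.</p>';
```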

11:36 am on July 6, 2006 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member henry0 is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Apr 19, 2003
posts:4388
votes: 2


The other problem that people have mentioned (automated posting just to send you spam) can only be solved 100% with captcha.

100% is no longer a rock solid statement.
I do not have any example but web rumors tell me that it has been broken.

Any proof around?

12:09 pm on July 6, 2006 (gmt 0)

Senior Member

WebmasterWorld Senior Member dreamcatcher is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 30, 2003
posts:3719
votes: 0


henry0, I've also heard rumours about the captcha not being as effective as it was, although from my own personal experience I've always found it pretty good.

Another easy solution and less server intense than the Captcha is to create a random simple sum and have people enter the total in a text box. I've found this to be very effective indeed.

dc

12:13 pm on July 6, 2006 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member henry0 is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Apr 19, 2003
posts:4388
votes: 2


Funny, I never mentioned it; this is exactly my own solution.

12:54 pm on July 6, 2006 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 14, 2003
posts:1550
votes: 0


dreamcatcher & henry0

I'm thinking of doing exactly that ... with a twist.

instead of 'just' having mathematical queries to answer, I am thinking of creating a table with around 150 questions / answers to 'validate' a form.

something varied so it cannot be easily bot-guessed, but easy enough for 'thick' people to know the answer - like:

  • what day is April Fool's day
  • what animal is Mickey
  • if today was Monday, what day would tomorrow be
  • how many dwarves were there in Snow White ...

that's 4 already ;)

would that be a good way of doing things?
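The random-sum check suggested earlier and the question-bank variation above, as one added example that is not from any poster in this thread. QUESTION_BANK, make_challenge() and check_challenge() are names chosen here, and the bank entries are constructed samples.

```php
<?php
// Added example, not code from the thread's posters: a session-backed
// challenge that serves either a random simple sum (dreamcatcher's idea)
// or a question from a bank (the 150-question idea above). The bank
// below is a constructed sample; the accepted answer never leaves the server.
session_start();

// Constructed sample bank: question => accepted answers, lower-case.
const QUESTION_BANK = [
    'What animal is Mickey?'                            => ['mouse', 'a mouse'],
    'If today were Monday, what day would tomorrow be?' => ['tuesday'],
    'How many dwarves were there in Snow White?'        => ['7', 'seven'],
];

// Pick a challenge, remember its answers in the session, return the prompt.
function make_challenge(): string {
    if (random_int(0, 1) === 0) {
        $a = random_int(1, 9);
        $b = random_int(1, 9);
        $_SESSION['challenge_answers'] = [(string)($a + $b)];
        return "What is $a + $b?";
    }
    $question = array_rand(QUESTION_BANK);
    $_SESSION['challenge_answers'] = QUESTION_BANK[$question];
    return $question;
}

// Compare the answer with what this session was asked, then forget it so a
// correct answer cannot be replayed for a second submission.
function check_challenge($submitted): bool {
    $expected = $_SESSION['challenge_answers'] ?? null;
    unset($_SESSION['challenge_answers']);
    if ($expected === null || !is_string($submitted)) {
        return false;   // no challenge issued: the form was never loaded
    }
    $given = strtolower(trim($submitted));
    return $given !== '' && in_array($given, $expected, true);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!check_challenge($_POST['answer'] ?? null)) {
        exit('Wrong answer to the check question; please go back and retry.');
    }
    // ... validate the other fields and send the mail here ...
    echo '<p>Thanks, your submission was accepted.</p>';
} else {
    $prompt = htmlspecialchars(make_challenge(), ENT_QUOTES, 'UTF-8');
    echo "<form method=\"post\"><p>$prompt</p>"
       . '<input name="answer"> <button>Send</button></form>';
}
```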

1:07 pm on July 6, 2006 (gmt 0)

Senior Member from US

WebmasterWorld Senior Member henry0 is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Apr 19, 2003
posts:4388
votes: 2


Depending on your target you can make it fit your customers'/viewers' profile.
For example, targeting home/garden: Is crab-grass a seafood or a grass nuisance?
If your users are very diversified it could be seen as an extra step.

3:00 pm on July 6, 2006 (gmt 0)

Administrator

WebmasterWorld Administrator jatar_k is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:July 24, 2001
posts:15755
votes: 0


>> I've also heard rumours about the captcha not being as effective as it was, although from my own personal experience I've always found it pretty good.

yeah, captcha will still do the job and yes, it has been cracked. I believe I saw the code actually; it was a while ago.

5:37 pm on July 6, 2006 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:May 30, 2003
posts:728
votes: 0


I do not have any example but web rumors tell me that it has been broken.

henry0, I've also heard rumours about the captcha not being as effective as it was, although from my own personal experience I've always found it pretty good.

yeah captcha will still do the job and yes it has been cracked

Captcha should just be one part of the defense:

Several groups have created programs that can pass many CAPTCHAs over 80% of the time.
Source [captcha.net] (see "Advancing AI")

Everyone considering the use of a captcha solution should also be aware of the accessibility problems [webmasterworld.com] they may cause.

-b

10:45 pm on July 6, 2006 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Oct 4, 2001
posts:1259
votes: 11


100% is no longer a rock solid statement.
I do not have any example but web rumors tell me that it (CAPTCHA) has been broken.

To clear up the misconception... CAPTCHA is not a thing, it's a blanket classification for a concept.

It's not possible to say "CAPTCHA has been broken!" Hehe.

Any system where you attempt to tell humans and computers apart by challenging them with some kind of interactive test is a CAPTCHA, as long as it's entirely automated on your side.

Asking a math (or other type of) question is as much a CAPTCHA as distorted numbers and letters. There are endless varieties of CAPTCHA type tests.

As far as traditional image type CAPTCHAs go... The capability to write a program that can parse and interpret a graphic has been around since before the web. In that sense CAPTCHA was broken long before the acronym was coined.

If you're clever, you can write a program to break a single CAPTCHA scheme. However, that program will only break that one CAPTCHA scheme and it will have taken you a lot of time and effort to write it.

There is no program in existence that could spider the web and just break any CAPTCHA it found. There are just too many variations. The best you could do would be to create a program that can break some popular CAPTCHA implementation where a lot of webmasters have used the same code. If you were ambitious you could perhaps write something that would handle small variations (it might break all number/letter type CAPTCHAs where single color text on a single color background was used and the only obfuscation method involved warping).

Having accomplished this you would (maybe) pull off breaking 5% of the CAPTCHAs encountered, and that's probably way too high a number.

Someone posted about groups claiming to break "many" CAPTCHA systems with 80% success. What that means is that they have an app that can pass a very weak type of CAPTCHA implementation and even then still fails 20% of the time.

If a spammer did take the huge amount of time to write the above program, the weak CAPTCHA systems it was able to break would quickly change to something else and the spammer would be back to square one.

Basically, it's still safe to say that you can stop automated posting 100% with a creative CAPTCHA. :-)

6:29 pm on July 11, 2006 (gmt 0)

Preferred Member

10+ Year Member

joined:Jan 19, 2004
posts:505
votes: 0


Has anyone ever experimented with mod_rewrite / RewriteCond to combat this issue?

I haven't played around with it yet, but it would be like passing a security variable through $_GET (graphic, math question, etc. as mentioned) back to the posting page and using a mod_rewrite RewriteCond to validate the URL.

Throwing 404 errors would cause bots to drop the originating URL and you wouldn't bother visitors so much.