I'm noticing a wave of new email injection attacks, on osCommerce and non-osCommerce sites alike. A robot looks for contact forms, and adds a linefeed followed by MIME headers. As yet I've only seen harmless tests; a Bcc: field is added, presumably to check if the page is vulnerable (I've got Bcc: jrubin3546@aol.com and bergkoch8@aol.com but there are others).
Adding MIME parts has the interesting effect of hiding the original message (e.g. a tell-a-friend message) and showing the new contents. What is this hack good for? Using your server as a SPAM relay! This is Not Good™; your server might be shut down rather quickly by your hosting company, or you might be blacklisted.
This might come as a surprise to many PHP programmers, as it's not possible to enter a linefeed in an <input> field... but hackers don't use input fields, they use scripts. I've successfully tested the attack, and the correction, on my site with this simple script:
#!/bin/sh
# POST is the lwp-request alias shipped with libwww-perl: it sends the
# contents of the file _post as the body of an HTTP POST to the URL.
POST http://www.goelette.net/thankyou < _post > /dev/null
_post holds the urlencoded fields as sent by the contact form, plus MIME headers and contents. (Don't bother trying, it doesn't work anymore.)
This function will truncate a string at the first CR or LF:
/*
 * Truncate at first CR or LF
 */
function clean_header($string) {
    $string = trim($string);
    // From RFC 822: "The field-body may be composed of any ASCII
    // characters, except CR or LF."
    if (strpos($string, "\n") !== false) {
        $string = substr($string, 0, strpos($string, "\n"));
    }
    if (strpos($string, "\r") !== false) {
        $string = substr($string, 0, strpos($string, "\r"));
    }
    return $string;
}
Usage: apply to all user-entered strings that go into mail headers. This can be done right out of the $_POST array, or in the mail function.
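As an added example (not code from the original post), here is how that truncation fits into a hardened contact-form handler: every field bound for a mail header is checked for CR/LF, an attempt is logged and refused rather than silently cleaned, and the sender address is validated before mail() is called. The field names, the recipient address and the shorter strcspn() rewrite of clean_header() are assumptions.

```php
<?php
// Added example (not the original post's code): a contact-form handler that
// applies the CR/LF rule to every header-bound field, logs and refuses
// injection attempts, then calls mail(). Field names are hypothetical.

// Equivalent of the post's clean_header(): keep everything before the
// first CR or LF (RFC 822 forbids both inside a header field-body).
function clean_header($string) {
    $string = trim($string);
    return substr($string, 0, strcspn($string, "\r\n"));
}

// True when the raw value contains a CR or LF, i.e. someone tried to
// append headers (Bcc:, Content-Type:, ...) to the submitted field.
function is_injection_attempt($string) {
    return strcspn($string, "\r\n") !== strlen($string);
}

function handle_contact_form(array $post) {
    $header_fields = array('name', 'email', 'subject');
    foreach ($header_fields as $field) {
        $raw = isset($post[$field]) ? $post[$field] : '';
        if (is_injection_attempt($raw)) {
            // Log it so the site owner can watch the probes and block repeat sources.
            $src = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'cli';
            error_log("mail header injection attempt in '$field' from $src");
            return false;           // refuse to send anything at all
        }
        $post[$field] = clean_header($raw);   // belt and braces
    }
    // The sender address must also be a single, well-formed address.
    if (!filter_var($post['email'], FILTER_VALIDATE_EMAIL)) {
        return false;
    }
    // Only headers must be newline-free; the message body may contain them.
    $headers = 'From: ' . $post['name'] . ' <' . $post['email'] . ">\r\n"
             . 'Reply-To: ' . $post['email'] . "\r\n";
    $body = isset($post['message']) ? $post['message'] : '';
    return mail('owner@example.com', $post['subject'], $body, $headers);
}

// Constructed probe of the kind described above: a Bcc: smuggled in after
// a linefeed. handle_contact_form() logs it and refuses to send.
$probe = array(
    'name'    => 'Tester',
    'email'   => "tester@example.com\nBcc: someone@example.com",
    'subject' => 'hello',
    'message' => 'just testing',
);
handle_contact_form($probe);
```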
Never ever trust user input. Don't even assume that the data reaching your script came through your form at all.