PHP FormMail Worm

Reply Post New Thread In Web Hosting Subscription
 
Send news tip View All Posts Thread Tools Search this Thread Display Modes
  #1  
Old 09-17-2005, 01:11 AM
NexDog NexDog is offline
Web Hosting God
 
Join Date: Dec 2001
Location: Above The Clouds
Posts: 6,633

PHP FormMail Worm


It has come to our attention that there is a nasty worm floating around that is compromising many PHP forms.

THE PROBLEM

The problem is that a worm is attacking forms that allow mail headers to be entered on forms and then passed to the "mail" function without correct validation.

The most common cause of this is where the "From:" or other header lines are not checked.

An example:
PHP Code:
  // Form values are concatenated straight into the header block
  $headers = 'From: ' . $_POST['username'] . ' <' . $_POST['usermail'] . '>';

  mail($to, $subject, $message, $headers);
All the worm needs to do is manipulate the "username" to read:
Code:
  info@yourdomain.com <info@yourdomain.com>\n\rBcc: victim@anotherdomain.com
And the mail will be bcc'd to plenty of others. It can further manipulate the headers to include MIME attachments and, basically, anything it likes.

*******************
THE SYMPTOMS

The current worm uses the domain name as a spoofed "from" e-mail address. It also attacks several fields in one go, so you commonly see a "MIME" header inside the mail.

Snippet of actual mail received (where domain.com is the domain where the form resides):
Quote:
> The following details were filled in on the form -
> Name: wlqo@domain.com
> Address: wlqo@domain.com
> Content-Type: multipart/mixed;
> boundary="===============1475260401=="
> MIME-Version: 1.0
> Subject: 9b94e8d5
> To: wlqo@domain.com
> bcc: jrubin3546@aol.com
> From: wlqo@domain.com
>
> This is a multi-part message in MIME format.
>
> --===============1475260401==
> Content-Type: text/plain; charset="us-ascii"
> MIME-Version: 1.0
> Content-Transfer-Encoding: 7bit
>
> qaetdqmst
> --===============1475260401==--
> wlqo@domain.com
> wlqo@domain.com
***********************************

THE PRIORITY FIX

Check anything that is passed as a header and remove \n and \r characters from user-inputted data.

This can most easily be achieved by (in the above example):
PHP Code:
   // ereg_replace() takes a single pattern, not an array; str_replace()
   // does the literal removal of the line-break characters
   $from = str_replace(array("\n", "\r"), '', $from);
Anything passed to the header is at risk - validate the e-mail address, username and, if sending HTML e-mail, practically everything!

NOTE: the double quotes are important.

***********************************

A SUGGESTED ADDITION

It is also suggested that you add validation that the user name does not contain your own domain name or "\n" or "\r". The above fix (which is the important one) will still send an e-mail - just not maliciously, as it goes to a non-existent address. Adding code validation will prevent the mail from actually being sent.

__________________
- Laurence Flynn - atOmicVPS LTD

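The vulnerable header build from the post beside a hardened version, added here as an example and not code from the post. The field names "username" and "usermail" are the post's own; the helper names, the address validation and the constructed sample inputs are assumptions. Rather than stripping line breaks, it rejects the submission so mail() is never called, which is what the "suggested addition" above asks for.

```php
<?php
// Added example, not code from the original post. Field names "username" and
// "usermail" are taken from the post; everything else here is constructed.

// The vulnerable build from the post: raw form values go straight into the
// header block, so a CR/LF in either field starts a new header line.
function build_headers_vulnerable(array $post): string
{
    return 'From: ' . $post['username'] . ' <' . $post['usermail'] . '>';
}

// Hardened build: refuse the submission (return null, so mail() is never
// called) instead of silently stripping, and require a valid address.
function build_headers_safe(array $post): ?string
{
    $name = (string) ($post['username'] ?? '');
    $mail = (string) ($post['usermail'] ?? '');

    // Any CR, LF or NUL in a header value is a header injection attempt.
    if (preg_match('/[\r\n\0]/', $name . $mail) === 1) {
        return null;
    }
    if (filter_var($mail, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Keep the display name to a conservative character set so it cannot
    // carry header syntax such as ':' or '<'.
    $name = preg_replace('/[^A-Za-z0-9 .\'-]/', '', $name);
    if ($name === '') {
        $name = $mail;
    }
    return 'From: ' . $name . ' <' . $mail . '>';
}

// Constructed inputs: the first mirrors the payload quoted in the post.
$injected = [
    'username' => "info@yourdomain.com <info@yourdomain.com>\n\rBcc: victim@anotherdomain.com",
    'usermail' => 'info@yourdomain.com',
];
$clean = ['username' => 'Jane Doe', 'usermail' => 'jane@example.com'];

// The vulnerable build lets the injected Bcc line through as a real header.
echo "vulnerable:\n", build_headers_vulnerable($injected), "\n\n";

// The hardened build rejects the injected submission and accepts the clean one.
foreach (['injected' => $injected, 'clean' => $clean] as $label => $post) {
    $headers = build_headers_safe($post);
    echo $label, ': ', $headers === null ? 'rejected, mail() not called' : $headers, "\n";
}
```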
#2
09-17-2005, 02:41 AM
Website Rob
Excellent info NexDog, very good info for everyone.

Too many Forms out there that do not have "required field" settings. As most Bots cannot determine
what is 'required', the more required fields the better -- and your script is pretty safe. Another plus is
that people always get Forms filled out with correct information.

#3
09-17-2005, 03:28 AM
Philco

#4
09-17-2005, 05:21 AM
WireNine
Thank you for sharing Mr. Laurence

#5
09-17-2005, 11:46 AM
georgeolm

Quote:
Originally posted by NexDog
> [post #1 above, quoted in full]
Hello all, long time reader, first time poster.

Nex - many should thank you for taking time to post about this, it'll save lots of people lots of headaches. However, there is one important detail you're missing. The exploit can be achieved by crafting a special MESSAGE BODY as well as "from" or other headers. Simply stripping newlines from the body of the message isn't going to work for everyone since newlines are typically valid as part of most messages. One should use regular expressions (e.g. proper data filtering) on all the fields, including the message (or equivalent) field to search for any headers, because having a message of something like
----------------------------
bcc: abusedmail@anywhere.com

This is a spammy message
----------------------------

will bypass your check and will result in the exploit being achieved. I hope this helps others. Philco posted a link to an article that explains this better than I can (I'm not allowed to post the link, I have less than 5 posts).

In summary, make sure to use regular expressions on the body of the message to check for anything that can be interpreted as a header; simply checking the "to", "subject" and "from" data is insufficient protection from this vulnerability.

Happy coding!

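The body check georgeolm recommends, written as an added example rather than code from the thread. The list of header names to flag, the function name and the sample bodies are assumptions; the first sample is the message from the post above, the second mirrors the MIME-stuffed submission quoted in post #1.

```php
<?php
// Added example, not code from the original thread. Implements the body check
// post #5 recommends; the header-name list and sample bodies are constructed.

// Headers that, if smuggled into a message body, change where the mail goes or
// how it is rendered. Matched case-insensitively at the start of a line.
const RISKY_HEADERS = 'to|cc|bcc|content-type|mime-version|content-transfer-encoding';

// Returns the first body line that looks like one of the risky headers, or
// null if the body reads as ordinary text. Real newlines stay allowed, which
// is why a plain "strip \n and \r" fix cannot be applied to the message field.
function find_header_in_body(string $body): ?string
{
    foreach (preg_split('/\r\n|\r|\n/', $body) as $line) {
        if (preg_match('/^\s*(' . RISKY_HEADERS . ')\s*:/i', $line) === 1) {
            return $line;
        }
    }
    return null;
}

// Constructed sample bodies: post #5's example, a MIME-stuffed submission in
// the style quoted in post #1, and a benign enquiry.
$samples = [
    'spammy' => "bcc: abusedmail@anywhere.com\n\nThis is a spammy message",
    'mime'   => "Name: wlqo@domain.com\nContent-Type: multipart/mixed; boundary=\"x\"\nMIME-Version: 1.0",
    'benign' => "Hi,\n\nPlease quote me for 10 units.\nRegards, Jane",
];

foreach ($samples as $label => $body) {
    $hit = find_header_in_body($body);
    // A hit means the submission should be refused before mail() is reached.
    echo $label, ': ', $hit === null ? 'ok' : 'rejected (' . $hit . ')', "\n";
}
```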
#6
09-17-2005, 01:38 PM
Dan L
Great first post, George, never realized that header data could be prepended to a message.

#7
09-17-2005, 02:20 PM
VolkNet
Darn, we just got blasted with this one on our SEO site...

Thanks for the heads up!

#8
09-17-2005, 04:02 PM
sotet

I have been made aware of attacks like this as well, just in the past week or so on various websites. Basically, many people leave old or vulnerable forms online which have been found and exploited by spammers.

Thanks for the details on the Perl code.

Here is an interesting blog entry about this recent wave of spamming attempts along with a long thread of interesting reader replies.

http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay


#9
09-17-2005, 07:22 PM
mwreid
Great information in this thread.

I'm just wondering if it would be better if this thread were moved to either the Technical & Security Issues forum or the Programming Discussion forum.

Those are the places I would look for this type of info, and where I would most likely run a search if I were trying to find this thread in the future.

#10
09-19-2005, 11:25 AM
sigfrid2000
Just what we were looking for! Thanks for sharing your useful experience with us :-))
