Email form -- secure or not?

pittendrigh · 01-17-2016, 12:49 PM

I have a CentOS virtual dedicated server with a half a dozen websites. Only one of which has had an email form so visitors can send me email. I thought I did what was needed to keep bots form exploiting the form. Among other things this (php) email form would exit if any newlines or carriage returns were found in the POST widget for the From address.

But I recently started to get email like the following, which is a strange mixture of valid ascii and gibberish:

mailTo: plkQrWAQiNJ
anXfY0 <a href="http://kehxmcnnvkra.com/">kehxmcnnvkra</a>,
cqggnpeutoir,
[link=http://ltrggpuqdlks.com/]ltrggpuqdlks[/link],
http://upjonkwnbyqs.com/

I replaced the form with codes that simply display a jpeg image of my email address and the gibberish email stopped. So the above seems to be the result of hacker attempts to exploit my form. Did they succeed? Why does the above email header like text include gibberish and well formated ascii?

What follows was my meagre attempt at a secure email form:

<?php ......

function exitOnSuspicious() {
$flag=0;

if (strlen($_POST['message']) > 1024)
exit;

if ($_SESSION['spam'] != 'didUseForm')
exit;

if (strlen($_POST['toName']) > 32 || strstr($_POST['toName'], '\n') || strstr($_POST['toName'], '\r'))
exit;

if (strlen($_POST['fromname']) > 32 || strstr($_POST['fromname'], '\n') || strstr($_POST['fromname'], '\r'))
exit;

// the following--an @ in the toName--is not what could from the mkToSelect function,
// which suggests a hackign attempt.
//
if (@preg_match_all('@', $_POST['toName']) > 1)
exit;

if (strstr($_POST['message'], 'href=') || strstr($_POST['message'], 'url=') || strstr($_POST['message'], 'link='))
$flag=1;

if($flag == 1)
{
header("location: http://nsa.gov");
}

exit;
}

teapottwo · 01-20-2016, 09:01 AM

If its a feedback form, why are you letting them fill in the To field. You don't even need to show them your email address in this situation.

Here's some built in filters for PHP: http://php.net/manual/en/filter.examples.validation.php

Yes some stuff will still get through and other won't, but its a lot better than the rules you have!
This is easier to find than the rfc, https://en.wikipedia.org/wiki/Email_address#Syntax

pittendrigh · 01-20-2016, 09:22 AM

I allowed them to choose the To: field from a dropdown because......at one time this was on an academic site where the mail might have gone in several directions. And if the incoming name wasn't in a hard-coded list the code did exit.

But that does make it weaker. You are right. Thanks. Makes sense. Good links.

Glad I posted this.

teapottwo · 01-20-2016, 10:23 AM

The list is ok if you check for a match within the list from PHP before sending.

The list in the form itself can be bypassed.

sundialsvcs · 01-20-2016, 02:41 PM

"Bots" are a scourge, but a simple "captcha" usually stops them cold.

teapottwo · 01-20-2016, 03:20 PM

Quote:

Originally Posted by sundialsvcs

"Bots" are a scourge, but a simple "captcha" usually stops them cold.

Not long ago I tried to register at another more specific linux forum, their CSS was messed up so I couldn't see their special CAPTCHA correctly, however I could see that it was simply a choice from 4 images, it didn't take long before the first option was correct.

Moral: limit attempts within time period for IP.

dugan · 01-20-2016, 11:58 PM

Yeah, I use recaptcha.