[mod-security-users] PHP mail() header injection issues
From: Mojo J. <my...@li...> - 2005-12-16 01:39:30
Hello, I am new to the list and hope this post is not off topic in some way. I have read in a few places that installing mod_security was a good way to combat PHP mail() header injection issues. I have installed mod_security on the server in question and think I have got it set up to protect against future attacks. For now I have turned it off because I want to first duplicate the issue so I can then turn mod_security on and see if it stops the same exploit I can do with it off. Please see my post below, which I recently posted to a web hosting forum; any help would be greatly appreciated!

####################Post to forum##############################

We are seeing some issues on one of our servers where SPAMMERS are taking advantage of some of the PHP forms using mail() to send SPAM. I have been reading about this for days and I am stuck on a few things. First, I need to know how to re-create the issue before I can test to see if I stopped it. I have read this article here for example: http://securephp.damonkohler.com/ind...mail_Injection which is a great article.

The thing I don't get is this: it shows that the SPAMMER could enter a string like this in the "From:" field of your form: "se...@an...%0ACc:rec...@so...%0AB...@gr...,som...@oo..." which would send out his SPAM. The thing that has me stuck is this: every time I try to punch this string into a sample "From:" field on a test form, when I print the string to the screen it comes out exactly like that, with the "%0A" and all. The "%0A" is supposed to be converted into a "\n", which is needed for the exploit to work. The problem is that POST data does not get unencoded like GET data on the other end and the PHP mail() just barfs. If I try to send the same string with plain old "\n" then it ends up looking like this "\\n" on the other side because Magic Quotes is escaping my backslash.

I am confused as to how the SPAMMERS have been able to successfully pass the "\n" which is needed in a POST when I can't do it myself. I know they are doing it because I have seen the SPAM go through the machine and I know it came from a FORM pretty much identical to my test form. Any ideas? This is driving me seriously buggy.
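
Added example, not part of the original post: independently of any mod_security rule, a PHP form handler can refuse a value destined for a mail() header whenever it carries a line break, raw or percent-encoded, before the header string is built. The function name `clean_header_address` and the sample inputs are constructed for illustration.

```php
<?php
// Added example (not from the original post). Hypothetical helper that
// returns a single validated address, or null if the value must be refused.
function clean_header_address(string $value): ?string
{
    // A header value must stay on one line. Refuse raw CR/LF, and also the
    // percent-encoded forms in case the value is URL-decoded again later.
    if (preg_match('/[\r\n]|%0a|%0d/i', $value)) {
        return null;
    }

    // Accept exactly one syntactically valid address, nothing else.
    $addr = filter_var(trim($value), FILTER_VALIDATE_EMAIL);
    return $addr === false ? null : $addr;
}

// Constructed sample inputs, standing in for $_POST['from'].
$samples = [
    'plain address'        => 'visitor@example.com',
    'raw line feed'        => "visitor@example.com\nCc: other@example.net",
    'raw CRLF'             => "visitor@example.com\r\nBcc: other@example.net",
    'percent-encoded LF'   => 'visitor@example.com%0ACc:other@example.net',
    'two addresses'        => 'visitor@example.com, other@example.net',
];

foreach ($samples as $label => $input) {
    $from = clean_header_address($input);
    printf("%-20s => %s\n", $label, $from === null ? 'rejected' : "From: $from");
}

// In the form handler, the header is built only from the cleaned value:
//   $from = clean_header_address($_POST['from'] ?? '');
//   if ($from === null) { http_response_code(400); exit; }
//   mail($to, $subject, $body, "From: $from");
```

The same single-line check applies to every other user-supplied value that ends up in the subject or the additional headers argument of mail().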