mod-security-users

[mod-security-users] PHP mail() header injection issues

[Mojo J. <my...@li...>]

Hello, I am new to the list and hope this post is not off topic in some way.


I have read in a few places that installing mod_security was a good way to 
combat PHP mail() header injection issues.


I have installed mod_security on the server in question and think I have got 
it setup to protect against future attacks.


For now I have turned it off because I want to first duplicate the issue so 
I can then turn mod_security on and see if it stops the same exploit I can 
do with it off.


Please see my post below which I recently posted to a web hosting forum, any 
help would be greatly appreciated!


####################Post to forum##############################


We are seeing some issues on one of our servers where SPAMMERS are taking 
advantage of some of the php forms using mail() to send SPAM.


I have been reading about this for days and I am stuck on a few things.


First, I need to know how to re-create the issue before I can test to see if 
I stopped it.


I have read this article here for example:

http://securephp.damonkohler.com/ind...mail_Injection


which is a great article.


Thing I don't get is this, it shows that the SPAMMER could enter a string 
like this in the "From:" field of your form:

"se...@an...%0ACc:rec...@so...%0AB...@gr...,som...@oo..."which 
would send out his SPAM.


Thing that has me stuck is this, everytime I try to punch this string into a 
sample "From:" field on a test form, when I print the string to the screen 
it comes out exactly like that with the "%0A" and all. The "%0A" is suppose 
to be converted into a "\n" which is needed of for the exploit to work. 
Problem is that POST data does not get unencoded like GET data on the other 
end and the PHP mail() just barfs.


If I try to send the same string with plain old "\n" then it ends up looking 
like this "\\n" on the other side because Magic Quotes is escaping my 
backslash.

I am confused as to how the SPAMMERS have been able to successfully pass the 
"\n" which is needed in a POST when I can't do it myself.

I know they are doing it because I have seen the SPAM go through the machine 
and I know if came from a FORM pretty much identical to my test form.

Any ideas? This is driving me seriously buggy..

Re: [mod-security-users] PHP mail() header injection issues

[Ivan R. <iv...@we...>]

Mojo Jojo wrote:
>
> Thing that has me stuck is this, everytime I try to punch this string
> into a sample "From:" field on a test form, when I print the string to
> the screen it comes out exactly like that with the "%0A" and all. The
> "%0A" is suppose to be converted into a "\n" which is needed of for the
> exploit to work. Problem is that POST data does not get unencoded like
> GET data on the other end and the PHP mail() just barfs.
> 
> If I try to send the same string with plain old "\n" then it ends up
> looking like this "\\n" on the other side because Magic Quotes is
> escaping my backslash.
> 
> I am confused as to how the SPAMMERS have been able to successfully pass
> the "\n" which is needed in a POST when I can't do it myself.

  That's because you are trying to work it out through the browser.
  But if you access the form programmatically you can construct
  any content you like, replacing %0A (encoded \n with three characters)
  with only one character \n.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

Re: [mod-security-users] PHP mail() header injection issues

[Kelson <ke...@sp...>]

Ivan Ristic wrote:
>   That's because you are trying to work it out through the browser.
>   But if you access the form programmatically you can construct
>   any content you like, replacing %0A (encoded \n with three characters)
>   with only one character \n.

One way I tested some of my scripts was to replace a bunch of <input 
type="text"> fields with <textarea></textarea>.  Even just tossing stuff 
in there proved very educational!

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>