[exim] Insecure php form alters header by adding bcc

Pàgina inicial
Delete this message
Reply to this message
Autor: list1@dnsbureau.com
Data:  
A: exim-users
Assumpte: [exim] Insecure php form alters header by adding bcc
One of my simple php form is compromised by somehow pushing data through a
field from the webpage. It looks like they used the "e-mail" field to
basicly
alter the header. The "bcc" to aol address is not legit. I run php 4.4.0
with
register globals OFF and exim 4.51 with mysql authentication.
You can see the double "To:" and "Subject". Also there isn't supposed to
be any
"Content-Type: ....."

Any feedback to make the form secure would be appreciated.

"mail($to, $subject, $msg, $mailheaders);"



Delivery-date: Thu, 28 Jul 2005 13:11:10 -0700
Received: from www by mail.changedname.net with local (Exim 4.51)
    id IKCTEM-000IUR-78; Thu, 28 Jul 2005 13:11:10 -0700
To: george@???
Subject:  AUTO-MAIL FROM CAPTURE
From: hmnxdodfjt@???
Content-Type: multipart/mixed; boundary=\"===============0401069612==\"
MIME-Version: 1.0
Subject: b68e7b8d
To: hmnxdodfjt@???
From: hmnxdodfjt@???
Message-Id: <EIKCTEM-000IUR-78@???>
Sender: World Wide Web Server <www@???>
Date: Thu, 28 Jul 2005 13:11:10 -0700


This is a multi-part message in MIME format.

--===============0401069612==
Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

nhelm
--===============0401069612==--



---------------------------------------------------------------------
NAME:            hmnxdodfjt@???
PHONE:           hmnxdodfjt@???
E-MAIL:          mailto:hmnxdodfjt@changedname.net
Content-Type: multipart/mixed; boundary=\"===============0401069612==\"
MIME-Version: 1.0
Subject: b68e7b8d
To: hmnxdodfjt@???
bcc: bergkoch8@???
From: hmnxdodfjt@???


This is a multi-part message in MIME format.

--===============0401069612==
Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

nhelm
--===============0401069612==--


---------------------------------------------------------------------
SUBJECT:         hmnxdodfjt@???
---------------------------------------------------------------------
COMMENT:


hmnxdodfjt@???
---------------------------------------------------------------------
28-07-2005 | 1:11 pm
qsmi.com


From exim log:

2005-07-28 13:11:10 IKCTEM-000IUR-78 <= www@??? U=www
P=local S=1678
2005-07-28 13:11:10 IKCTEM-000IUR-78 ** hmnxdodfjt@???:
Unrouteable address
2005-07-28 13:11:10 IKCTEM-000IUR-78 => george@???
R=mysql_user T=mysql_delivery
2005-07-28 13:11:11 IKCTEM-000IUR-78 => bergkoch8@??? R=dnslookup
T=remote_smtp H=mailin-01.mx.aol.com [205.188.155.89]
2005-07-28 13:11:11 IKCTEM-000IUR-78 Completed



This is the way the header looks like when it's not compromised...



Delivery-date: Thu, 28 Jul 2005 15:59:24 -0700
Received: from www by mail.changedname.net with local (Exim 4.51)
    id IKD170-0000PQ-JJ
    for george@???; Thu, 28 Jul 2005 15:59:24 -0700
To: george@???
Subject: AUTO-MAIL FROM CAPTURE
From: test@???
Message-Id: <EIKD170-0000PQ-JJ@???>
Sender: World Wide Web Server <www@???>
Date: Thu, 28 Jul 2005 15:59:24 -0700



---------------------------------------------------------------------
NAME:            test
PHONE:           test
E-MAIL:          mailto:test@test.com


---------------------------------------------------------------------
SUBJECT:         test
---------------------------------------------------------------------
COMMENT:


test
---------------------------------------------------------------------
28-07-2005 | 3:59 pm





George