One of my simple PHP forms was compromised by somehow pushing data through a field on the web page. It looks like they used the "e-mail" field to basically alter the header. The "bcc" to an AOL address is not legit. I run PHP 4.4.0 with register_globals OFF and Exim 4.51 with MySQL authentication.
You can see the double "To:" and "Subject:". Also, there isn't supposed to be any "Content-Type: ....." header.
Any feedback to make the form secure would be appreciated.
"mail($to, $subject, $msg, $mailheaders);"
Delivery-date: Thu, 28 Jul 2005 13:11:10 -0700
Received: from www by mail.changedname.net with local (Exim 4.51)
id IKCTEM-000IUR-78; Thu, 28 Jul 2005 13:11:10 -0700
To: george@???
Subject: AUTO-MAIL FROM CAPTURE
From: hmnxdodfjt@???
Content-Type: multipart/mixed; boundary=\"===============0401069612==\"
MIME-Version: 1.0
Subject: b68e7b8d
To: hmnxdodfjt@???
From: hmnxdodfjt@???
Message-Id: <EIKCTEM-000IUR-78@???>
Sender: World Wide Web Server <www@???>
Date: Thu, 28 Jul 2005 13:11:10 -0700
This is a multi-part message in MIME format.
--===============0401069612==
Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
nhelm
--===============0401069612==--
---------------------------------------------------------------------
NAME: hmnxdodfjt@???
PHONE: hmnxdodfjt@???
E-MAIL: mailto:hmnxdodfjt@changedname.net
Content-Type: multipart/mixed; boundary=\"===============0401069612==\"
MIME-Version: 1.0
Subject: b68e7b8d
To: hmnxdodfjt@???
bcc: bergkoch8@???
From: hmnxdodfjt@???
This is a multi-part message in MIME format.
--===============0401069612==
Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
nhelm
--===============0401069612==--
---------------------------------------------------------------------
SUBJECT: hmnxdodfjt@???
---------------------------------------------------------------------
COMMENT:
hmnxdodfjt@???
---------------------------------------------------------------------
28-07-2005 | 1:11 pm
qsmi.com
From the Exim log:
2005-07-28 13:11:10 IKCTEM-000IUR-78 <= www@??? U=www P=local S=1678
2005-07-28 13:11:10 IKCTEM-000IUR-78 ** hmnxdodfjt@???: Unrouteable address
2005-07-28 13:11:10 IKCTEM-000IUR-78 => george@??? R=mysql_user T=mysql_delivery
2005-07-28 13:11:11 IKCTEM-000IUR-78 => bergkoch8@??? R=dnslookup T=remote_smtp H=mailin-01.mx.aol.com [205.188.155.89]
2005-07-28 13:11:11 IKCTEM-000IUR-78 Completed
This is the way the header looks when it's not compromised...
Delivery-date: Thu, 28 Jul 2005 15:59:24 -0700
Received: from www by mail.changedname.net with local (Exim 4.51)
id IKD170-0000PQ-JJ
for george@???; Thu, 28 Jul 2005 15:59:24 -0700
To: george@???
Subject: AUTO-MAIL FROM CAPTURE
From: test@???
Message-Id: <EIKD170-0000PQ-JJ@???>
Sender: World Wide Web Server <www@???>
Date: Thu, 28 Jul 2005 15:59:24 -0700
---------------------------------------------------------------------
NAME: test
PHONE: test
E-MAIL: mailto:test@test.com
---------------------------------------------------------------------
SUBJECT: test
---------------------------------------------------------------------
COMMENT:
test
---------------------------------------------------------------------
28-07-2005 | 3:59 pm
George
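A hardened version of the form's mail() call, written here as an added example rather than the poster's own code. It assumes the form fields are named name, phone, email, subject and comment (taken from the labels in the captured message), that only the e-mail field was ever copied into the headers, and uses placeholder addresses.

```php
<?php
// Hardened replacement for the mail($to, $subject, $msg, $mailheaders) call.
// Added example, not the poster's code. Field names name/phone/email/subject/
// comment are assumed from the labels in the captured message; addresses are
// placeholders.

// A value that reaches a header must not contain CR, LF or NUL: the extra
// To:/bcc:/Content-Type: lines in the captured message were produced by
// smuggling line breaks into a field that was copied into $mailheaders.
function header_safe($value)
{
    return strpos($value, "\r") === false
        && strpos($value, "\n") === false
        && strpos($value, "\0") === false;
}

// Accept a single bare address only: no display name, spaces or brackets.
function valid_email($value)
{
    return strlen($value) <= 254
        && preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/', $value) === 1;
}

function send_capture_mail($to, $fields)
{
    $email = isset($fields['email']) ? $fields['email'] : '';
    if (!header_safe($email) || !valid_email($email)) {
        return false;   // log the attempt and show a generic error instead
    }

    // Build every header from fixed strings; the only user-controlled piece
    // is the validated address, placed in Reply-To rather than From.
    $headers  = "From: World Wide Web Server <www@example.invalid>\r\n";
    $headers .= "Reply-To: " . $email . "\r\n";
    $headers .= "Content-Type: text/plain; charset=us-ascii\r\n";
    $subject  = "AUTO-MAIL FROM CAPTURE";   // fixed, never taken from the form

    // Free-text fields go in the body only, with control characters stripped
    // so they cannot be mistaken for header lines or boundaries by a viewer.
    $body = "";
    foreach (array('name', 'phone', 'email', 'subject', 'comment') as $f) {
        $raw   = isset($fields[$f]) ? $fields[$f] : '';
        $clean = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $raw);
        $body .= strtoupper($f) . ": " . $clean . "\n";
    }

    return mail($to, $subject, $body, $headers);
}
// Usage: $ok = send_capture_mail('george@example.invalid', $_POST);
```

If magic_quotes_gpc is on (the PHP 4 default), run stripslashes() on the fields before validating; the backslashed quotes in the captured boundary= line look like its handiwork.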