user99999999 Posted September 1, 2005

Ya I know what you did. Did you try the link I posted?
crashwave Posted September 1, 2005

Yes I saw that, but from what I read that only fixes it if the URL in the address bar is messed with. What about it being sent from other pages or computers? This is actually the form being submitted; if we check for @ (or any other form of email coding) in the name input, that should stop emails from being placed in the name field.

q_|_|| _|9~~J >-o>-o q_|_|| )| q_|| )
wheeloftime Posted September 1, 2005

> There is a setting in the server's httpd.conf file which sets whether .htaccess files are invisible or not. They should be set to be invisible. You can check this by FTP'ing to your website. If you can see the .htaccess files then they're not set to be invisible, in which case it's just possible that someone penetrated them (password protection is controlled by these files). If they are visible get back to your hosting company - they control the httpd.conf file! Vger

And what about FTP programs which have the option to show hidden files? Is that prevented also through the httpd.conf file?
user99999999 Posted September 1, 2005

> Yes I saw that, but from what I read that only fixes it if the URL in the address bar is messed with. What about it being sent from other pages or computers? This is actually the form being submitted; if we check for @ (or any other form of email coding) in the name input, that should stop emails from being placed in the name field.

No, I think you missed it.

    function tep_mail($to_name, $to_email_address, $email_subject, $email_text, $from_email_name, $from_email_address) {
      if (SEND_EMAILS != 'true') return false;

      // Remove any newline and anything after it on the header fields of the mail.
      // $to_email_address and $from_email_address are checked with tep_validate_email().
      $to_name = preg_replace('/[\r\n].*/', '', $to_name);
      $email_subject = preg_replace('/[\r\n].*/', '', $email_subject);
      $from_name = preg_replace('/[\r\n].*/', '', $from_name);

    $from_name = 'Dave' . "\n" . 'bcc: ******@gmail.com'; // header injection
    $from_name = preg_replace('/[\r\n].*/', '', $from_name);
    echo $from_name; // prints Dave

Whatever you send to the tep_mail() function will get cleaned.
user99999999 Posted September 1, 2005

> And what about FTP programs which have the option to show hidden files? Is that prevented also through the httpd.conf file?

It's fine to see .htaccess files in your FTP client. It's not good if you can access them via HTTP.
crashwave Posted September 1, 2005

>     function tep_mail($to_name, $to_email_address, $email_subject, $email_text, $from_email_name, $from_email_address) {
>       if (SEND_EMAILS != 'true') return false;
>
>       // Remove any newline and anything after it on the header fields of the mail.
>       // $to_email_address and $from_email_address are checked with tep_validate_email().
>       $to_name = preg_replace('/[\r\n].*/', '', $to_name);
>       $email_subject = preg_replace('/[\r\n].*/', '', $email_subject);
>       $from_name = preg_replace('/[\r\n].*/', '', $from_name);

Looks promising. I was talking about the contribution link though: http://www.oscommerce.com/community/contributions,2976

If the contact_us.HTML page is saved on another server, that won't help.

q_|_|| _|9~~J >-o>-o q_|_|| )| q_|| )
knifeman Posted September 1, 2005

> It's fine to see .htaccess files in your FTP client. It's not good if you can access them via HTTP.

Here is what my web host had to say about the files: if you make sure that in each dir you have an index.htm, index.html, index.php, or default.htm, no one can see these files anyway. Also in your FTP program you can turn this on and off. I have used this little trick to hide my image directories from viewers.
user99999999 Posted September 1, 2005

There are two problems now. This is about XSS, which allows someone to execute JavaScript in the client by coding it in the URL: http://www.oscommerce.com/community/contributions,2976

The other is header injection, which allows you to inject an alternate email address and content even though contact_us is hard-coded to send mail only to the site admin.
wheeloftime Posted September 1, 2005

> It's fine to see .htaccess files in your FTP client. It's not good if you can access them via HTTP.

Yes, you are right of course. I tried and that's okay. I made the changes you suggested for html_output.php and general.php and I hope not to see those spam emails again (suddenly got a couple over the last days and had no clue how). Thanks.
user99999999 Posted September 1, 2005

> Yes, you are right of course. I tried and that's okay. I made the changes you suggested for html_output.php and general.php and I hope not to see those spam emails again (suddenly got a couple over the last days and had no clue how). Thanks.

Put this URL in your browser: http://www.wheeloftime.nl/.htaccess

The result is unrelated to any .php on your site.
Guest Posted September 1, 2005

Ok, so I did an upgrade on the filtering, clearing the enquiry vars, since they could run a script for re-entry. Now I have 2 things that could be useful for others.

1. Integrate a verification code with your email input forms on the catalog side. There is a contribution available. That should take care of automated scripts in general.

2. Within each form file (contact_us.php etc.) I initialize an array of restricted strings someone will attempt to enter to initiate cross scripting. So before passing anything to the tep_mail function I call another function first, checking whether any of the elements of the array matches the input string. The elements are strings like bcc: etc... If my code finds one of those I use tep_redirect to a "ban file" that writes an IP entry in the .htaccess file. This is from another contribution, the "spider bait", and that in turn sends me an email for the IP ban.

The thing is, if you don't ban the bot or whoever tries to do that, he gets a chance to retry scripts and figure out other weaknesses, and that's not good.
crashwave Posted September 2, 2005

To validate ANY string, in general.php at the bottom add (from the PHP site):

    // yes, that is a space before the closing " to allow for spaces between words/names
    function valid_str($str, $validlength, $validmask = "abcdefghijklmnopqrstuvwxyz0123456789_- ") {
      $str = strtolower($str);
      if (strspn($str, $validmask) == strlen($str) && strlen($str) <= $validlength) return true;
      return false;
    } // Hadir @ phpmom

Then anywhere you need to validate the text, like $name in contact_us, add:

    if (valid_str($name, 20)) { // or whatever length you want
      // <<< ok to send mail and confirm >>>
    } else {
      // <<< send to "you messed up" page >>>
    }

q_|_|| _|9~~J >-o>-o q_|_|| )| q_|| )
Jan Zonjee Posted September 2, 2005

> To validate ANY string, in general.php at the bottom add (from the PHP site):
>
>     // yes, that is a space before the closing " to allow for spaces between words/names
>     function valid_str($str, $validlength, $validmask = "abcdefghijklmnopqrstuvwxyz0123456789_- ")

Yes, and what if the person doesn't have an English name? Like H?rekn?tt?r?
crashwave Posted September 2, 2005

You can add the characters you want to the function. Change

    $validmask = "abcdefghijklmnopqrstuvwxyz0123456789_- ")

to

    $validmask = "abcdefghijklmnopqrstuvwxyz0123456789_- ???")

or in your if statement change

    if (valid_str($name, 20))

to

    if (valid_str($name, 20, 'abcdefghijklmnopqrstuvwxyz0123456789_- ???'))

q_|_|| _|9~~J >-o>-o q_|_|| )| q_|| )
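An added example (not code from this thread or from osCommerce) of the same idea done with a Unicode-aware allow-list instead of a byte mask, so names with accented or non-Latin letters pass while anything that could carry an email address or start a new mail header is still refused. The function name `valid_name()` and the sample inputs are constructed for this example; it needs PCRE with UTF-8 support, which stock PHP ships with.

```php
<?php
// Added example, not code from this thread: an allow-list check for the name
// field that accepts letters from any script (the non-English-name objection
// raised above) while still refusing anything that could carry an email
// address or start a new mail header. Function name and samples are constructed.

function valid_name(string $name, int $maxLength = 40): bool
{
    // \p{L} = any letter, \p{M} = combining marks (accents), \p{N} = digits,
    // plus space, period, apostrophe and hyphen. No '@', no ':', no CR/LF.
    // The 'u' modifier makes preg_match fail on invalid UTF-8, which also
    // rejects the value. {1,N} counts characters, so no mbstring is needed.
    // \z is used instead of $ because $ would still match "Dave\n".
    $pattern = sprintf('/^[\p{L}\p{M}\p{N} .\'-]{1,%d}\z/u', $maxLength);
    return preg_match($pattern, $name) === 1;
}

// Constructed inputs with the verdict each one should get.
$samples = [
    'Dave'                      => true,
    "O'Brien-Smith"             => true,
    'Hárekur Knútsson'          => true,   // accented letters are letters
    'Zoë Müller-Lüdenscheidt'   => true,
    'dave@example.com'          => false,  // an address in the name field
    "Dave\nbcc: x@example.net"  => false,  // attempt to add a header line
    "Dave\n"                    => false,  // trailing newline alone
    'Dave: Content-Type: text'  => false,  // colon
    str_repeat('a', 41)         => false,  // over the length cap
    "\xff\xfe"                  => false,  // not valid UTF-8
];
foreach ($samples as $input => $expected) {
    $got   = valid_name($input);
    $shown = json_encode($input, JSON_UNESCAPED_UNICODE | JSON_INVALID_UTF8_SUBSTITUTE);
    printf("%-34s %s\n", $shown, $got === $expected ? 'ok' : 'MISMATCH');
}
```

The `\z` anchor matters: with a plain `$` the pattern would accept a value ending in a single newline, which is exactly the kind of input a header-injection attempt relies on.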
wheeloftime Posted September 3, 2005

I have made the suggested changes (tep_mail and tep_draw_textarea_field) but I nevertheless just received another spam email through my contact us page:

    Return-Path: <xxx@xxxxx>
    Delivered-To: 270-xxx@xxxxxx
    Received: (qmail 4288 invoked by uid 48); 3 Sep 2005 04:44:27 -0000
    Date: 3 Sep 2005 04:44:27 -0000
    Message-ID: <20050903044427.4287.xxxx@xxxxxxx>
    To: "Howard van der Burgt" <xxx@xxxxxx>
    Subject: Vraag/Opmerking voor Wheel of Time
    From: "[email protected]" <[email protected]>
    MIME-Version: 1.0
    X-Mailer: osCommerce Mailer
    Content-Type: multipart/alternative; boundary="=_cf02e8d57ef6ef34e2356f890263a4e1"
    X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on rose.denit.net
    X-Spam-Level:
    X-Spam-Status: No, hits=-4.8 required=7.0 tests=BAYES_00,HTML_MESSAGE autolearn=ham version=2.63

    --=_cf02e8d57ef6ef34e2356f890263a4e1
    Content-Type: text/plain; charset="iso-8859-1"
    Content-Transfer-Encoding: 7bit

    [email protected]
    Content-Type: multipart/mixed; boundary="===============1386157805=="
    MIME-Version: 1.0
    Subject: 8018d1f
    To: [email protected]
    bcc: [email protected]
    From: [email protected]

    This is a multi-part message in MIME format.

    --===============1386157805==
    Content-Type: text/plain; charset="us-ascii"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit

    uutkrb
    --===============1386157805==--

    --=_cf02e8d57ef6ef34e2356f890263a4e1
    Content-Type: text/html; charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable

    [email protected]<br>Content-Type: multipart/mixed; boundary=3D"=3D=3D=3D=
    =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D1386157805=3D=3D"<br>MIME-Version: 1.0<=
    br>Subject: 8018d1f<br>To: [email protected]<br>bcc: [email protected]<br=
    >From: [email protected]<br><br>This is a multi-part message in MIME form=
    at.<br><br>--=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D1386157805=3D=3D<=
    br>Content-Type: text/plain; charset=3D"us-ascii"<br>MIME-Version: 1.0<br>C=
    ontent-Transfer-Encoding: 7bit<br><br>uutkrb<br>--=3D=3D=3D=3D=3D=3D=3D=3D=
    =3D=3D=3D=3D=3D=3D=3D1386157805=3D=3D--
    --=_cf02e8d57ef6ef34e2356f890263a4e1--

Is this something else or have I missed something?
user99999999 Posted September 3, 2005

YES, I messed up: $from_name should be $from_email_name.

    function tep_mail($to_name, $to_email_address, $email_subject, $email_text, $from_email_name, $from_email_address) {
      if (SEND_EMAILS != 'true') return false;

      // Remove any newline and anything after it on the header fields of the mail.
      // $to_email_address and $from_email_address are checked with tep_validate_email().
      $to_name = preg_replace('/[\r\n].*/', '', $to_name);
      $email_subject = preg_replace('/[\r\n].*/', '', $email_subject);
      $from_email_name = preg_replace('/[\r\n].*/', '', $from_email_name);
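An added example, not osCommerce code and not the poster's patch, showing a header-safe version of the same idea: it refuses any header field carrying CR/LF instead of silently truncating it, validates both addresses, and looks in the enquiry body for the header-shaped lines that appear in the spam sample posted above (the `Content-Type: multipart/mixed; boundary=...`, `bcc:` and `From:` lines). The function names, the `build_contact_mail()` shape and the sample submissions are assumptions made for this example; it needs PHP 7.4 or later.

```php
<?php
// Added example, not osCommerce code: a header-safe version of the tep_mail()
// patch discussed in this thread, plus a check for the injected MIME block
// seen in the spam sample. Function names, the build_contact_mail() shape
// and the sample submissions are constructed for this example (PHP 7.4+).

// Return a header value only if it cannot start a new header line.
// Rejecting (null) beats truncating: a truncated name still sends the mail,
// and the shop owner never learns that an injection was attempted.
function clean_header_value(string $value): ?string
{
    if (preg_match('/[\r\n\x00]/', $value) === 1) {
        return null;
    }
    return trim($value);
}

// The spam in this thread carried "Content-Type: multipart/mixed; boundary=...",
// "bcc:" and "From:" lines inside the enquiry text. Real enquiries contain line
// breaks, so look for header-shaped lines rather than for CR/LF. This is a
// heuristic; log rejections so a false positive can be reviewed.
function looks_like_header_injection(string $text): bool
{
    $headerLine = '/^\s*(content-type|content-transfer-encoding|mime-version|bcc|cc|from)\s*:/im';
    return preg_match($headerLine, $text) === 1 || stripos($text, 'boundary=') !== false;
}

// Assemble what mail() would receive; null means "do not send".
function build_contact_mail(array $f): ?array
{
    $toName   = clean_header_value($f['to_name']);
    $subject  = clean_header_value($f['subject']);
    $fromName = clean_header_value($f['from_email_name']); // the variable the first patch mis-named
    $toAddr   = filter_var($f['to_email'], FILTER_VALIDATE_EMAIL);
    $fromAddr = filter_var($f['from_email'], FILTER_VALIDATE_EMAIL);

    if ($toName === null || $subject === null || $fromName === null
        || $toAddr === false || $fromAddr === false
        || looks_like_header_injection($f['text'])) {
        return null;
    }
    // Quote display names so a stray '<' or '"' cannot change the address part.
    $quote = fn(string $s): string => '"' . addcslashes($s, '"\\') . '"';
    return [
        'to'      => $quote($toName) . ' <' . $toAddr . '>',
        'subject' => $subject,
        'headers' => 'From: ' . $quote($fromName) . ' <' . $fromAddr . '>' . "\r\n"
                   . "MIME-Version: 1.0\r\n"
                   . "Content-Type: text/plain; charset=utf-8",
        'body'    => $f['text'],
    ];
}

// Constructed submissions: one clean, two modelled on what the thread reports.
$base = [
    'to_name'    => 'Shop Owner',
    'to_email'   => 'owner@example.com',
    'subject'    => 'Question about an order',
    'from_email' => 'visitor@example.com',
];
$cases = [
    'clean'           => $base + ['from_email_name' => 'Dave',
                                  'text' => "Do you ship abroad?\nThanks."],
    'newline in name' => $base + ['from_email_name' => "Dave\nbcc: someone@example.net",
                                  'text' => 'hi'],
    'mime in body'    => $base + ['from_email_name' => 'Dave',
                                  'text' => "x\nContent-Type: multipart/mixed; boundary=\"==1==\"\nbcc: someone@example.net\n"],
];
foreach ($cases as $label => $fields) {
    $mail = build_contact_mail($fields);
    echo str_pad($label, 16), ': ',
         $mail === null ? 'rejected (log it)' : 'ok, ' . explode("\r\n", $mail['headers'])[0], "\n";
}
```

Only the first case produces a message; the other two return null, which is the point of rejecting rather than stripping: a stripped `Dave\nbcc: ...` becomes a perfectly valid `Dave` and the attempt goes unnoticed.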
wheeloftime Posted September 3, 2005

> YES, I messed up: $from_name should be $from_email_name.
>
>     function tep_mail($to_name, $to_email_address, $email_subject, $email_text, $from_email_name, $from_email_address) {
>       if (SEND_EMAILS != 'true') return false;
>
>       // Remove any newline and anything after it on the header fields of the mail.
>       // $to_email_address and $from_email_address are checked with tep_validate_email().
>       $to_name = preg_replace('/[\r\n].*/', '', $to_name);
>       $email_subject = preg_replace('/[\r\n].*/', '', $email_subject);
>       $from_email_name = preg_replace('/[\r\n].*/', '', $from_email_name);

Cool, thanks for the quick reply Dave! Hopefully this a..hole doesn't show up anymore..
Cowzor Posted September 3, 2005

I think you've been having the same problem I've been having. See http://www.oscommerce.com/forums/index.php?showtopic=167860&hl= for another fix on it (well, I'm assuming it works, I'll no doubt be posting if it happens again!! :P )
poorman Posted September 3, 2005

Odd, I just tried this quickly as I am having issues with people saying stop sending me email when I know I have not, but this seems not to be stopping anything; I can type anything into the fields and still send from contact_us. Any ideas? Thanks.

> To validate ANY string, in general.php at the bottom add (from the PHP site):
>
>     // yes, that is a space before the closing " to allow for spaces between words/names
>     function valid_str($str, $validlength, $validmask = "abcdefghijklmnopqrstuvwxyz0123456789_- ") {
>       $str = strtolower($str);
>       if (strspn($str, $validmask) == strlen($str) && strlen($str) <= $validlength) return true;
>       return false;
>     } // Hadir @ phpmom
>
> Then anywhere you need to validate the text, like $name in contact_us, add:
>
>     if (valid_str($name, 20)) { // or whatever length you want
>       // <<< ok to send mail and confirm >>>
>     } else {
>       // <<< send to "you messed up" page >>>
>     }

The way of life, and the way we work for you.
poorman Posted September 3, 2005

OH, here is how I am using it in case I am screwed up...

    if (valid_str($email_address, 35)) { // or whatever length you want
      $email_address = tep_db_prepare_input($HTTP_POST_VARS['email']);
    } else {
      $error = true;
      $messageStack->add('contact', ENTRY_EMAIL_ADDRESS_CHECK_ERROR);
      $enquiry = "";
      $name = "";
      $email = "";
    }

The way of life, and the way we work for you.
crashwave Posted September 4, 2005

The email address is already checked in the script. You do not need to validate that. You need to validate the $name, and if you don't want special characters in the enquiry, validate that too.

q_|_|| _|9~~J >-o>-o q_|_|| )| q_|| )
poorman Posted September 4, 2005

Thanks, but the issue I am having is that it seems to run the function, but I can exceed the length and use characters not in the $validmask and it still processes the form; can't figure out why...

The way of life, and the way we work for you.
crashwave Posted September 4, 2005

Use the mail function change user99999999 wrote here. DO NOT add @ to $validmask (you can pretty much add any character that CANNOT be translated into an email by the browser); the whole reason to validate name and text is to make sure there is no email in there.

q_|_|| _|9~~J >-o>-o q_|_|| )| q_|| )
crashwave Posted September 4, 2005

Place your code exactly here.

q_|_|| _|9~~J >-o>-o q_|_|| )| q_|| )
bacen Posted September 4, 2005

Dear poorman, how can I use this script:

    if (valid_str($email_address, 35)) { // or whatever length you want
      $email_address = tep_db_prepare_input($HTTP_POST_VARS['email']);
    } else {
      $error = true;
      $messageStack->add('contact', ENTRY_EMAIL_ADDRESS_CHECK_ERROR);
      $enquiry = "";
      $name = "";
      $email = "";
    }

for language input fields? I try this:

    if (valid_str($products_name, 35)) { // or whatever length you want
      $products_name = tep_db_prepare_input($HTTP_POST_VARS['products_name'][$language_id]);
    } else {
      $error = true;
      $messageStack->add('contact', ENTRY_PRODUCTS_CHECK_ERROR);
      // $enquiry = "";
      // $name = "";
      $products_name = "";
    }

But it doesn't work. Can you help me?

bacen
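An added example (not the thread's code and not osCommerce's) covering both the snippet poorman posted and bacen's per-language variant. One thing a reader can check in both snippets is the order of operations: the variable is passed to valid_str() before it is assigned from the POST data, so whatever it held at that point is what gets checked, and the posted valid_str() returns true for an empty string because strspn('') and strlen('') are both 0. The example below reads each field from the request first, validates it afterwards, treats an absent or empty field as invalid, validates the email address with filter_var() rather than a letters-only mask (an address always contains '@' and '.', which the mask never accepts), and checks every entry of a per-language array such as products_name[<language_id>]. $_POST is replaced by constructed arrays, and the error messages stand in for the shop's own language constants.

```php
<?php
// Added example, not code from this thread or from osCommerce: a validation
// pass that reads each field from the request first, validates it, and only
// then uses it. $_POST is replaced by constructed arrays so the script runs
// stand-alone; the error messages are placeholders for the shop's constants.

// Same check as the valid_str() posted earlier in the thread. Note that it
// returns true for '' because strspn('') and strlen('') are both 0.
function valid_str(string $str, int $validlength,
                   string $validmask = "abcdefghijklmnopqrstuvwxyz0123456789_- "): bool
{
    $str = strtolower($str);
    return strspn($str, $validmask) == strlen($str) && strlen($str) <= $validlength;
}

// Validate one plain field: must be present, non-empty and pass the mask.
function check_text_field(array $post, string $key, int $maxLength, array &$errors): string
{
    $value = trim((string) ($post[$key] ?? ''));
    if ($value === '' || !valid_str($value, $maxLength)) {
        $errors[$key] = "Field '$key' is missing or contains characters that are not allowed";
    }
    return $value;
}

// Validate a per-language field such as products_name[<language_id>]:
// every language's value is checked, not just one. Absent field = nothing to check.
function check_language_field(array $post, string $key, int $maxLength, array &$errors): array
{
    if (!isset($post[$key])) {
        return [];
    }
    $values = $post[$key];
    if (!is_array($values) || $values === []) {
        $errors[$key] = "Field '$key' must be an array of per-language values";
        return [];
    }
    $clean = [];
    foreach ($values as $languageId => $value) {
        $value = trim((string) $value);
        if ($value === '' || !valid_str($value, $maxLength)) {
            $errors[$key . '[' . $languageId . ']'] = "Field '$key' for language $languageId is not allowed";
        }
        $clean[$languageId] = $value;
    }
    return $clean;
}

function validate_contact_form(array $post): array
{
    $errors = [];
    $name = check_text_field($post, 'name', 20, $errors);

    // An address contains '@' and '.', which a letters-only mask never accepts,
    // so the address gets its own check.
    $email = trim((string) ($post['email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Email address is not valid';
    }

    $enquiry = (string) ($post['enquiry'] ?? '');
    if (trim($enquiry) === '' || strlen($enquiry) > 2000) {
        $errors['enquiry'] = 'Enquiry is empty or too long';
    }

    $names = check_language_field($post, 'products_name', 35, $errors);

    return ['ok' => $errors === [], 'errors' => $errors,
            'fields' => compact('name', 'email', 'enquiry', 'names')];
}

// Constructed submissions.
$submissions = [
    'complete'        => ['name' => 'Jane Doe', 'email' => 'jane@example.com',
                          'enquiry' => 'Do you ship to Iceland?',
                          'products_name' => [1 => 'Blue mug', 2 => 'Blauwe mok']],
    'name missing'    => ['email' => 'jane@example.com', 'enquiry' => 'Hello'],
    'address in name' => ['name' => 'jane@example.com', 'email' => 'jane@example.com',
                          'enquiry' => 'Hello'],
    'empty language'  => ['name' => 'Jane Doe', 'email' => 'jane@example.com',
                          'enquiry' => 'Hello', 'products_name' => [1 => 'Blue mug', 2 => '']],
];
foreach ($submissions as $label => $post) {
    $result = validate_contact_form($post);
    echo str_pad($label, 16), ': ',
         $result['ok'] ? 'accepted' : 'rejected ' . json_encode(array_keys($result['errors'])), "\n";
}
```

Only the first submission is accepted; the others are rejected on `name`, `name`, and `products_name[2]` respectively. The explicit empty check is what catches the second case, since valid_str() alone would let an empty name through.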