poorman Posted September 4, 2005
This is what I am using and it is failing to trap. I used the valid_str just as posted, also with the same problem. Any help appreciated.

    require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_CONTACT_US);

    // Declared at file level, before the block that calls it: PHP only hoists
    // functions declared at top level, not ones nested inside an if block.
    function valid_str($str, $validlength, $validmask="abcdefghijklmnopqrstuvwxyz0123456789_- ") //yes that is a space before " to allow for spaces between words/names
    {
      $str = strtolower($str);
      $mystr = strlen($str);
      // strspn() counts the leading run of whitelisted characters; if that
      // run covers the whole string, nothing outside the mask is present.
      if (strspn($str, $validmask) == $mystr && $mystr <= $validlength) {
        return true;
      } else {
        return false;
      }
    }

    $error = false;
    if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'send')) {
      $_POST['email'] = preg_replace( "/\n/", " ", $_POST['email'] );
      $_POST['name'] = preg_replace( "/\n/", "1", $_POST['name'] );
      $_POST['email'] = preg_replace( "/\r/", " ", $_POST['email'] );
      $_POST['name'] = preg_replace( "/\r/", "2", $_POST['name'] );
      $_POST['email'] = str_replace("Content-Type:","",$_POST['email']);
      $_POST['name'] = str_replace("Content-Type:","",$_POST['name']);
      if(valid_str($name, '30'))//or what ever length you want
      {
        $name = tep_db_prepare_input($_POST['name']);
      } else {
        $error = true;
        $messageStack->add('contact', ENTRY_FIRST_NAME_ERROR);
        $enquiry = "";
        $name = "";
        $email = "";
      }
    }

The way of life, and the way we work for you.
Jan Zonjee Posted September 4, 2005
I think you should use:

    . . .
    if(valid_str($_POST['name'], '30'))//or what ever length you want
    {
      $name = tep_db_prepare_input($_POST['name']);
    } else {
    . .

$name has not been initialized yet, so is still NULL IMHO.
poorman Posted September 4, 2005
O.k., still working on this, but doing

    if (tep_validate_email($email_address) && tep_valid_str($name, '30')) {

works for looking at bad characters in the name and stops the sending of email. It seems that I can trap errors before tep_validate_email, but when that runs it ignores all others prior. Still trying to see why, or rewrite the function for tep_validate_email, or the call to it anyway...
poorman Posted September 4, 2005
This is working for me. I changed the tep_validate_email in contact_us, moved and renamed the valid_str function to the validations.php file, and added a few extra characters to the $validmask. It could be cleaned up a lot (remove the hard coded strings etc.), but now I can validate and return information to the user.

    if (tep_validate_email($email_address) && tep_valid_str($name, '30') && tep_valid_str($enquiry, '250') && $enquiry !== '') {
      tep_mail(STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS, EMAIL_SUBJECT, $enquiry, $name, $email_address);
      tep_redirect(tep_href_link(FILENAME_CONTACT_US, 'action=success'));
    } else if ($enquiry == '') {
      $error = true;
      $messageStack->add('contact', "Your Message is blank.");
      $enquiry = "";
      $name = "";
      $email = "";
    } else if (!tep_valid_str($name, '30')) {
      $error = true;
      $messageStack->add('contact', "You have illegal characters in your name.");
      $enquiry = "";
      $name = "";
      $email = "";
    } else if (!tep_valid_str($enquiry, '250')) {
      $error = true;
      $messageStack->add('contact', "You have illegal characters in your message.");
      $enquiry = "";
      $name = "";
      $email = "";
    }
    }
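The else-if chain above reports only the first failed rule per submit. The following is an added example, not poorman's code or osCommerce's, showing the same whitelist-plus-length idea behind valid_str/tep_valid_str written so that every failed field is reported at once, with the name field (which ends up in a mail header) held to a stricter character set than the enquiry body. The function names, the $rules array and the sample submissions are assumptions of this example; it needs PHP 7 or later.

```php
<?php
// Added example (not osCommerce code): contact-form field validation that
// collects all failures in one pass. Names and rules are this example's own.

function field_is_valid(string $value, int $maxLength, string $allowed): bool
{
    // strspn() counts the leading run of characters that are all in $allowed;
    // if that run is the whole string, nothing outside the whitelist is present.
    // Lengths are bytes, as with strlen() in the original valid_str().
    return $value !== ''
        && strlen($value) <= $maxLength
        && strspn($value, $allowed) === strlen($value);
}

function validate_contact_form(array $post): array
{
    $letters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $digits  = '0123456789';
    // The name goes into a mail header, so it must never contain a line
    // break; the enquiry is the body, so a newline is allowed there.
    $rules = [
        'name'    => ['max' => 30,  'allowed' => $letters . $digits . "_- '."],
        'enquiry' => ['max' => 250, 'allowed' => $letters . $digits . " _-'.,!?()\n"],
    ];

    $errors = [];
    foreach ($rules as $field => $rule) {
        $value = isset($post[$field]) ? (string) $post[$field] : '';
        // Browsers submit textarea line ends as CRLF; normalise to LF first so
        // the whitelist decides about LF alone and a stray CR is rejected.
        $value = str_replace("\r\n", "\n", $value);
        if (trim($value) === '') {
            $errors[$field] = 'is blank';
        } elseif (!field_is_valid($value, $rule['max'], $rule['allowed'])) {
            $errors[$field] = 'is too long or contains characters outside the allowed set';
        }
    }
    if (!isset($post['email']) || filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'is not a valid address';
    }
    return $errors;   // empty array means the form may be mailed
}

// Constructed sample submissions, not captured traffic.
$good = [
    'name'    => 'Jan Zonjee',
    'email'   => 'customer@example.com',
    'enquiry' => "Do you ship to NL?\r\nThanks.",
];
$bad = [
    'name'    => "Jan\nBcc: someone@example.com",   // line break in a header-bound field
    'email'   => 'not-an-address',
    'enquiry' => '',
];

var_export(validate_contact_form($good));
echo PHP_EOL;
var_export(validate_contact_form($bad));
echo PHP_EOL;
```

The caller can then push each entry of the returned array onto $messageStack and keep the user's input in the form, instead of blanking all three fields after the first failure.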
bacen Posted September 4, 2005
How can I use this for products_name in admin/categories.php?

    . . .
    if(valid_str($HTTP_POST_VARS['products_name'][$language_id], '30'))//or what ever length you want
    {
      $sql_data_array['products_name'] = tep_db_prepare_input($HTTP_POST_VARS['products_name'][$language_id]);
    } else {
    . .

but it doesn't work!
poorman Posted September 4, 2005
bacen, I think you should look at doing it here:

      $pInfo->objectInfo($product);
    } elseif (tep_not_null($HTTP_POST_VARS)) {
      $pInfo->objectInfo($HTTP_POST_VARS);
      $products_name = $HTTP_POST_VARS['products_name'];
      $products_description = $HTTP_POST_VARS['products_description'];
      $products_url = $HTTP_POST_VARS['products_url'];
    }

under:

    if (isset($HTTP_GET_VARS['pID']) && empty($HTTP_POST_VARS)) {

Don't forget you need to add the function where the admin can access it. I'll see what I can do, I was not working on the admin side for this....
poorman Posted September 4, 2005
One more thing, on the above tep_validate_email change, I also modified the tep_draw_input_field to add maxlength. I am playing with the values to make them as realistic as possible. Example:

    <tr>
      <td class="main"><?php echo ENTRY_NAME . " (30 Character Max)"; ?></td>
    </tr>
    <tr>
      <td class="main"><?php echo tep_draw_input_field('name', '', 'size="25" maxlength="30"'); ?></td>
    </tr>
Jeremy at oddly enough Posted September 13, 2005
I've been having a problem with this for a couple of weeks now. I've put in at least three of the suggested fixes, and I am still getting the odd emails. I've put this into includes/functions/general.php:

    ////
    //! Send email (text/html) using MIME
    // This is the central mail function. The SMTP Server should be configured
    // correct in php.ini
    // Parameters:
    // $to_name           The name of the recipient, e.g. "Jan Wildeboer"
    // $to_email_address  The eMail address of the recipient,
    //                    e.g. [email protected]
    // $email_subject     The subject of the eMail
    // $email_text        The text of the eMail, may contain HTML entities
    // $from_email_name   The name of the sender, e.g. Shop Administration
    // $from_email_adress The eMail address of the sender,
    //                    e.g. [email protected]
    function tep_mail($to_name, $to_email_address, $email_subject, $email_text, $from_email_name, $from_email_address) {
      if (SEND_EMAILS != 'true') return false;

      //Dont send any injection type mails.
      // (eregi() was removed in PHP 7; stripos($x, 'Content-Type:') !== false is the equivalent there.)
      if (eregi('Content-Type:', $to_name)) return false;
      if (eregi('Content-Type:', $email_subject)) return false;
      if (eregi('Content-Type:', $from_email_name)) return false;
      if (eregi('Content-Type:', $email_text)) return false;

      //Remove any newline and anything after it on the header fields of the mail.
      //$to_email_address and $from_email_address are checked with tep_validate_email().
      // Character class is [\r\n]: inside [...] a "|" is a literal pipe, not alternation.
      $to_name = preg_replace('/[\r\n].*/', '', $to_name);
      $email_subject = preg_replace('/[\r\n].*/', '', $email_subject);
      $from_email_name = preg_replace('/[\r\n].*/', '', $from_email_name);

      // Instantiate a new mail object
      $message = new email(array('X-Mailer: osCommerce Mailer'));

      // Build the text version
      $text = strip_tags($email_text);
      if (EMAIL_USE_HTML == 'true') {
        $message->add_html($email_text, $text);
      } else {
        $message->add_text($text);
      }

      // Send message
      $message->build_message();
      $message->send($to_name, $to_email_address, $from_email_name, $from_email_address, $email_subject);
    }

Any more suggestions?

Jeremy
superstyling Posted September 13, 2005
As far as I know a "mailto:" command can not be hijacked, so just to be sure my contact_us.php was not being exploited I did the following:

Remove the code between <!-- body_text //--> and <!-- body_text_eof //--> and replace it with:

    <table border="0" width="100%" cellspacing="0" cellpadding="0">
      <tr>
        <td>
          <table border="0" width="100%" cellspacing="0" cellpadding="0">
            <tr>
              <td class="pageHeading"><?php echo HEADING_TITLE; ?></td>
            </tr>
            <tr>
              <td class="main"><?php echo tep_draw_separator('pixel_trans.gif', '10', '1'); ?></td>
            </tr>
            <tr>
              <td class="main"><?php echo TEXT_CONTACT_INFORMATION; ?></td>
            </tr>
            <tr>
              <td class="main"><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
            </tr>
          </table>
        </td>
      </tr>
    </table>

Then in includes/english/contact_us.php, at the end of the page just before ?>, add:

    define('TEXT_CONTACT_INFORMATION', '<B>General Contact Information</B><BR> ' . STORE_OWNER . '<BR> ' . STORE_NAME_ADDRESS . '<BR> Email: <a href=mailto:' . STORE_OWNER_EMAIL_ADDRESS . '> ' . STORE_OWNER_EMAIL_ADDRESS . ' </a>');

This is a simple fix that still allows customers to make contact using their own email application.
superstyling Posted September 13, 2005
Sorry ... the includes/languages/english/contact_us.php code should be:

    define('TEXT_CONTACT_INFORMATION', '<B>General Contact Information</B><BR> ' . STORE_OWNER . '<BR> ' . STORE_NAME_ADDRESS . '<BR> Email: <a href=mailto:' . STORE_OWNER_EMAIL_ADDRESS . '> ' . STORE_OWNER_EMAIL_ADDRESS . ' </a>');
AlanR Posted September 13, 2005
> As far as I know a "mailto:" command can not be hijacked so just to be sure my contact_us.php was not being exploited I did the following: This is a simple fix that still allows customers to make contact using their own email application.

Here's another simple fix for those people who can't get the others to work. But I hope people are heeding Vger's advice: make sure your contact form is being hijacked. Just getting email spam doesn't mean anything; I've gotten thousands of spam messages directed to my domain names. These spammers just scrape for domain names and email addresses. I had someone send spam by forging a domain name that I'd only registered 7 days prior. They must have been watching the new registrations.

All that said now... Remember that all a bot has to do is identify a site running osC and bam, it knows this url: http://www.somedomain.com/catalog/contact_us.php?

So, a quick and dirty fix is to change the name of contact_us.php to something unique. I posted the method here: http://www.oscommerce.com/forums/index.php?sho...ndpost&p=698661

It's not as elegant as a real fix would be, but if you've been identified as a target it does make the arrow fail.

Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)
Guest Posted September 13, 2005
Actually I have a separate contact us page that is changed often in terms of filename, while I leave the original contact us page as it was but not linked to my shop in any way. The only difference is the old contact page redirects to search engines right away with the name of my store as a keyword, because I do not expect spiders or customers to ever reach it (not linked right). So I use the spammer's bots for keyword exposure (as they know of the contact_us.php) :D
AlanR Posted September 13, 2005
> Actually I have a separate contact us page that is changed often in terms of filename while I leave the original contact us page as it was but not linked to my shop in any way. The only difference is the old contact page redirects to search engines right away with the name of my store as a keyword because I do not expect spiders or customers to ever reach it (not linked right). So I use the spammer's bots for keyword exposure (as they know of the contact_us.php) :D

That's clever, I'll remember it. Free and easy SEO.
Guest Posted September 13, 2005
Cheers Alan, that's just what I was looking for!
bussieblues Posted September 13, 2005
I added the code in the two PHP files and it is still going on. I will add the mails and look at the difference. In the first mail

    Content-Type: text/plain; charset="iso-8859-1"

there are no BCCs, which makes me happy. In the second mail

    Content-Type: text/plain; charset="us-ascii"

there are BCCs. Can it be this us-ascii that gives the workaround?

    ----- Original Message -----
    From: <"[email protected]"@s01.manygreetingsfrom.com>; <[email protected]>
    To: "SLABBETJES.COM" <[email protected]>; <[email protected]>
    Sent: Tuesday, September 13, 2005 7:55 PM
    Subject: Vraag van slabbetjes.com anfssneiv --===============1353895718==--" <[email protected]>
    MIME-Version: 1.0
    X-Mailer: osCommerce Mailer
    Content-Type: multipart/alternative; boundary="=_100ba3f2e551b7957204ee53769e9d3b"

    --=_100ba3f2e551b7957204ee53769e9d3b
    Content-Type: text/plain; charset="iso-8859-1"
    Content-Transfer-Encoding: 7bit

    [email protected]

    --=_100ba3f2e551b7957204ee53769e9d3b
    Content-Type: text/html; charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable

    [email protected]

    --=_100ba3f2e551b7957204ee53769e9d3b--

    ----

    ----- Original Message -----
    From: [email protected]
    To: SLABBETJES.COM
    Sent: Tuesday, September 13, 2005 7:55 PM
    Subject: Vraag van slabbetjes.com

    [email protected]
    Content-Type: multipart/mixed; boundary="===============1501396979=="
    MIME-Version: 1.0
    Subject: 56701fa
    To: [email protected]
    bcc: [email protected]
    From: [email protected]

    This is a multi-part message in MIME format.
    --===============1501396979==
    Content-Type: text/plain; charset="us-ascii"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit

    vdhzfgjtk
    --===============1501396979==--
tryagain Posted September 13, 2005
Where is the suggested place for this code:

    if(valid_str($name, '20')) //or what ever length you want
    {
      <<<ok to send mail and confirm>>>>>
    } else {
      <<<send to "you messed up" page>>>
    }

The instructions are very vague about this piece of code. It could also be my mind not working correctly anymore, been a long day.
Guest Posted September 13, 2005
You can install the vvc contribution while you're testing and fixing your scripts. No more bots with that.
Cisco Posted September 13, 2005
To make the .htaccess file invisible, what should the settings be for the Owner, Group and All Users?
crashwave Posted September 13, 2005
> Where is the suggested places for this code:
>
>     if(valid_str($name, '20')) //or what ever length you want
>     {
>       <<<ok to send mail and confirm>>>>>
>     } else {
>       <<<send to "you messed up" page>>>
>     }
>
> The instructions are very vague about this piece of code. It could also be my mind not working correctly anymore also, been a long day.

    if(valid_str($name, '20'))

can be used anywhere you want to validate anything, not just $name. $name can be anything, 20 can be anything:

    valid_str($something, '100', 'abc/\\()%&!?')

Don't know if ' will work, maybe \' :unsure:

q_|_|| _|9~~J >-o>-o q_|_|| )| q_|| )
awisdoms (Author) Posted September 14, 2005
Well, the spam mails stopped after I disabled my contact us page for a few days. It stopped for a bit after that and now started back up again. I have applied everyone's post including Vger's contribution and I still am getting these spam from [email protected]. Anyone else have any other ideas?
Guest Posted September 14, 2005
> I have applied everyones post including Vger contribution and I still am getting these spam from [email protected]. Anyone else have any other ideas?

You installed the vvc contribution and you are still getting spam? I really would like to know this.
AlanR Posted September 14, 2005
> Well the spam mails stopped after I disabled my contact us page for a few days. It stopped for a bit after that and now started back up again. I have applied everyones post including Vger contribution and I still am getting these spam from [email protected]. Anyone else have any other ideas?

Just a second. I've not really looked at every solution carefully, but mostly I've seen code which prevents "remailing" via the contact page. That's to say the bot will generate spam to others by using your site. Even if that is defeated you may still receive an email from your contact page if the bot "hits submit", so to speak. Hopefully you're the only one that gets any form of email. Until the bot forgets about you or you rename contact_us.php this is gonna happen.

Maybe someone who's looked harder at the code or has actually tested their own contact page using the botting technique can help answer this.
Guest Posted September 14, 2005
Hello Alan, what you say is correct; that is the reason I mentioned that supplying a visual code as a mandatory entry in the mail forms should eliminate every bot attempt to send something.
user99999999 Posted September 14, 2005
These bots are posting every field on any form they can find, so renaming the page doesn't do much good.

http://www.laketexoma.com/board/wwwboard.html
http://www.kamencomic.com/guestbookform.php
http://www.recipecenter.com/guestreg.asp

I changed the last 3 to not send mail if there are newlines in those fields, vs. stripping them and sending a safe mail to admin. Since you can't enter a newline in the form, it would have to come from some bot.

    function tep_mail($to_name, $to_email_address, $email_subject, $email_text, $from_email_name, $from_email_address) {
      if (SEND_EMAILS != 'true') return false;

      //Dont send any injection type mails.
      if (eregi('Content-Type:', $to_name)) return false;
      if (eregi('Content-Type:', $email_subject)) return false;
      if (eregi('Content-Type:', $from_email_name)) return false;
      if (eregi('Content-Type:', $email_text)) return false;

      //Dont send any mail with newlines in these fields.
      // Character class is [\r\n]: inside [...] a "|" is a literal pipe, not alternation.
      if (preg_match('/[\r\n]/', $to_name)) return false;
      if (preg_match('/[\r\n]/', $email_subject)) return false;
      if (preg_match('/[\r\n]/', $from_email_name)) return false;

      // Remainder of the function as in the tep_mail() posted earlier in this thread:
      // $to_email_address and $from_email_address are checked with tep_validate_email().
      $message = new email(array('X-Mailer: osCommerce Mailer'));
      $text = strip_tags($email_text);
      if (EMAIL_USE_HTML == 'true') {
        $message->add_html($email_text, $text);
      } else {
        $message->add_text($text);
      }
      $message->build_message();
      $message->send($to_name, $to_email_address, $from_email_name, $from_email_address, $email_subject);
    }
AlanR Posted September 14, 2005
> I changed the last 3 to not send mail if there is newlines in those fields vs striping them and sending a safe mail to admin. Since you cant enter a newline in the form it would have to come from some bot.
>
>     //Dont send any mail with newlines in these fields.
>     if (preg_match('/[\r\n]/', $to_name)) return false;
>     if (preg_match('/[\r\n]/', $email_subject)) return false;
>     if (preg_match('/[\r\n]/', $from_email_name)) return false;

That makes sense. That way the failed attempts don't even generate an email to the store owner.
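Both the tep_mail() posted by Jeremy (strip the line break and everything after it) and user99999999's variant (refuse the mail when a line break is present) hinge on the same fact: a new header such as Bcc: can only be injected if a header-bound field contains a CR or LF, which a single-line form input never produces. The following is an added example, not osCommerce's tep_mail() or either poster's code, that applies the refuse-instead-of-strip rule to every header-bound field, logs each refused attempt with the field and the reason so the owner can see the attempts without receiving them as mail, and stops before building the message so it runs without an SMTP server. The function names, the send_contact_mail() wrapper, the $log array and the sample inputs are assumptions of this example; it needs PHP 7.1 or later.

```php
<?php
// Added example (not osCommerce code): refuse, and log, any contact mail whose
// header-bound fields could start a new header line. Names are this example's own.

const MAX_HEADER_FIELD_LENGTH = 200;   // assumed limit for a name or subject

// Returns null when the value is safe to place in a mail header, otherwise
// a short reason. A NUL is treated like a line break because some MTAs do.
function header_injection_reason(string $value): ?string
{
    if (preg_match('/[\r\n\0]/', $value)) {
        return 'line break in header field';
    }
    // Defence in depth: tokens seen in the spam samples quoted in this thread.
    foreach (['content-type:', 'bcc:', 'cc:', 'mime-version:'] as $token) {
        if (stripos($value, $token) !== false) {
            return "header keyword '$token' in field";
        }
    }
    if (strlen($value) > MAX_HEADER_FIELD_LENGTH) {
        return 'header field too long';
    }
    return null;
}

// Checks every header-bound field; appends one log line per rejected field
// (constructed format) and returns false if any field was rejected.
function mail_headers_are_safe(array $fields, array &$log): bool
{
    $ok = true;
    foreach ($fields as $name => $value) {
        $reason = header_injection_reason((string) $value);
        if ($reason !== null) {
            $log[] = sprintf('%s rejected contact mail: field %s, %s', date('c'), $name, $reason);
            $ok = false;   // keep going so every bad field is recorded
        }
    }
    return $ok;
}

// Decides whether a contact-form mail may be built. The body ($text) is not
// a header, so it is not subject to the line-break rule.
function send_contact_mail(string $toName, string $toAddress, string $subject,
                           string $text, string $fromName, string $fromAddress,
                           array &$log): bool
{
    // FILTER_VALIDATE_EMAIL also rejects addresses containing CR or LF.
    if (filter_var($toAddress, FILTER_VALIDATE_EMAIL) === false
        || filter_var($fromAddress, FILTER_VALIDATE_EMAIL) === false) {
        $log[] = date('c') . ' rejected contact mail: address failed validation';
        return false;
    }
    $headerFields = ['to_name' => $toName, 'subject' => $subject, 'from_name' => $fromName];
    if (!mail_headers_are_safe($headerFields, $log)) {
        return false;
    }
    // At this point the real code would hand the fields to its mail object;
    // the example stops at the decision so it runs offline.
    return true;
}

// Constructed inputs, not captured traffic.
$log = [];
$sent = [
    'plain'  => send_contact_mail('Shop', 'owner@example.com', 'Question',
                                  'Do you ship abroad?', 'Jan Zonjee', 'customer@example.com', $log),
    'inject' => send_contact_mail('Shop', 'owner@example.com', 'Question',
                                  'x', "Jan\r\nBcc: other@example.com", 'customer@example.com', $log),
];
var_export($sent);
echo PHP_EOL, implode(PHP_EOL, $log), PHP_EOL;
```

Because the second call is refused before any message object is created, the store owner receives nothing from it and only the log line records the attempt, which is exactly the difference between this approach and stripping the field and sending the "cleaned" mail anyway.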