
osCommerce


Script kiddie attempt to abuse "Contact Us" Page


Cowzor


I realise you're not supposed to post external links but this does seem important

http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay

 

I just had 4 emails come through from someone attempting to do exactly this with my "Contact Us" page

 

I'm wondering are the fields in that form checked to stop them accepting commands from the text entered into the Form Fields?

 

It was the same person a lot of people on that website have also had problems with, bergkoch8@aol.com

 

Is it enabled/disabled in osCommerce? I'm using MS2.2

 

I've had them back twice over the last few days. I don't want to wind up on an internet-spammers blacklist!


Yeah, I wonder about this too... I got 'attacked' too it seems - it didn't even occur to me there was a security problem with the contact page... This should be pinned somewhere - with a good explanation on how to resolve this - I got two mails coming through my contact page too, like the one described in your link. But I didn't pay much attention to it since I thought it must have been from a spider or something, because I didn't even have a 'submit' button on that contact page...

 

one of the mails i got was:

 

dxntob@website.be

Content-Type: multipart/mixed; boundary="===============1392243453=="

MIME-Version: 1.0

Subject: 46c38077

To: dxntob@website.be

bcc: bergkoch8@aol.com

From: dxntob@website.be

 

This is a multi-part message in MIME format.

 

--===============1392243453==

Content-Type: text/plain; charset="us-ascii"

MIME-Version: 1.0

Content-Transfer-Encoding: 7bit

 

azfaoi

--===============1392243453==--

 

 

What can we do about this, and how...???

 

 

Kind regards

Even in this dark place, yes, I am afraid of my own shadow.

 

 

 

Contributions | KnowledgeBase | osCommerce 2.2 pdf


To me it looks like this is something different from the cross-site scripting that was reported before (and to which the reported fixes reacted). Just to be on the safe side I changed our contact_us.php to get rid of new line characters and the string "Content-Type:" (starts around line 17):

  $error = false;
  if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'send')) {
    // http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay
    // Replace every LF and CR so the name and address can never start a new header line
    $_POST['email'] = preg_replace("/\n/", " ", $_POST['email']);
    $_POST['name']  = preg_replace("/\n/", " ", $_POST['name']);
    $_POST['email'] = preg_replace("/\r/", " ", $_POST['email']);
    $_POST['name']  = preg_replace("/\r/", " ", $_POST['name']);
    // Drop the header keyword seen in the spam attempts (this match is case-sensitive)
    $_POST['email'] = str_replace("Content-Type:", "", $_POST['email']);
    $_POST['name']  = str_replace("Content-Type:", "", $_POST['name']);

    $name = tep_db_prepare_input($_POST['name']);
    $email_address = tep_db_prepare_input($_POST['email']);
    $enquiry = tep_db_prepare_input($_POST['enquiry']);

Note that in the last three lines I changed HTTP_POST_VARS to $_POST, otherwise this wasn't working. The $_POST array seems to be independent of HTTP_POST_VARS when you start changing them.

 

Perhaps it is even wiser to use:

 $_POST['email'] = str_replace("content-type:","",strtolower($_POST['email']));

but I haven't tried that.


I did what you suggested JanZ - but is there a way I can check if I'm safe now? I mean - how can we know for sure... I heard rumours that the same can happen with the checkout pages (the comment there).

 

This is all new to me really, but a 'w00t' error msg popping up if you type something in the URL, I guess that's all doable... but is there actually something they can do?? Imho, and in my personal case - the only 'bad' thing they can do is get into my admin... right? Or am I totally wrong here....

 

Thnx,

kind regards,

tom


 

 

 


is there a way i can check if i'm safe now?
From what I understand you would be OK if new lines (\n, LF, hexadecimal 0A) and carriage return (\r, CR, hexadecimal 0D) are removed. Lines in the headers of an email are separated with a \r\n and if they are taken out you would be safe because the formatting is wrong.

 

To test if what I posted works, I used cURL on the command line (comes with a Mac I believe, at least I have it available in the terminal window) and found that the following curl command will replace the \r (%0A as it is urlencoded) in a 2 and the \n (%0D urlencoded) in a 1. For that I changed the code a little bit to use a 2 and a 1 respectively for the replace instead of a space:

    // Test variant: \n becomes "1" and \r becomes "2" in the name so the stripping is visible in the mail
    $_POST['email'] = preg_replace("/\n/", " ", $_POST['email']);
    $_POST['name']  = preg_replace("/\n/", "1", $_POST['name']);
    $_POST['email'] = preg_replace("/\r/", " ", $_POST['email']);
    $_POST['name']  = preg_replace("/\r/", "2", $_POST['name']);
    $_POST['email'] = str_replace("Content-Type:", "", $_POST['email']);
    $_POST['name']  = str_replace("Content-Type:", "", $_POST['name']);

 

This is the curl command:

 

curl -d "name=John+Spammer%0D%0AContent-Type%3A%0D%0A&email=spammer%40hotmail.com&enquiry=none" www.yourdomain/catalog/contact_us.php?action=send -v -L

The -d is for a POST operation, the -v for verbose so you will see some exchanges going on between the server and your computer, and the -L is to tell curl it can follow the redirect (to contact_us.php?action=success).

 

If everything works well you get a mail from John Spammer2121 <spammer@hotmail.com>

Imho, and in my personal case - the only 'bad' thing they can do is get into my admin... right? Or am i totaly wrong here....
And get all your data through a db_backup, then delete all the files there etc. etc. That is a pretty major disaster scenario. Actually, what can happen is that your website is used for sending out spam. That could a. cost a substantial amount of bandwidth and might cost you money and b. it could mean your domain gets blacklisted meaning email from your site never reaches the client. Not good for business.
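As an added example (not code from this thread or from osCommerce), here is a small PHP screen for the two header-bound fields: it strips CR/LF the way JanZ's change does, additionally flags a header keyword so the attempt can be logged, and rejects an address that would not fit on a single header line. The function names are hypothetical; tep_mail() is only mentioned in comments.

```php
<?php
// Added example, not osCommerce code. Function names are hypothetical.

// A value destined for a mail header must not contain CR or LF: those are the
// only characters that can start a new header line such as "bcc:". A header
// keyword followed by a colon has no legitimate place in a name or address
// either, and is a reliable sign that someone is probing the form.
function header_injection_attempt($value) {
    if (preg_match('/[\r\n]/', $value)) {
        return true;
    }
    return preg_match('/\b(content-type|mime-version|bcc|cc|to|from|subject)\s*:/i', $value) === 1;
}

// Remove every CR and LF so the value occupies exactly one header line.
function strip_header_breaks($value) {
    return str_replace(array("\r", "\n"), '', $value);
}

// Clean both fields and decide whether the submission should be mailed at all.
// Returns the cleaned values plus an 'ok' flag and an 'attempt' flag that the
// caller can write to its own log before showing the form again.
function clean_contact_fields($name, $email) {
    $attempt = header_injection_attempt($name) || header_injection_attempt($email);
    $clean_name  = trim(strip_header_breaks($name));
    $clean_email = trim(strip_header_breaks($email));
    // Whitespace, angle brackets, quotes, commas and colons never belong in a
    // bare address and would let the value escape the "Name <addr>" form.
    $valid_email = preg_match('/^[^\s<>",;:]+@[^\s<>",;:]+\.[A-Za-z]{2,}$/', $clean_email) === 1;
    return array(
        'name'    => $clean_name,
        'email'   => $clean_email,
        'attempt' => $attempt,
        'ok'      => $valid_email && !$attempt,
    );
}

// Constructed sample: the payload from the curl test earlier in this thread,
// as PHP sees it after URL decoding (%0D%0A becomes "\r\n").
$fields = clean_contact_fields("John Spammer\r\nContent-Type:\r\n", 'spammer@hotmail.com');
if (!$fields['ok']) {
    // In contact_us.php this is where you would set $error and skip tep_mail().
    echo $fields['attempt'] ? "header injection attempt blocked\n" : "invalid address\n";
} else {
    // Safe to pass $fields['name'] and $fields['email'] to tep_mail().
    echo "would send mail from " . $fields['name'] . " <" . $fields['email'] . ">\n";
}
```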

One other thing I did to eliminate spambots that automatically process these forms, was to add the security code verification contribution.


One other thing I did to eliminate spambots that automatically process these forms, was to add the security code verification contribution.

Sure that helps, but captchas can be defeated, either using a computer program or as was pointed out on Slashdot recently using unsuspecting humans:
Easiest way to Defeat Captchas (Score:4, Interesting)

by Bondolo (14225) on Wednesday August 24, @01:53PM (#13390917)

 

1. Put up a "free" pr0n site.

2. Require visitors to the pr0n site to process a captcha before viewing the pr0n. In reality they are proxy processing a captcha for another site (paypal, hotmail, yahoo, etc.) which they never see.

3. Profit!

 

Captchas are next to useless and for the visually impaired very frustrating. One more example of a technology which annoys everyone and yet doesn't really stop the determined miscreant. <cough>airport shoe inspections</cough>


Hi JanZ and everyone else,

 

Either this is something totally different, or the problem hasn't been solved by JanZ's solution... But I got another email sent through the contact_us page this morning.

 

sjia@mydomain.be

Content-Type: multipart/mixed; boundary="===============1338834338=="

MIME-Version: 1.0

Subject: b02e3518

To: sjia@mydomain.be

bcc: jrubin3546@aol.com

From: sjia@mydomain.be

 

This is a multi-part message in MIME format.

 

--===============1338834338==

Content-Type: text/plain; charset="us-ascii"

MIME-Version: 1.0

Content-Transfer-Encoding: 7bit

 

rtdau

--===============1338834338==--

 

 

:( I heard many had something similar - I really wonder what all this is about... why it's been done, and what they can do with it..


 

 

 


I found exactly the same problem this morning. Seems like my site has been hacked..

I'm getting emails sent from my site..

 

Looks like this:

 

sqvvvnul@mydomain.com

Content-Type: multipart/mixed; boundary="===============0302808415=="

MIME-Version: 1.0

Subject: fc78ab94

To: sqvvvnul@mydomain.com

bcc: jrubin3546@aol.com

From: sqvvvnul@mydomain.com

 

This is a multi-part message in MIME format.

 

--===============0302808415==

Content-Type: text/plain; charset="us-ascii"

MIME-Version: 1.0

Content-Transfer-Encoding: 7bit

 

egbmzocuww

--===============0302808415==--

 

 

Is there a fix to this problem? Maybe a contribution?

I'm kinda desperate..

So what?! Who care in a hundred years anyway?


did you look at the Bug Reports as Johnson commented about above?

That bug report is about a "Cross Site Scripting" problem.

 

But this certainly is a different problem! I think it's called "Email header injection".


Looks different from the bug report: ([EDIT: meant for a higher post, not panda's latest.. he was just faster than my reply])

 

http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay

 

 

this is the same as I get - from the same 'aol' email thingies....

 

I think this should be looked into immediately by some advanced PHP coders to secure this issue.. because apparently I'm not the only one having this problem - but lots of people..

 

Also - it looks like I'm being scanned or something.. Using the visitor stats (from Ian) I see entries for 0 seconds, only one click, and directly to the contact_us.php page followed by an osCsid..

 

/contact_us.php?action=send&osCsid=9fa549ad8430821e71a7dbe0a7be9c06

 

I got 5 attempts of these today alone from different IP addresses coming from Korea, China, Germany and the Netherlands.

 

Does it have something to do with this too?

 

Kind Regards,

tom


 

 

 


That bug report is about a "Cross Site Scripting" problem.

 

But this certainly is a different problem! I think it's called "Email header injection".

Exactly. In my opinion what Zuncan and Tom/Darklings see is a script attack that tries to do an email header injection but is not doing it in a way to be successful with osC code. That may come, so therefore the cleaning of the name and email from CRLF characters is important to prevent it.

 

I haven't checked it out, but there is a contribution for it now (Validate input).

 

If you don't want to see those emails from automated scripts, you can stop 99.99% of them by using captchas. I haven't tried this particular script, but something like Visual Verify Code (VVC) security comes to mind.


  • 3 weeks later...
Exactly. In my opinion what Zuncan and Tom/Darklings see is a script attack that tries to  do an email header injection but is not doing it in a way to be successful with osC code. That may come, so therefore the cleaning of the name and email from CRLF characters is important to prevent it.

 

I haven't checked it out, but there is a contribution for it now (Validate input).

 

If you don't want to see those emails from automated scripts, you can stop 99.99% of them by using captchas. I haven't tried this particular script, but something like Visual Verify Code (VVC) security comes to mind.

 

I've downloaded this contrib, and entered it into functions/general.

My dummy question- in his directions, he says:

add if(valid_str($name, '20'))//or what ever length you want

What "whatever length I want"- do I want? Is that the length of the validmask string?

Or is it the min length for addresses?

psst... wanna buy a wand?


  • 1 year later...
I've downloaded this contrib, and entered it into functions/general.

My dummy question- in his directions, he says:

What "whatever length I want"- do I want? Is that the length of the validmask string?

Or is it the min length for addresses?

 

Do not worry about that, I guess it works now.

Jonson Zhang

A megaphone will have you heard by the whole world.


Do not worry about that, I guess it works now.

 

I would say so since that last response was 2 yrs ago.

Search the forum and contributions before posting. If that doesn't work, keep looking, then post. The forum is for seeking help and advice NOT for someone to do your work for you. Try to do something on your own; if you are going to run a shop then learn how it works.


  • 9 months later...
  • 1 month later...

This might be slightly off topic but I thought better than starting a new thread. I had a whole crapload of emails from my contact us form this morning. I admit I'm not an expert in exploiting this kind of stuff but I can't think what they're probing for here... anyone got any ideas?

 

pqCdVN _a href="http://gsnqqklvqpiz.com/"_gsnqqklvqpiz_/a_, ubrpphzxsymo, [link=http://fqhsyzzqmity.com/]fqhsyzzqmity[/link], http://rsyueflcqcat.com/

 

GDJse4 _a href="http://urzcyprenwhj.com/"_urzcyprenwhj_/a_, djrvsfyctgwn, [link=http://dvuqcvqtmmyz.com/]dvuqcvqtmmyz[/link], http://rvflwbnudgac.com/

 

YKxMQJ _a href="http://ikmrjywzkakk.com/"_ikmrjywzkakk_/a_, yhrjyuhehawf, [link=http://wmqpovhmvmea.com/]wmqpovhmvmea[/link], http://oqqozkhxtdaa.com/

 

And so on....


This might be slightly off topic but I thought better than starting a new thread. I had a whole crapload of emails from my contact us form this morning. I admit I'm not an expert in exploiting this kind of stuff but I can't think what they're probing for here... anyone got any ideas?

What osc 2.2 version are you using, and have you installed the latest security patches?


Archived

This topic is now archived and is closed to further replies.
