Hacking my forms?

I have several websites I've created that use forms for visitors to contact the site owner. I also receive copies of the emails generated by these form submissions. Lately, several of the sites are getting these weird submissions (see example below):

This person needs info about Buck Hummer and the Pick-Ups, or they want to schedule an appearance.
Name: pxbw @ buckhummer.com
Address: pxbw @ buckhummer.com
pxbw @ buckhummer.com
City: pxbw @ buckhummer.com Content-Type: multipart/mixed; boundary="===============1511639006==" MIME-Version: 1.0 Subject: 38493bc To: pxbw @ buckhummer.com bcc: Homeiragtime @ aol.com From: pxbw @ buckhummer.com This is a multi-part message in MIME format. --===============1511639006== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit nude --===============1511639006==--
State, Zip: pxbw @ buckhummer.com, pxbw @ buckhummer.com
Email: pxbw @ buckhummer.com
Comments: pxbw @ buckhummer.com

(In the example I put spaces around the "@" symbols.)

I suppose someone is trying to hack these forms. I have maxlengths set for all inputs, but what is really weird is the "City" field in the example above is limited to 50 characters, yet they obviously put in more than that. Is there anything else I must do to secure these forms from attackers? I am using ColdFusion and the cfmail tag.

Another thing about this - there have been 5 different sites attacked like this, and every one of them contains the same info, including the "bcc:Homeiragtime @ aol.com" as part of the "City" data.

If anyone else is seeing this in their forms, or knows how to keep these messages from going through, please reply.

Thanks.
 
You need to check your limitations on the server, not the client. Anyone can create their own form and have it post to your script with any data they want, and they can have it post every second till the end of eternity. Limiting the number of submissions per an allotted time period per IP address is one way to stop this. You can also use one of those image generators that asks the user to enter in the letters that it spells out and not submit the form if they're wrong (though those kinda suck).
 
I have dealt with this form post hacking problem all weekend on my site, exactly as you describe. This is a new email problem really hitting big on the internet the last 2 weeks or so. I have found a solution that works. Here it is.

Let's assume you are using PHP code to capture your form data and email it to you. This jerk is adding extra line breaks and his own email headers so your PHP code sends his spam for him. The solution is to remove the possibility of anyone adding extra line breaks or headers to any input field on your form. Javascript is not enough. I also saw fields on my form with a limit of 5 characters getting flooded with his crap code. Of course you need to have javascript form validation on your site, but the solution should be in the PHP code that sends the email. The PHP code below does this, and also looks for any email address based on my own url. Why does this matter? Because this jerk was sending about 25 requests within 2 minutes with nothing but made-up email addresses in every field. I don't know why, but it got real annoying after 200 bogus form submissions came through in 2 days. Anyway, here is my code:

$name = trim($_REQUEST['name'] ?? '');
// reject the field if it carries a line break, a mail header, or an address at my own domain
if (preg_match("/\r|\n|MIME-Version:|@mover-quest\.com/i", $name)) {
    die();
}

The first line captures the data from the form on the site, and puts it in a variable called $name (which contains the exact data entered from the site user with extra spaces trimmed away). Then I check to see if $name contains \r or \n (carriage return and line feed) or MIME-Version: or an email address from my site. If so, die(), which basically shuts down the form submission process before it's sent, and the spammer sees nothing but a blank white screen. You would add this code for every variable.

This code is better than other code I have seen that only strips out the \r and \n because that other code did work but I was still getting the bogus hacking attempts. This code never even tells me there was an attempt. This jerk could be hitting my site 200 more times and I'll never have to see it.

There is one last bit of code I added that was useful. I noticed sometimes he submitted nothing but empty values in every field. There is no bad code to strip out, but I still have to delete dozens of empty emails. I do have javascript that requires certain fields to be filled out. For anyone getting past that, I needed a test to look for empty fields that should contain some data, and if so I assume its the hacker, so die(). Here it is:

if ($name == ""){
die();
}

I only use this last code for a couple of variables that have required fields on my form, like the name field. I had to protect myself from every possible way he could abuse my form, and I think this is it. This catches everything without bothering me at all. Perfect.
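The check above, written out as an added example in Python (not code from the post or its author, which is PHP), with a second function that shows why the line-break test is the important one: if a mailer copies a field value into a header such as From:, any CRLF inside the value starts new headers, and a bcc: among them turns the form into a relay. The sample value is constructed to resemble the submissions quoted in the thread; the addresses and the domain passed as own_domain are placeholders.

```python
import re
from email.parser import Parser

# Constructed sample value of the kind the thread reports arriving in a
# single form field; addresses are placeholders, not the ones in the post.
INJECTED_VALUE = (
    'pxbw@example.com\r\n'
    'Content-Type: multipart/mixed; boundary="===============1511639006=="\r\n'
    'MIME-Version: 1.0\r\n'
    'Subject: 38493bc\r\n'
    'To: pxbw@example.com\r\n'
    'bcc: relay-target@example.net\r\n'
    'From: pxbw@example.com\r\n'
    '\r\n'
    'This is a multi-part message in MIME format.\r\n'
)

# Header names a visitor would never legitimately type into a contact form.
HEADER_TOKENS = re.compile(
    r'(?i)\b(mime-version|content-type|content-transfer-encoding|bcc)\s*:')


def is_header_injection(value: str, own_domain: str) -> bool:
    """Return True if this field value should cause the whole submission to be dropped.

    Same three tests as the PHP snippet in the post, generalized: any carriage
    return or line feed, any mail-header token, or an address at the site's own
    domain (the post's spammer filled every field with such addresses).
    """
    if '\r' in value or '\n' in value:
        return True
    if HEADER_TOKENS.search(value):
        return True
    if ('@' + own_domain).lower() in value.lower():
        return True
    return False


def headers_seen_by_mailer(header_name: str, value: str) -> list:
    """Show what a mailer produces when it writes the field into a header.

    Builds '<header_name>: <value>' followed by a body, parses it the way a mail
    library would, and returns the lower-cased header names that result. A value
    with embedded CRLFs yields extra headers, including any bcc: it carries.
    """
    raw = f'{header_name}: {value}\r\n\r\n(form contents here)\r\n'
    msg = Parser().parsestr(raw)
    return [name.lower() for name in msg.keys()]


if __name__ == '__main__':
    print(headers_seen_by_mailer('From', 'visitor@example.org'))
    print(headers_seen_by_mailer('From', INJECTED_VALUE))
    print(is_header_injection(INJECTED_VALUE, 'mover-quest.com'))
```

The own-domain test matches "@" plus the domain rather than the bare domain name, so a visitor who mentions the site by name in a comments field is not rejected; only an address at the domain trips it. Apply is_header_injection to every field, as the post says, because a script cannot know which field ends up in a header and so tries all of them.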
 
Thanks, Mav.
I've been considering a similar solution in ColdFusion - basically server side validation. I already check for the required fields using server side code (since not everyone has javascript working), so I just have to figure out the same type of code you used to check for carriage returns, etc. I'm trying to build the code as generic as possible so I can just plug it in to my forms from now on, and maybe only have to change a couple of things.

Oh, and welcome to the forums!

Gary
 
I've seen the exact same thing on several of my sites the last few weeks. For me it seems to come in batches of 5 or 6 bogus form submits.

I initially added IP logging, and had my ISP block those. But then it happens again from a different IP, so that doesn't work. As noted above, you need to trap this on the server end. I do something very similar using ASP.

What I don't understand is what this hack is attempting to do. However, I did find a few things:

* This is not an interactive form post. UserAgent is reported as Java. So most likely a script is submitting the data.

* He seems to be trying to insert multipart data into fields - possibly some sort of buffer overflow attempt? I just drop everything after the first 25 characters before processing the field, so hopefully that should stop the overflow.

* In my case, a form with 6 fields generates 6 bogus emails. So I'm guessing he's automatically parsing the form, and attempting to insert multipart data into each field in turn.

* He is faking the "Referrer" header in case you are checking on that.

Anyone have any idea what the intended purpose is? Have you verified if he's actually able to relay spam this way?
 
I am working on a document about this. Basically, people are abusing Google to find such forms and then trying to hack with them; ASP upload forums are particularly vulnerable.
 
Those vulnerabilities are more of a result of unqualified people creating forms, or should I say code generators creating forms, that aren't secure. All forms could and should be secure, but people are either too lazy to do so, or don't know how to.
 
Stephen
I'd be very interested in seeing the doc when you're ready. Right now this is more of an annoyance, but it does seem to be hitting more of my forms. All my ASPUpload forms are password protected, so it hasn't hit there yet. The forms that have mainly been hit are using the SMTPsvg.Mailer component, but I don't see how that would be visible to hackers.
 
jonyah said:
those vulnerabilities are more of a result of unqualified people creating forms ....

Jonyah, I beg to differ. You're probably right that there are a lot of insecure auto-generated forms out there, but all of mine are hand-coded, have validation client side and server side, yet are being repeatedly hit. My suspicion is that they are looking for server vulnerabilities, probably the buffer overflow trick where you send a huge amount of data in a form field hoping to cause the server to crash and reveal other vulnerabilities. My host (not Jodo for the affected forms) assures me that no spam is being relayed through my domain because of this.

In case it's of value to anyone else, here are the steps I take on all forms:
1) client-side checks for blank required fields (inc. basic validation for email fields, and IsNaN for number fields)
2) all input fields have maxlength="nnn" set to reasonable minimum values
3) server side, the first thing I do is store all fields to variables, again dropping anything over the maxlength (e.g. with ASP: name = left(request.form("name"), 25))
4) then do any other validity checking of fields before taking any action (i.e. send email or write to db)

I used to check HTTP_Referer, but this caused problems with valid users on some Macs, and with Norton, so this is no longer an option. This hack has obviously anticipated this, since it fakes the referer header (incorrectly, as it turns out).

Unfortunately, since this hack puts bogus emails in most fields, it still passes most of my checks. I'm going to try the fix suggested above, dropping any forms that send me my own domain name as part of the email.
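The four steps above, plus the own-domain check the post says it will adopt, as one generic server-side routine of the kind Gary asked for earlier in the thread. This is an added example in Python, not the poster's ASP; the field specification, the submissions and the domain are constructed placeholders. The one departure from the steps as listed: the line-break test runs on the untruncated input, so a submission is refused outright rather than mailed in cut-down form.

```python
import re

EMAIL_RE = re.compile(r'^[^@\s]+@[^@\s]+\.[^@\s]+$')
NUMBER_RE = re.compile(r'^-?\d+(\.\d+)?$')

# Constructed server-side field specification. It mirrors the maxlength and
# required attributes on the HTML form, which the server must not rely on.
FORM_SPEC = {
    'name':     {'maxlength': 25,  'required': True,  'kind': 'text'},
    'email':    {'maxlength': 60,  'required': True,  'kind': 'email'},
    'city':     {'maxlength': 50,  'required': False, 'kind': 'text'},
    'guests':   {'maxlength': 4,   'required': False, 'kind': 'number'},
    'comments': {'maxlength': 500, 'required': False, 'kind': 'text'},
}


def clean_form(submitted: dict, spec: dict = FORM_SPEC, own_domain: str = 'example.com'):
    """Apply the post's server-side steps to one submission.

    Returns (fields, errors). fields holds every specified field truncated to
    its maxlength and trimmed; errors is empty only for a submission worth
    mailing. Inputs not in the spec are ignored, so a script that adds its own
    fields gains nothing.
    """
    fields, errors = {}, []
    for name, rule in spec.items():
        raw = submitted.get(name, '')
        # Step 3: cut at maxlength before doing anything else with the value.
        value = raw[:rule['maxlength']].strip()
        fields[name] = value
        # Step 1 repeated on the server: required fields must not be blank.
        if value == '':
            if rule['required']:
                errors.append(f'{name}: required')
            continue
        # Step 4: validity checks. Line breaks are tested on the untruncated
        # input so injected headers that began past the cut-off still refuse
        # the submission instead of being silently dropped.
        if '\r' in raw or '\n' in raw:
            errors.append(f'{name}: line break')
        if rule['kind'] == 'email':
            if not EMAIL_RE.match(value):
                errors.append(f'{name}: not an address')
            elif value.lower().endswith('@' + own_domain.lower()):
                errors.append(f'{name}: address at own domain')
        elif rule['kind'] == 'number' and not NUMBER_RE.match(value):
            errors.append(f'{name}: not a number')
    return fields, errors


# Constructed submissions: one from a visitor, one shaped like the thread's bogus posts.
GOOD_SUBMISSION = {'name': 'Ann Visitor', 'email': 'ann@example.org',
                   'city': 'Denver', 'guests': '4', 'comments': 'Booking enquiry'}
BOGUS_SUBMISSION = {'name': '', 'email': 'pxbw@example.com',
                    'city': 'pxbw@example.com\r\nMIME-Version: 1.0\r\nbcc: someone@example.net',
                    'guests': 'pxbw@example.com', 'extra': 'ignored'}


if __name__ == '__main__':
    for label, sub in (('good', GOOD_SUBMISSION), ('bogus', BOGUS_SUBMISSION)):
        fields, errors = clean_form(sub)
        print(label, errors or 'accepted', fields)
```

Truncation alone does not make the bogus submission safe to mail: after the cut at 50 characters the City value in the sample still ends in a bare CR, and a shorter payload would survive intact, which is why the line-break and own-domain tests sit alongside the length limit rather than replacing it.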
 