[Oscailt] Re: [Imc-ireland-tech] argh, spamgateway

chekov chekov at indymedia.ie
Sat Dec 3 06:10:10 PST 2005


Kino wrote:

> I sent this message to the list, but it probably got stopped by the 
> spam filter, so I have removed the quoted spam below. Note that the 
> message itself is being sent as $email; it's between the ( mailto: ).
>
> I'm not sure how this is working to cause the bcc header to be read by 
> the MTA.
>
>
> ---------------------------------
> Contact.php is a spam gateway.
> I just got hit by it.
>
> $_REQUEST['email'] being passed without checks to mail() seems to allow
> the attacker to add headers (in this case bcc:) to the email.
>
> a disaster.
>
> Will post a fix, but I'm up to my eyes, hope someone else can look at 
> it; just a simple referrer check would suffice, I imagine.
>
> This is the message that was POSTed
>

Hi Kino,

Nice one for spotting this.  Indymedia Ireland has been getting hit by 
this as well.

I've inserted a fix into the Oscailt code (back-ported from 3.0) on 
Indymedia Ireland. It checks to make sure that the email address entered 
is vaguely similar to a valid email address, or refuses the posting.  It can 
be added at the end of contact.php, replacing the existing text from 
if($_REQUEST['send_message']!=null) onwards. We should send around a 
patch once we're sure that this solves the problem.

I reckon that the exploit involves a remote hacker sending a request 
with an embedded, encoded newline in the email field and a list of bcc: 
addresses following it.  I'm not sure if it worked, though, but the 
update should fix it.

Chekov

++++++++

// Accepts only addresses that look like user@host.tld. The 'D' modifier
// makes '$' match only at the very end of the string, so an address with a
// trailing newline (the start of an injected header) is rejected as well.
function isValidEmailAddress($addy)
{
   if (empty($addy)) return false;
   if (!preg_match('/^[a-zA-Z0-9&\'\.\-_\+]+\@[a-zA-Z0-9\.-]+\.[a-zA-Z]{2,6}$/D', $addy))
   {
      return false;
   }
   return true;
}


if($_REQUEST['send_message']!=null)
{
        if(strlen(trim($_REQUEST['name']))==0) writeError("You must specify your name!");
        else if(strlen(trim($_REQUEST['email']))==0) writeError("You must specify your email address!");
        else if(strlen(trim($_REQUEST['subject']))==0) writeError("You must specify the subject!");
        // Refuse the post outright if the address fails validation, so a
        // crafted value never reaches mail() as a header.
        else if(!isValidEmailAddress($_REQUEST['email']))
                writeError("You must provide a valid email address. " . htmlspecialchars($_REQUEST['email'], ENT_QUOTES) . " is not a valid address.");
        else if(strlen(trim($_REQUEST['message']))==0) writeError("You must include a message!");
        else
        {
                // Strip newlines from the other header-bound fields too.
                $subject = str_replace("\n", " ", $_REQUEST['subject']);
                $name = str_replace("\n", " ", $_REQUEST['name']);
                sendContactMessage($name, $_REQUEST['email'], $subject, $_REQUEST['message']);
                ?><BR><BR><center><big><B>Your message has been submitted!</B></big></center><BR><BR><?php
        }
}
else writeContactForm();
require_once("footer.inc");
?>
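The injection Kino and Chekov describe works because mail() treats every line of its headers argument as a separate header, so a form field that reaches it with an embedded newline can append "Bcc:" lines of the attacker's choosing. The following is an added example, not Oscailt's code: a small, self-contained handler that rejects any header-bound field containing CR, LF or NUL, validates the address with filter_var() (available from PHP 5.2, so newer than the 2005 code base), and only then builds the extra-headers string. buildContactHeaders() and containsHeaderBreak() are hypothetical names chosen for the example; the sample inputs are constructed, including one of the kind described in the thread, so the rejection path can be seen without a live MTA.

```php
<?php
// Added example (not Oscailt's code): header-injection-resistant contact handling.

// Reject any value that could end a header line: CR, LF or NUL.
function containsHeaderBreak(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// A single address: non-empty, no line breaks, and syntactically an email address.
// filter_var() with FILTER_VALIDATE_EMAIL refuses whitespace and control characters,
// but the explicit check above keeps the intent obvious and independent of it.
function isSafeEmailAddress(string $addy): bool
{
    if ($addy === '' || containsHeaderBreak($addy)) {
        return false;
    }
    return filter_var($addy, FILTER_VALIDATE_EMAIL) !== false;
}

// Build the extra-headers argument for mail(). Returns null when any input is
// unsafe, so the caller refuses the post instead of sending something half-sanitised.
function buildContactHeaders(string $name, string $email): ?string
{
    if (!isSafeEmailAddress($email) || containsHeaderBreak($name)) {
        return null;
    }
    // The display name is quoted; quotes and backslashes inside it are dropped
    // so the value cannot close the quoted string early.
    $safeName = str_replace(['"', '\\'], '', $name);
    return "From: \"{$safeName}\" <{$email}>\r\nReply-To: {$email}\r\n";
}

// Constructed sample inputs for demonstration only.
$samples = [
    ['Kino', 'kino@example.org'],
    // The pattern described in the thread: a newline followed by a Bcc: header.
    ['Kino', "kino@example.org\nBcc: someone@example.net"],
    // The same trick attempted through the name field instead.
    ["Kino\r\nBcc: someone@example.net", 'kino@example.org'],
    ['Kino', 'not an address'],
];

foreach ($samples as [$name, $email]) {
    $headers = buildContactHeaders($name, $email);
    if ($headers === null) {
        echo 'REJECTED name=' . json_encode($name) . ' email=' . json_encode($email) . "\n";
    } else {
        echo 'ACCEPTED headers=' . json_encode($headers) . "\n";
        // In a real handler this is the point at which
        // mail($to, $subject, $message, $headers) would be called.
    }
}
```

Only the first sample is accepted; the two with embedded line breaks and the malformed address are refused before anything is passed to mail(). Validating the address alone is not enough, which is why the name field (which also ends up in a header) gets the same line-break check rather than only having "\n" replaced.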
