E-Scribe News : a programmer’s blog

About Me

My name is Paul Bissex, and e-scribe.com is my consulting business. I build web applications using as much open source software as possible. From September to June I teach web design and other important non-photographic professional skills to photographers. In the '90s I wrote technology commentary and reviews for magazines, newspapers, and web publications, including Wired, Salon.com, FamilyPC, the late lamented Web Review, and the Chicago Tribune. Feel free to email me.

Colophon

This runs on Django, served by Apache and mod_python. The database is SQLite. The operating system is FreeBSD, on a VPS hosted at Johncompanies.com. Comment-spam protection by Akismet. Vintage topo imagery from the Maptech archive. The markup engine is Markdown.

The Book

I'm co-author of "Python Web Development with Django", an excellent guide to my favorite web framework. Published by Addison-Wesley in October 2008, it is available from Amazon and your favorite technical bookstore as well. Click on the book title above to learn more.

Stuff I Use

Akismet, del.icio.us, Django, dpaste.com, Emacs, FreeBSD, Freenode, jQuery, LaunchBar, MacPorts, Markdown, Mercurial, OS X, Postfix, Python, SQLite, Subversion, TextMate, Trac, Ubuntu Linux, wmii

Spam Report

At least 45528 pieces of comment spam killed since January 12th, mostly via Akismet.

Form hijacking

Does your website contain mail forms that aren't sanitizing input as aggressively as they should? There seems to have been a recent surge in automated (or semi-automated, it's hard to tell) probes and exploits of form mail scripts, all revolving around injecting headers into sent mail.

Here's how it works. Say you have a form that lets the user enter their email address, and your script drops that value straight into the From header of the outgoing mail. Mail headers are one per line, so the black hat's exploit script submits a value for that field that contains a newline (CR or LF), followed by whatever headers they want to add: Bcc, for example, to send your mail to their list of recipients, or even a full-blown MIME-Version/Content-Type block that replaces the message body with their own.

This is especially a problem in PHP because what's commonly thought of as the "From" parameter to the mail() function (its fourth argument) is actually an "additional headers" parameter. It accepts a single string containing any number of headers separated by newlines -- which is exactly what the spammers are happy to provide.

The defense is very basic input scrubbing (or bulletproof validation of From addresses) that you'd think would already be in place everywhere, but I was surprised to find several forms on my various sites that were vulnerable to this -- in some cases forms that had been online for several years with zero abuse.

Rather than cast about for the perfect email address validator, I changed the form processing scripts to strip newline characters (both CR and LF, since either one can end a header line) from user input. That's enough to prevent hijacking, because a value with no line breaks can't start a new header, but not enough to prevent incredible annoyance, since some forms were being probed dozens of times a day, filling up my spambox with garbled mail. So I added a second check that simply rejects any submission if the string "MIME-Version" appears in any of the submitted fields. Crude but effective.
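The injection described above and the two-part fix, as an added example in Python; this is not the post's own form script (which isn't shown) and the addresses, subject and injected values are constructed for the example. The vulnerable builder concatenates the From value into the header block the way a naive form-mail script (or PHP's "additional headers" string) does; the hardened builder rejects anything mentioning MIME-Version and strips CR/LF before the value reaches the headers. Parsing the result with the standard library's email parser shows which headers the receiving side would actually see.

```python
import re
from email.parser import Parser

# Constructed sample inputs for this example (not from the original post).
LEGIT_FROM = "alice@example.com"
# Classic probe: a plausible address, a newline, then an extra Bcc header.
INJECTED_FROM = "alice@example.com\nBcc: victim1@example.net, victim2@example.net"
# Full hijack: CRLF, a MIME header block, a blank line, and the spammer's own body.
MIME_FROM = (
    "alice@example.com\r\nMIME-Version: 1.0\r\nContent-Type: text/plain\r\n\r\n"
    "Buy now!"
)


class HeaderInjection(ValueError):
    """Raised when a submission trips the MIME-Version check."""


def build_message_vulnerable(to_addr, subject, body, from_addr):
    """The bug: untrusted from_addr goes straight into the header block.
    Everything after a line break in it becomes additional headers."""
    return (
        f"To: {to_addr}\r\n"
        f"Subject: {subject}\r\n"
        f"From: {from_addr}\r\n"
        "\r\n"
        f"{body}"
    )


CRLF_RE = re.compile(r"[\r\n]")


def scrub(value):
    """Strip CR and LF: with no line break left, a value cannot add a header."""
    return CRLF_RE.sub("", value)


def build_message_hardened(to_addr, subject, body, from_addr):
    """The post's defense: refuse anything mentioning MIME-Version (compared
    case-insensitively here, an addition to the post's literal check), then
    strip CR/LF from every user-supplied value that lands in a header.
    to_addr is the site's own recipient, never taken from the form."""
    for field in (subject, body, from_addr):
        if "mime-version" in field.lower():
            raise HeaderInjection("MIME-Version found in submitted field")
    # The body sits after the blank line, so its own newlines can't add headers.
    return build_message_vulnerable(to_addr, subject, body, scrub(from_addr))


def accepts(to_addr, subject, body, from_addr):
    """True if the hardened builder accepts the submission, False if rejected."""
    try:
        build_message_hardened(to_addr, subject, body, from_addr)
        return True
    except HeaderInjection:
        return False


def header_values(raw, name):
    """Parse a raw message and return every value of the named header."""
    msg = Parser().parsestr(raw)
    return msg.get_all(name) or []


if __name__ == "__main__":
    to, subj, body = "owner@example.org", "Contact form", "hello from the form"
    bad = build_message_vulnerable(to, subj, body, INJECTED_FROM)
    print("vulnerable Bcc:", header_values(bad, "Bcc"))
    good = build_message_hardened(to, subj, body, INJECTED_FROM)
    print("hardened Bcc:", header_values(good, "Bcc"))
    print("hardened From:", header_values(good, "From"))
    print("MIME hijack accepted?", accepts(to, subj, body, MIME_FROM))
```

Stripping rather than rejecting leaves a mangled From value ("alice@example.comBcc: ...") on the probes that do get through, which is exactly the garbled mail the second check exists to stop; if you'd rather never see them, reject any value containing a line break instead of scrubbing it.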

Damon Kohler's "Secure PHP" site has a more detailed explanation of this type of exploit.

Tuesday, November 15th, 2005
+ + +
1 comment

Comment from web design blog, 2 years later

They like to inject forms and enter tons of characters in attempts to break the page. You can add filters, and even things like mod_security for enhanced protection. However, I am still looking for a way to be able to monitor this kind of thing on the server level.
