[ciapug] Re: Re: php mail injection attack
parksmike at dwx.com
parksmike at dwx.com
Wed Dec 14 12:08:40 CST 2005
Yeah, I know I didn't change the subject line. My bad.
<><><><><><><><><><><><><><><>
Mike Parks
----- Original Message -----
From: ciapug-request at cialug.org [mailto:ciapug-request at cialug.org]
Sent: 12/14/2005 12:00:04 PM
To: ciapug at cialug.org
Subject: ciapug Digest, Vol 8, Issue 7
> Send ciapug mailing list submissions to
> ciapug at cialug.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://cialug.org/mailman/listinfo/ciapug
> or, via email, send a message with subject or body 'help' to
> ciapug-request at cialug.org
>
> You can reach the person managing the list at
> ciapug-owner at cialug.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of ciapug digest..."
>
>
> Today's Topics:
>
> 1. Re: ciapug Digest, Vol 8, Issue 6 (parksmike at dwx.com)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 13 Dec 2005 15:20:13 -0600
> From: "parksmike at dwx.com" <parksmike at dwx.com>
> Subject: [ciapug] Re: ciapug Digest, Vol 8, Issue 6
> To: ciapug at cialug.org
> Message-ID: <99b09bdf47fa45e796364ac18509ca22.parksmike at dwx.com>
> Content-Type: text/plain; charset=iso-8859-1
>
> I've been working on this class file to send email and do some intrusion detection. I allow a Bcc or CC that is programmed in; most of the time I have it commented out. I have an outside function that checks the address format and does an MX lookup to verify the domain. I will be moving it into this function in the future.
> <?php
> class Email{
>     // Set by the caller before SendMail() runs. CcMail/BcMail are the
>     // programmed-in copies; the rest come from the form.
>     var $FromMail;
>     var $ToMail;
>     var $CcMail;
>     var $BcMail;
>     var $Subject;
>     var $Message;
>
>     function SendMail(){
>         $boundary = "b".md5(uniqid(time()));
>         $Message = stripslashes($this->Message);
>
>         // Check the individual values *before* they are assembled into the
>         // header block. Testing the finished $headers string for "cc:" would
>         // match on every request once the Cc:/Bcc: lines below are present.
>         $fields = array($this->FromMail, $this->ToMail, $this->CcMail, $this->BcMail, $this->Subject);
>         foreach($fields as $value){
>             $value = (string)$value;
>             // A header can only be injected through an embedded CR/LF, so
>             // flag those in addition to a smuggled "cc:".
>             if (stristr($value,"cc:") || preg_match('/[\r\n]/', $value)) {
>                 $notice = <<<EOD
> <h2><font color="red">Intrusion detection!</font></h2>
> <p>Possible intrusion script detected. The following IP address<br> was detected sending invalid responses to this email script. <br><strong>{$_SERVER['REMOTE_ADDR']}</strong> has been recorded for tracking.</p>
> EOD;
>                 print $notice;
>                 error_log("Intrusion detected on <DOMAIN> IP Address:" . $_SERVER['REMOTE_ADDR'],1,"email at domain.com");
>                 exit();
>             }
>         }
>
>         // Only build the header block from values that passed the check.
>         $headers  = "From: ".$this->FromMail."\n";
>         $headers .= "Cc: ".$this->CcMail."\n";
>         $headers .= "Bcc: ".$this->BcMail."\n";
>         $headers .= "Return-Path: ".$this->FromMail."\n";
>         $headers .= "X-Rcpt-To: ".$this->FromMail."\n";
>         $headers .= "X-Priority: 3\n";
>         $headers .= "X-MSMail-Priority: Normal\n";
>         $headers .= "X-Mailer: PHP Mailer\n";
>         $headers .= "Origin: ". $_SERVER['REMOTE_ADDR']."\n";
>
>         mail($this->ToMail, $this->Subject, $Message, $headers) or die("Message could not be sent");
>     }
> }
> ?>
>
> <><><><><><><><><><><><><><><>
> Mike Parks
>
> ----- Original Message -----
> From: ciapug-request at cialug.org [mailto:ciapug-request at cialug.org]
> Sent: 12/13/2005 12:00:03 PM
> To: ciapug at cialug.org
> Subject: ciapug Digest, Vol 8, Issue 6
>
> > Today's Topics:
> >
> > 1. php mail injection attack (Barry Von Ahsen)
> > 2. Re: mysqli prepared statements (Scott Phillips)
> > 3. Re: mysqli prepared statements (Dave J. Hala Jr.)
> > 4. RE: mysqli prepared statements (Carl Olsen)
> > 5. Re: mysqli prepared statements (Tim Champion)
> > 6. RE: mysqli prepared statements (Carl Olsen)
> >
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Mon, 12 Dec 2005 15:29:15 -0600
> > From: Barry Von Ahsen <barry at vonahsen.com>
> > Subject: [ciapug] php mail injection attack
> > To: ciapug at cialug.org
> > Message-ID: <439DEBAB.8010702 at vonahsen.com>
> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> >
> > One of my contact forms was being used to spam via PHP mail injection; I
> > thought the group may benefit from the knowledge/solution.
> >
> > this is the page everyone else links to about the subject:
> > http://securephp.damonkohler.com/index.php/Email_Injection
> >
> > basically, anywhere you pass form variables to be used in the header of
> > mail() [e.g. from or subject], you can pass line feeds to the form, and
> > insert your own headers like so:
> >
> > $_POST['from'] = "spammer at scumbag.com\n bcc: unlucky1 at recipient.com,
> > unlucky2 at adslfkj.com, \n lemme tell ya bout these blue pills..."
> >
> > anyhow, here is an easy function to sanitize your fields - it just
> > strips out all line feeds from the post vars. I'm calling it like
> >
> > $from = stripcrlf($_POST['from']);
> > $subject = stripcrlf($_POST['subject']);
> >
> > %0A and %0D are \n and \r urlencoded
> >
> > /* ------------------------------------------- */
> > function stripcrlf($string) {
> > /* ------------------------------------------- */
> >     // Drop raw CR/LF and their URL-encoded forms in a single pass;
> >     // the four nested preg_replace() calls collapse into one alternation.
> >     return preg_replace('/\r|\n|%0A|%0D/', '', $string);
> > }
> >
> >
> > -barry
> >
> >
> >
> >
> >
> >
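Added example, not code from Barry's or Mike's post: it builds the header block a contact form would hand to mail() from a constructed payload of the kind Barry shows, so the injected Bcc line and body are visible; then applies the line-break check Mike's class is after, on the raw form fields rather than on the assembled header block (where a substring test for "cc:" fires on every request once a Cc: line is present); and finally shows what Barry's stripcrlf() leaves behind. The function names, addresses and payload are assumptions for the demo, and mail() is never called, so the script runs offline on PHP 7 or later.

```php
<?php
// Added example (not from either post). Demonstrates PHP mail() header
// injection and two defences: refuse the request, or strip the line breaks.
// Nothing is sent; build_headers() returns the block so it can be inspected.
// Field names, addresses and the payload below are constructed for the demo.

/**
 * A header value is only dangerous if it can start a new line, so the test
 * is for CR/LF in raw or URL-encoded form. Returns true when the value is safe.
 */
function header_value_is_safe(string $value): bool
{
    return preg_match('/\r|\n|%0A|%0D/i', $value) !== 1;
}

/** Barry's alternative: strip the line breaks instead of refusing. */
function stripcrlf(string $value): string
{
    return preg_replace('/\r|\n|%0A|%0D/i', '', $value);
}

/**
 * Build the additional_headers block a contact form would hand to mail().
 * With $detect = false the user-supplied From value goes in unchecked,
 * which is the vulnerable behaviour. Returns ['ok', 'headers', 'reason'].
 */
function build_headers(string $from, string $replyTo, bool $detect = true): array
{
    foreach (['From' => $from, 'Reply-To' => $replyTo] as $name => $value) {
        if ($detect && !header_value_is_safe($value)) {
            // Check each field on its own: a substring test on the finished
            // block would match the Cc:/Bcc: lines the script adds itself.
            return ['ok' => false, 'headers' => '', 'reason' => "$name contains a line break"];
        }
    }
    // CRLF between headers, as the mail() documentation asks for.
    $headers  = "From: $from\r\n";
    $headers .= "Reply-To: $replyTo\r\n";
    $headers .= "X-Mailer: PHP Mailer\r\n";
    return ['ok' => true, 'headers' => $headers, 'reason' => ''];
}

// Constructed payload modelled on Barry's message: the From field carries
// a Bcc header plus a blank line and a body of its own.
$payload = "spammer@example.com\n"
         . "Bcc: unlucky1@example.net, unlucky2@example.org\n"
         . "\n"
         . "lemme tell ya bout these blue pills...";

$vulnerable = build_headers($payload, 'noreply@example.com', false);
echo "--- header block with no check ---\n{$vulnerable['headers']}\n";
// The Bcc line is now a real header, and the blank line ends the header
// block, so the text after it is delivered as the spammer's message body.

$checked = build_headers($payload, 'noreply@example.com');
if (!$checked['ok']) {
    // Mike's logging of the source address; REMOTE_ADDR is unset on the CLI.
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'cli';
    error_log("Possible mail injection from $ip: {$checked['reason']}");
    echo "refused: {$checked['reason']}\n";
}

// Stripping keeps the request alive but leaves a mangled From address
// ("spammer@example.comBcc: unlucky1@..."), which is why refusing is cleaner.
$cleaned = build_headers(stripcrlf($payload), 'noreply@example.com');
echo "--- header block after stripcrlf() ---\n{$cleaned['headers']}";
```

Run it with `php demo.php` and compare the three blocks. One caveat worth knowing: current PHP releases refuse an additional_headers string that contains a blank line or a trailing newline ("Multiple or malformed newlines found in additional_header"), but a single injected header line with a normal line ending still passes through to the MTA, so the per-field check above is still required.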
> > ------------------------------
> >
> > Message: 2
> > Date: Mon, 12 Dec 2005 16:12:22 -0600
> > From: Scott Phillips <scott.phillips at DRAKE.EDU>
> > Subject: Re: [ciapug] mysqli prepared statements
> > To: ciapug at cialug.org
> > Message-ID: <5.2.0.9.0.20051212160425.0233f578 at mail.drake.edu>
> > Content-Type: text/plain; format=flowed; charset=us-ascii
> >
> > I think the resounding silence following your question can be translated
> > into, "No. We don't know."
> >
> > Regarding your current approach... Do you lock the table before the insert
> > and unlock it after you select the max id? Otherwise, another record could
> > be inserted between the two and you'll end up with the wrong id. That's how
> > I do it, anyway. Is there a better way?
> >
> >
> >
> > At 10:26 AM 12/10/2005 -0600, you wrote:
> > >Does anyone know if you can use the mysqli->insert_id inside a prepared
> > >statement to get the id of the record that has just been inserted?
> > >
> > >I'm doing it with a select statement which uses the same parameters as the
> > >insert statement and selects "MAX(id) AS id" as the output parameter. It
> > >works, but it's easy to make an error when typing it in.
> > >
> > >Carl
> > >http://www.carl-olsen.com/
> > >
> > >_______________________________________________
> > >ciapug mailing list
> > >ciapug at cialug.org
> > >http://cialug.org/mailman/listinfo/ciapug
> >
> >
> >
> > ------------------------------
> >
> > Message: 3
> > Date: Mon, 12 Dec 2005 16:51:08 -0600
> > From: "Dave J. Hala Jr." <dave at 58ghz.net>
> > Subject: Re: [ciapug] mysqli prepared statements
> > To: PHP List <ciapug at cialug.org>
> > Message-ID: <1134427868.13267.74.camel at dsl-69.marshallnet.com>
> > Content-Type: text/plain
> >
> > You could add a "random number" field to your table. Then generate a
> > large random number and add to your insert. Then query for the record id
> > that matches the random number you inserted.
> >
> > Like this:
> >
> > INSERT mytable (data,random) values ('$data',$random_number);
> >
> > Then
> >
> > SELECT id from mytable WHERE random='$random_number';
> >
> > Not terribly elegant -but it would work.
> >
> > :) Dave
> >
> >
> >
> > --
> >
> > Open Source Information Systems, Inc. (OSIS)
> > Dave J. Hala Jr., President <dave at osis.us>
> > 641.485.1606
> >
> >
> >
> > ------------------------------
> >
> > Message: 4
> > Date: Mon, 12 Dec 2005 20:02:13 -0600
> > From: "Carl Olsen" <carl-olsen at mchsi.com>
> > Subject: RE: [ciapug] mysqli prepared statements
> > To: <ciapug at cialug.org>
> > Message-ID: <00a501c5ff89$3c6c7370$1c00a8c0 at workstation8>
> > Content-Type: text/plain; charset="us-ascii"
> >
> > In SQL Server there is a function I can use to return the id number of the
> > record using a stored procedure, but I haven't figured out how to do it with
> > MySQLi prepared statements (using MySQL 4.1). I haven't tried using MySQL
> > stored procedures yet (MySQL 5), so maybe there's a function for it. The
> > stupid book I'm reading suggested the MAX(id) method, feeding in the
> > parameters that were just used to create the insert statement to make it
> > hard to return the wrong id (using the same parameters in the WHERE clause).
> > I can see why the book thinks this is a better method than simply requesting
> > the MAX(id), but I like the way SQL Server does it much better. Since
> > MySQLi has a function for insert_id, it seems to suggest there would be
> > something similar for a MySQLi prepared statement.
> >
> >
> >
> >
> > ------------------------------
> >
> > Message: 5
> > Date: Tue, 13 Dec 2005 08:30:38 -0600
> > From: Tim Champion <timchampion at bigfoot.com>
> > Subject: Re: [ciapug] mysqli prepared statements
> > To: ciapug at cialug.org
> > Message-ID:
> > <7aa1cdb20512130630y29c7ae55qd79b0caa54aabdc4 at mail.gmail.com>
> > Content-Type: text/plain; charset=ISO-8859-1
> >
> > Maybe I'm missing something here, but have you tried the PHP function:
> > mysql_insert_id()?
> > http://us3.php.net/mysql_insert_id
> >
> >
> >
> > --
> > Tim Champion
> > timchampion at bigfoot.com
> >
> >
> > ------------------------------
> >
> > Message: 6
> > Date: Tue, 13 Dec 2005 10:59:42 -0600
> > From: "Carl Olsen" <carl-olsen at mchsi.com>
> > Subject: RE: [ciapug] mysqli prepared statements
> > To: <ciapug at cialug.org>
> > Message-ID: <002e01c60006$9d7cbf80$1c00a8c0 at workstation8>
> > Content-Type: text/plain; charset="us-ascii"
> >
> > Yes. You are missing two things. The function would be mysqli_insert_id
> > (http://us3.php.net/manual/en/function.mysqli-insert-id.php), and I need to
> > use it in a prepared statement, so it would be $stmt->insert_id or something
> > like that. I haven't tried it yet, so maybe it works. I was just wondering
> > if anyone had actually used it and could tell me if it works.
> >
> >
> >
> >
> > ------------------------------
> >
> >
> >
> > End of ciapug Digest, Vol 8, Issue 6
> > ************************************
> >
>
>
>
> ------------------------------
>
>
>
> End of ciapug Digest, Vol 8, Issue 7
> ************************************
>