[nycphp-talk] worm/virus's hammering feedback scripts?
Daniel Krook
krook at us.ibm.com
Mon Sep 12 09:32:02 EDT 2005
> It's a particularly ingenuous method of taking advantage
> of primarily the MIME standard. I typically look for the
> string 'Content-Type:' in any submitted fields, and if
> it's found, the script records the IP and notifies me.
This is important, I found injections in ALL my fields, not just the
obvious textarea fields. Hidden and regular text boxes have been used as
well, since this attack is automated and doesn't function as a normal
browser would.
> Since it's my understanding that the exploitation can't
> happen without the use of Content-Type: (the MIME header
> that dictates part of a message's structure), something
> like this has worked well:
>
> foreach( $form_fields as $value )
> {
> if( stripos($value,'Content-Type:') !== FALSE )
> {
> mail('admin at my.com','Spam Attempt',$_SERVER['REMOTE_ADDR']);
> exit("{$_SERVER['REMOTE_ADDR']} Has been Recorded");
> }
> }
>
A PHP4 version of the above looks something like this, and seems to work:
if (strpos(strtolower($someField), 'content-type:') !== false) {
mail('admin at example.net', 'Spam attempt from example.net',
$_SERVER['REMOTE_ADDR']);
} else {
mail('customerservice at example.net', 'Customer submission from
example.net', $msg, $headers);
}
> Of course complete input filtering might be the better
> solution to this.
Agreed.
Daniel Krook, Advisory IT Specialist
Application Development, Production Services - Tools, ibm.com
Personal: http://info.krook.org/
BluePages: http://bluepages.redirect.webahead.ibm.com/
BlogPages: http://blogpages.redirect.webahead.ibm.com/
More information about the talk
mailing list