[ADDRESSED] Contact Form Security - Sql injection & Spam Bots

Discussion regarding Joomla! security issues.

Geraint
Joomla! Guru
Posts: 561
Joined: Fri Aug 19, 2005 5:23 pm
Location: Gogledd Cymru

Re: Form Security - Sql injection & Spam Bots

Post by Geraint » Wed Nov 30, 2005 1:36 pm

Here's a fix to be considered

in contact.php c. line 360 change the code to read:

	mosMail( $email, $name , $contact[0]->email_to, $mosConfig_fromname .': '. $subject, $text );

	// Adds parameter handling
	$params = new mosParameters( $contact[0]->params );
	$doublecheckEmailCopy = $params->get('email_copy');	
	
	if ( $email_copy && $doublecheckEmailCopy) {
		$copy_text = sprintf( _COPY_TEXT, $contact[0]->name, $mosConfig_sitename );
		$copy_text = $copy_text ."\n\n". $text .'';

This forced the contact parameters to be checked so that if you say no copy to sender it really means no copy to sender regardless of where the POST comes from.

Does this help?

Geraint

vanwel
Joomla! Apprentice
Posts: 7
Joined: Wed Nov 30, 2005 12:53 pm

Re: Form Security - Sql injection & Spam Bots

Post by vanwel » Wed Nov 30, 2005 2:02 pm

I think my problem is a little more complicated.

I'm using Hot Property and with every property page, there is a sendenquiry form. This form is sent by HP, but you can configure it to use mosmail. That's why I thought changing it to mosmail and then fixing the Joomla form could do the job. But I don't understand that whole copy to sender thing.
It'll probably do nothing in my case. Hopefully it is helpful for the others.

I'll just paste a 'little bit' of code from my situation. If you have time and knowledge and want to help, thanks! If not, I understand. I already tried on the HP forum (forum.mosets.com), but I'm not really getting any answers. Someone showed me this topic.

function sendEnquiry() {
global $database, $Itemid, $mosConfig_live_site, $mosConfig_sef, $option;

$id = intval( mosGetParam( $_REQUEST, 'id', 0 ) );
$sbj = trim( strtolower( mosGetParam( $_POST, 'sbj', '' ) ) );

# Redirect to main listing if property/agent is invalid or not unpublish
if ($id == 0) mosRedirect(sefRelToAbs('index.php?option=com_hotproperty&Itemid='.$Itemid));
if (empty($sbj)) mosRedirect(sefRelToAbs('index.php?option=com_hotproperty&Itemid='.$Itemid));

if ($sbj == "property") {
if (!HP_isPropPublished($id)) mosRedirect(sefRelToAbs('index.php?option=com_hotproperty&Itemid='.$Itemid));
} elseif ($sbj == "agent") {
$database->setQuery("SELECT id FROM #__hp_agents WHERE id='".$id."' LIMIT 1");
$agentid = $database->loadResult();
if ( empty($agentid) ) {
mosRedirect(sefRelToAbs('index.php?option=com_hotproperty&Itemid='.$Itemid));
}
} elseif ($sbj == "company") {
$database->setQuery("SELECT id FROM #__hp_companies WHERE id='".$id."' LIMIT 1");
$companyid = $database->loadResult();
if ( empty($companyid) ) {
mosRedirect(sefRelToAbs('index.php?option=com_hotproperty&Itemid='.$Itemid));
}
}

# Assign form's value
$hp_email = trim( mosGetParam( $_POST, 'hp_email', '' ) );
$hp_contactnumber = trim( mosGetParam( $_POST, 'hp_contactnumber', '' ) );
$hp_name = trim( mosGetParam( $_POST, 'hp_name', '' ) );
$hp_enquiry = trim( mosGetParam( $_POST, 'hp_enquiry', '' ) );

# Validate form's data
if (!$hp_name || !$hp_enquiry){
echo "alert (\""._HP_CONTACT_ERR_COMPLETE."\"); window.history.go(-1);";
exit(0);
}
if (!$hp_email && !$hp_contactnumber){
echo "alert (\""._HP_CONTACT_ERR_ONECONTACT."\"); window.history.go(-1);";
exit(0);
}
if ($hp_email && !is_email($hp_email)) {
echo "alert (\""._HP_CONTACT_ERR_VALIDEMAIL."\"); window.history.go(-1);";
exit(0);
}

# Get agent's email & name, Property's title
if ($sbj == "property") {
$sql = "SELECT a.name AS name, a.email AS email, p.name AS propTitle FROM #__hp_properties AS p"
. "\nLEFT JOIN #__hp_agents AS a ON a.id=p.agent"
. "\nWHERE p.id='".$id."'";
} elseif ($sbj == "agent") {
$sql = "SELECT a.name AS name, a.email AS email FROM #__hp_agents AS a"
. "\nWHERE a.id='".$id."'";
} elseif ($sbj == "company") {
$sql = "SELECT c.name AS name, c.email AS email FROM #__hp_companies AS c"
. "\nWHERE c.id='".$id."'";
}
$database->setQuery($sql);
$database->loadObject($agent);

$email_to = $agent->email;

# Construct the email
$text  = ""._HP_CONTACT_ENQUIRY_TEXT.$hp_name;
$text .= "\n"._CMN_EMAIL.": ". $hp_email . "\n"._HP_CONTACTNUMBER.": ".$hp_contactnumber."\r\n".stripslashes($hp_enquiry);
if ($sbj == "property") {
$text .= "\n\n"._HP_CONTACT_ENQUIRY_TEXT2;
$text .= "\n\n\t";

if ($mosConfig_sef) {
$url = sefRelToAbs("index.php?option=com_hotproperty&task=view&id=$id");
} else {
// Get Itemid
$database->setQuery("SELECT id FROM #__menu WHERE link='index.php?option=$option'");
$Itemid = $database->loadResult();
$url = $mosConfig_live_site .'/'. "index.php?option=com_hotproperty&task=view&id=$id&Itemid=$Itemid";
}

$text .= $url;
}
if ($sbj == "property") $subject = _HP_CONTACT_ENQUIRY_SUBJECTP.$agent->propTitle;
elseif ($sbj == "agent") $subject = _HP_CONTACT_ENQUIRY_SUBJECTA;
elseif ($sbj == "company") $subject = _HP_CONTACT_ENQUIRY_SUBJECTC;

    $headers .= "From: ".$hp_name." <".$hp_email.">\r\n";
    $headers .= "Reply-To: <".$hp_email.">\r\n";
    $headers .= "X-Priority: 3\r\n";
    $headers .= "X-MSMail-Priority: Low\r\n";
    $headers .= "X-Mailer: Hot Property\r\n";
   
    # Send the email
    @mail($email_to, $subject, $text, $headers);

mosMail($hp_email,$hp_name,$email_to,$subject,$text);

if ($sbj == "property") { ?>
alert(""); document.location.href='';

alert(""); document.location.href='';

alert(""); document.location.href='';
<?php }

}

vanwel
Joomla! Apprentice
Posts: 7
Joined: Wed Nov 30, 2005 12:53 pm

Re: Form Security - Sql injection & Spam Bots

Post by vanwel » Wed Nov 30, 2005 2:03 pm

By the way, you can see this form in action on http://www.bogtrader.nl/BOG/Type/Bedrij ... acker/431/

louis.landry
Joomla! Ace
Posts: 1380
Joined: Wed Aug 17, 2005 11:03 pm
Location: San Jose, California

Re: Form Security - Sql injection & Spam Bots

Post by louis.landry » Wed Nov 30, 2005 2:10 pm

As to fixing the contact form, try adding this code to contact.php directly under the global variable declarations of the sendmail() function

	// First, make sure the form was posted from a browser.
	// For basic web-forms, we don't care about anything
	// other than requests from a browser:
	if(!isset($_SERVER['HTTP_USER_AGENT'])){
	   header("HTTP/1.0 403 Forbidden");
	   die("Forbidden - You are not authorized to view this page");
	}

	// Make sure the form was indeed POST'ed:
	//  (requires your html form to use: method="post")
	// Note: "!$_SERVER['REQUEST_METHOD'] == 'POST'" would negate first and
	// never match, so the method is compared directly.
	if($_SERVER['REQUEST_METHOD'] != "POST"){
	   header("HTTP/1.0 403 Forbidden");
	   die("Forbidden - You are not authorized to view this page");
	}

	// Attempt to defend against header injections:
	$badStrings = array("Content-Type:",
	                     "MIME-Version:",
	                     "Content-Transfer-Encoding:",
	                     "bcc:",
	                     "cc:");

	// Loop through each POST'ed value and test if it contains
	// one of the $badStrings (case-insensitive; non-string values are skipped):
	foreach($_POST as $k => $v){
	   if(!is_string($v)) continue;
	   foreach($badStrings as $v2){
	       if(stristr($v, $v2) !== false){
	           header("HTTP/1.0 403 Forbidden");
	           die("Forbidden - You are not authorized to view this page");
	       }
	   }
	}

	// Made it past spammer test, free up some memory
	// and continue rest of script:
	unset($k, $v, $v2, $badStrings);


This code could also conceivably be inserted at the beginning of the Hot Property function as well.

Louis
Joomla Platform Maintainer
A hacker does for love what others would not do for money.

vanwel
Joomla! Apprentice
Posts: 7
Joined: Wed Nov 30, 2005 12:53 pm

Re: Form Security - Sql injection & Spam Bots

Post by vanwel » Wed Nov 30, 2005 2:12 pm

Nice, thanks for the work!
Ehm.... could you tell me exactly where to put it? I'm still a beginner  :-[

louis.landry
Joomla! Ace
Posts: 1380
Joined: Wed Aug 17, 2005 11:03 pm
Location: San Jose, California

Re: Form Security - Sql injection & Spam Bots

Post by louis.landry » Wed Nov 30, 2005 2:20 pm

in the file: /components/com_contact/contact.php
my version of the file it is around line 340

you see:

function sendmail( $con_id, $option ) {
	global $database, $Itemid;
	global $mosConfig_sitename, $mosConfig_live_site, $mosConfig_mailfrom, $mosConfig_fromname;

insert:

	// First, make sure the form was posted from a browser.
	// For basic web-forms, we don't care about anything
	// other than requests from a browser:
	if(!isset($_SERVER['HTTP_USER_AGENT'])){
	   header("HTTP/1.0 403 Forbidden");
	   die("Forbidden - You are not authorized to view this page");
	}

	// Make sure the form was indeed POST'ed:
	//  (requires your html form to use: method="post")
	// Note: "!$_SERVER['REQUEST_METHOD'] == 'POST'" would negate first and
	// never match, so the method is compared directly.
	if($_SERVER['REQUEST_METHOD'] != "POST"){
	   header("HTTP/1.0 403 Forbidden");
	   die("Forbidden - You are not authorized to view this page");
	}

	// Attempt to defend against header injections:
	$badStrings = array("Content-Type:",
	                     "MIME-Version:",
	                     "Content-Transfer-Encoding:",
	                     "bcc:",
	                     "cc:");

	// Loop through each POST'ed value and test if it contains
	// one of the $badStrings (case-insensitive; non-string values are skipped):
	foreach($_POST as $k => $v){
	   if(!is_string($v)) continue;
	   foreach($badStrings as $v2){
	       if(stristr($v, $v2) !== false){
	           header("HTTP/1.0 403 Forbidden");
	           die("Forbidden - You are not authorized to view this page");
	       }
	   }
	}

	// Made it past spammer test, free up some memory
	// and continue rest of script:
	unset($k, $v, $v2, $badStrings);

Directly under that. 

Also, on the Hot Property function, I found one thing at a quick glance that might also help (though there is no reason to think that adding this code will not work with it).

change this:

    $headers .= "From: ".$hp_name." <".$hp_email.">\r\n";
    $headers .= "Reply-To: <".$hp_email.">\r\n";
    $headers .= "X-Priority: 3\r\n";
    $headers .= "X-MSMail-Priority: Low\r\n";
    $headers .= "X-Mailer: Hot Property\r\n";

to:

    $headers .= "From: ".$hp_name." <".$hp_email.">\r\n";
    $headers .= "Reply-To: <".$hp_email.">\r\n";
    $headers .= "X-Priority: 3\r\n";
    $headers .= "X-MSMail-Priority: Low\r\n";
    $headers .= "X-Mailer: Hot Property\r\n\r\n";

Adding the second \r\n at the end of the headers indicates the end of the header section. This should stop the mail function from being fooled into adding header information that was injected into the body section to the mail headers.

Louis
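
As an added example (not code from this thread, Joomla or Hot Property; all function names are assumed), the same checks with the request-method comparison written so it actually rejects, the header keywords matched case-insensitively, and any line break in a single-line field rejected outright rather than relying on a trailing \r\n\r\n:

```php
<?php
// Added example, not code from this thread, Joomla or Hot Property.
// Function names are assumed for the example.

// Single-line header fields (From:, Reply-To:, Subject:) must not contain CR, LF
// or NUL: a line break is what lets a submitter append headers such as Bcc: or
// Content-Type:, which is the injection the thread is trying to stop.
function containsHeaderBreak($value)
{
    return is_string($value) && preg_match('/[\r\n\0]/', $value) === 1;
}

// The keyword test from the thread, made case-insensitive and anchored to the
// start of a line, so "cc:" inside an ordinary sentence does not trip it.
function looksLikeInjectedHeader($value)
{
    if (!is_string($value)) {
        return false;
    }
    $pattern = '/(^|[\r\n])[ \t]*(bcc|cc|content-type|mime-version|content-transfer-encoding)[ \t]*:/i';
    return preg_match($pattern, $value) === 1;
}

// Returns null when the submission may be mailed, otherwise the reason it was
// rejected. $method and $post stand in for $_SERVER['REQUEST_METHOD'] and $_POST
// so the function can be exercised offline.
function validateContactSubmission($method, array $post)
{
    // "!$_SERVER['REQUEST_METHOD'] == 'POST'" negates first and compares false
    // with "POST", so it never rejects anything; compare the method directly.
    if ($method !== 'POST') {
        return 'request method is not POST';
    }
    foreach (array('name', 'email', 'subject') as $field) {
        $value = isset($post[$field]) ? $post[$field] : '';
        if (!is_string($value)) {
            return $field . ' is not a plain string';   // e.g. name[]=... posted as an array
        }
        if (containsHeaderBreak($value)) {
            return $field . ' contains a line break';
        }
    }
    $email = isset($post['email']) ? $post['email'] : '';
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'email address is not valid';
    }
    // The message body may span lines, so there only a line that starts with a
    // header name is rejected.
    foreach ($post as $key => $value) {
        if (looksLikeInjectedHeader($value)) {
            return $key . ' looks like a mail header';
        }
    }
    return null;
}

// Builds the additional headers for mail() only from values that already passed
// validateContactSubmission(). The display name is reduced to printable ASCII
// without quotes or angle brackets so it cannot reshape the address.
function buildMailHeaders($name, $email)
{
    $safeName = preg_replace('/[^\x20-\x7e]/', '', $name);
    $safeName = str_replace(array('"', '<', '>'), '', $safeName);
    return 'From: "' . $safeName . '" <' . $email . ">\r\n"
         . 'Reply-To: <' . $email . ">\r\n"
         . "X-Mailer: contact-form-example\r\n";
}

// Constructed sample submissions, not real traffic.
$legit = array(
    'name'    => 'Jane Doe',
    'email'   => 'jane@example.com',
    'subject' => 'Question about a listing',
    'text'    => "Hello,\nis the property still available?",
);
$injected = $legit;
$injected['name'] = "Jane Doe\r\nBcc: extra@example.net";

var_dump(validateContactSubmission('POST', $legit));
var_dump(validateContactSubmission('GET', $legit));
var_dump(validateContactSubmission('POST', $injected));
echo buildMailHeaders($legit['name'], $legit['email']);
```

Only the first call returns null; the GET and the submission with a line break in the name are each rejected before anything reaches mail().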

Geraint
Joomla! Guru
Posts: 561
Joined: Fri Aug 19, 2005 5:23 pm
Location: Gogledd Cymru

Re: Form Security - Sql injection & Spam Bots

Post by Geraint » Wed Nov 30, 2005 2:21 pm

@vanwel

My fix was intended to stop the Joomla contact form from being used to send spoof emails by spambots putting in target email addresses and posting from a 3rd party location to get around the email_copy field being unavailable on the form, as per ausmug and deejayh's problem.

@webImagery

It's quite easy to create a spoof user agent and the post needn't come from the server it says it's coming from (you can easily create an agent that changes the referrer field). Admittedly it takes a bit of thinking but it can be done.

Geraint

louis.landry
Joomla! Ace
Posts: 1380
Joined: Wed Aug 17, 2005 11:03 pm
Location: San Jose, California

Re: Form Security - Sql injection & Spam Bots

Post by louis.landry » Wed Nov 30, 2005 2:24 pm

I agree, but that doesn't mean that a quick conditional statement shouldn't be checked. I didn't claim that this was the end-all solution, but it also checks for injected headers, which is where my main concerns are.

Louis

vanwel
Joomla! Apprentice
Posts: 7
Joined: Wed Nov 30, 2005 12:53 pm

Re: Form Security - Sql injection & Spam Bots

Post by vanwel » Wed Nov 30, 2005 2:41 pm

Ok, I just did those two fixes. I sure hope it'll work. Will keep you posted, thanks for the effort.

Nic
Joomla! Guru
Posts: 618
Joined: Fri Aug 19, 2005 3:36 pm

Re: Form Security - Sql injection & Spam Bots

Post by Nic » Fri Dec 02, 2005 12:00 am

deejayh wrote: Can we add something to the form that will refuse to send it if various "banned" words are used - ie: if POKER was typed in by someone the form would be refused?

Can some developer have a look at this for us please. I am hearing more and more people complaining about Joomla forms being suspect. I have had my host warn me, so I have had to take any sort of contact form down!

Help!!
Dave

As stated above, word filters are not a very good protection as they can be easily overcome by 'cloaking' the words, but it might very well help to block a lot of the attacks (if they really almost all contain *poker* somewhere in their mail-address), so maybe this adds at least some additional protection:

	// Prevent form submission if one of the banned words is found in the submitted E-mail-address

	$badWords = array ( "poker", "p0ker", "acroduke" );   // <--- add more "forbidden" words here

	foreach ($badWords as $value) {
		if ( stristr($email, $value) ) {
			header("HTTP/1.0 403 Forbidden");
			die("Forbidden - You are not authorized to view this page");
		}
	}

To add it to the script of Louis I'd suggest to put it right above:

	// Made it past spammer test, free up some memory

To add it "stand-alone" search the file /components/com_contact/contact.php for the line

$prefix = sprintf( _ENQUIRY_TEXT, $mosConfig_live_site );

and put it right above that line.

This filter is case-insensitive and will find ANY occurrence of the forbidden words. E.g. "lame@somePoKeRspam" would be found.

Hope this helps.

Nic

deejayh
Joomla! Apprentice
Posts: 35
Joined: Mon Sep 19, 2005 9:06 pm

Re: Form Security - Sql injection & Spam Bots

Post by deejayh » Fri Dec 02, 2005 2:31 pm

Hi Nic & WebImagery,

I have put your (very welcomed) scripts into contact.php - But when I go to the contact page - it says "You are not authorized to view this resource. " Even when I am logged in??

Any help please! :)
Thanks

Here's the code together:
contact.php code ..............

function sendmail( $con_id, $option ) {
global $database, $Itemid;
global $mosConfig_sitename, $mosConfig_live_site, $mosConfig_mailfrom, $mosConfig_fromname;

// ADDED DECEMBER 2005 - To STOP SPAM
// First, make sure the form was posted from a browser.
// For basic web-forms, we don't care about anything
// other than requests from a browser: 
if(!isset($_SERVER['HTTP_USER_AGENT'])){
  header("HTTP/1.0 403 Forbidden");
  die("Forbidden - You are not authorized to view this page");
  exit;
}

// Make sure the form was indeed POST'ed:
//  (requires your html form to use: action="post")
if($_SERVER['REQUEST_METHOD'] != "POST"){
  header("HTTP/1.0 403 Forbidden");
  die("Forbidden - You are not authorized to view this page");
  exit; 
}

// Attempt to defend against header injections:
$badStrings = array("Content-Type:",
                    "MIME-Version:",
                    "Content-Transfer-Encoding:",
                    "bcc:",
                    "cc:");

// Loop through each POST'ed value and test if it contains
// one of the $badStrings:
foreach($_POST as $k => $v){
  foreach($badStrings as $v2){
      if(stristr($v, $v2) !== false){
          header("HTTP/1.0 403 Forbidden");
          die("Forbidden - You are not authorized to view this page");
      }
  }
}

// Prevent form submission if one of the banned words is found in the submitted E-mail-address

$badWords = array ( "poker", "p0ker", "acroduke" );  // <--- add more "forbidden" words here

foreach ($badWords as $value) {
if ( stristr($email, $value) ) {
header("HTTP/1.0 403 Forbidden");
die("Forbidden - You are not authorized to view this page");
}
}

// Made it past spammer test, free up some memory
// and continue rest of script: 
unset($k, $v, $v2, $badStrings);
// **** FINISH of ANTI SPAM CODE ******

Contact.php continues ........

deejayh
Joomla! Apprentice
Posts: 35
Joined: Mon Sep 19, 2005 9:06 pm

Re: Form Security - Sql injection & Spam Bots

Post by deejayh » Fri Dec 02, 2005 2:34 pm

Update.

I have taken Nic's code out:

// Prevent form submission if one of the banned words is found in the submitted E-mail-address

$badWords = array ( "poker", "p0ker", "acroduke" );  // <--- add more "forbidden" words here

foreach ($badWords as $value) {
if ( stristr($email, $value) ) {
header("HTTP/1.0 403 Forbidden");
die("Forbidden - You are not authorized to view this page");
}
}

But still cannot get the form - "You are not authorized to view this resource. "

deejayh
Joomla! Apprentice
Posts: 35
Joined: Mon Sep 19, 2005 9:06 pm

Re: Form Security - Sql injection & Spam Bots

Post by deejayh » Fri Dec 02, 2005 2:35 pm

deejayh wrote: Update.

I have taken Nic's code out:

// Prevent form submission if one of the banned words is found in the submitted E-mail-address

$badWords = array ( "poker", "p0ker", "acroduke" );   // <--- add more "forbidden" words here

foreach ($badWords as $value) {
if ( stristr($email, $value) ) {
header("HTTP/1.0 403 Forbidden");
die("Forbidden - You are not authorized to view this page");
}
}

But still cannot get the form - "You are not authorized to view this resource. "

So it must be the original code from WebImagery!!

Nic
Joomla! Guru
Posts: 618
Joined: Fri Aug 19, 2005 3:36 pm

Re: Form Security - Sql injection & Spam Bots

Post by Nic » Fri Dec 02, 2005 2:37 pm

To find the bug do the following:

You see all those "die("Forbidden - You are not authorized to view this page");" messages? Put a number in front of them like

die("1 Forbidden - You are not authorized to view this page");
die("2 Forbidden - You are not authorized to view this page");
die("3 Forbidden - You are not authorized to view this page");
etc.

That way you will see exactly what condition is the problem...

deejayh
Joomla! Apprentice
Posts: 35
Joined: Mon Sep 19, 2005 9:06 pm

Re: Form Security - Sql injection & Spam Bots

Post by deejayh » Fri Dec 02, 2005 4:34 pm

hi Nic,

Still comes up with "You are not authorized to view this resource. "
As the contact.php phrases all say "Forbidden - You are not authorized to view this page" it must come from somewhere else?
Dave

Nic
Joomla! Guru
Posts: 618
Joined: Fri Aug 19, 2005 3:36 pm

Re: Form Security - Sql injection & Spam Bots

Post by Nic » Fri Dec 02, 2005 5:58 pm

deejayh wrote: hi Nic,

Still comes up with "You are not authorized to view this resource. "
As the contact.php phrases all say "Forbidden - You are not authorized to view this page" it must come from somewhere else?
Dave

Try the following: remove all alterations and revert back to the original file. See if it works. If it does, try to insert the code I posted. If it still works, try inserting the checks of Louis one by one until it stops working.

Nic

deejayh
Joomla! Apprentice
Posts: 35
Joined: Mon Sep 19, 2005 9:06 pm

Re: Form Security - Sql injection & Spam Bots

Post by deejayh » Fri Dec 02, 2005 6:02 pm

Ok I will try that Nic.
Thanks,

Be back shortly!

Dave

deejayh
Joomla! Apprentice
Posts: 35
Joined: Mon Sep 19, 2005 9:06 pm

Re: Form Security - Sql injection & Spam Bots

Post by deejayh » Fri Dec 02, 2005 6:17 pm

Well I don't really know what happened! But - I used original contact.php and it still would not work! :-\

So I went into admin - component - contact and as I had the main contact Not Published (took off previously because of spam), I published again - Worked. ftp new modded contact.php - Worked! :)

So I shall see if it works, I will let you all know.

Thanks again,

Dave

deejayh
Joomla! Apprentice
Posts: 35
Joined: Mon Sep 19, 2005 9:06 pm

Re: Form Security - Sql injection & Spam Bots

Post by deejayh » Fri Dec 02, 2005 6:23 pm

Nic I sent an email to my self with Poker in a few places.

Still went through and thanked me for the email.

I received it in my mail!! :o
Any thoughts please,
Regards,
Dave

From: pokerman
Date: 12/02/05 18:19:43
To: [email protected]
Subject: comments: poker

 
This is an enquiry e-mail via http://www.site.com from:
pokerman

poker

Nic
Joomla! Guru
Posts: 618
Joined: Fri Aug 19, 2005 3:36 pm

Re: Form Security - Sql injection & Spam Bots

Post by Nic » Fri Dec 02, 2005 6:44 pm

deejayh wrote: Nic I sent an email to my self with Poker in a few places.

Still went through and thanked me for the email.

I received it in my mail!! :o
Any thoughts please,
Regards,
Dave
From: pokerman
Date: 12/02/05 18:19:43
To: [email protected]
Subject: comments: poker

 
This is an enquiry e-mail via http://www.site.com from:
pokerman

poker

My script only checks the EMAIL field. It does not test any of the other fields (would not be a problem though if you want that).

As I posted above, it needs to be AFTER the " $email = mosGetParam( $_POST, 'email', '' );" line. Therefore make sure it is BELOW this portion of function sendmail:

	$default 	= $mosConfig_sitename.' '. _ENQUIRY;
	$email 		= mosGetParam( $_POST, 'email', '' );
	$text 		= mosGetParam( $_POST, 'text', '' );
	$name 		= mosGetParam( $_POST, 'name', '' );
	$subject 	= mosGetParam( $_POST, 'subject', $default );
	$email_copy = mosGetParam( $_POST, 'email_copy', 0 );

I tested it like this and it works just fine:

function sendmail( $con_id, $option ) {
	global $database, $Itemid;
	global $mosConfig_sitename, $mosConfig_live_site, $mosConfig_mailfrom, $mosConfig_fromname;

	$query = "SELECT *"
	. "\n FROM #__contact_details"
	. "\n WHERE id = $con_id"
	;
	$database->setQuery( $query );
	$contact 	= $database->loadObjectList();

	$default 	= $mosConfig_sitename.' '. _ENQUIRY;
	$email 		= mosGetParam( $_POST, 'email', '' );
	$text 		= mosGetParam( $_POST, 'text', '' );
	$name 		= mosGetParam( $_POST, 'name', '' );
	$subject 	= mosGetParam( $_POST, 'subject', $default );
	$email_copy = mosGetParam( $_POST, 'email_copy', 0 );

	if ( !$email || !$text || ( is_email( $email )==false ) ) {
		mosErrorAlert( _CONTACT_FORM_NC );
	}

	// Prevent form submission if one of the banned words is found in the submitted E-mail-address

	$badWords = array ( "poker", "p0ker", "acroduke" );   // <--- add more "forbidden" words here

	foreach ($badWords as $value) {
		if ( stristr($email, $value) ) {
			header("HTTP/1.0 403 Forbidden");
			die("Forbidden - You are not authorized to view this page");
		}
	}
...

Nic

deejayh
Joomla! Apprentice
Posts: 35
Joined: Mon Sep 19, 2005 9:06 pm

Re: Form Security - Sql injection & Spam Bots

Post by deejayh » Sat Dec 03, 2005 7:29 pm

Hi Nic,

Did your update to the contact.php. Many thanks.
When you try to enter poker it accepts and goes to a blank page, where it says:

Contact
   
Site .co. com   (3)

Please make a selection to contact us:

1) Webmaster of Site

2) Reporting "Bounced Mails" from "Wanted Names" system

3) Contacting Sales

Thank you.

[ Back ]
Forbidden - You are not authorized to view this page

As you can see I have 3 contacts.
The address of the page comes up as:
http://www.site....com/component/option,com_contact/Itemid,103/

It does seem to work, as I have received no email - but I would like to actually have it say "Sorry you are not allowed to use those words" or something to that effect - inside my site template!
If I go to http://www.site....com/component/option,com_contact/Itemid,103/ the page comes up within my template lovely!!
Hopefully I have explained it correctly. :)

Thanks a lot,
Dave

mbrando
Joomla! Explorer
Posts: 363
Joined: Fri Dec 02, 2005 1:32 pm

Re: Form Security - Sql injection & Spam Bots

Post by mbrando » Wed Dec 07, 2005 5:35 pm

Hi,

Joomla Ver. 1.03

If you are all still having trouble you can try this code:

//START modified by [email protected] 12/07/2005
// email injection clean up.

$bad = array(";",",","\n","\r","\0");
$good = "?";
$email = str_replace($bad,$good,$email);
$subject = str_replace($bad,$good,$subject);
$email_copy = str_replace($bad,$good,$email_copy);

//END modified by [email protected] 12/07/2005

Add to components/com_contact/contact.php after line 349 and before this code:

if ( !$email || !$text || ( is_email( $email )==false ) ) {

It will strip out the delimiters for more than one email address.

Also add this code:

//START modified by [email protected] 12/07/2005
// email injection clean up.

$bad = array(";",",","\n","\r","\0");
$good = "?";
$email           = str_replace($bad,$good,$email);
$yourname        = str_replace($bad,$good,$yourname);
$youremail       = str_replace($bad,$good,$youremail);
$subject_default = str_replace($bad,$good,$subject_default);
$subject         = str_replace($bad,$good,$subject);

//END modified by [email protected] 12/07/2005

to components/com_content/content.php after line 1552 and before this code:

if ($uid < 1 || !$email || !$youremail || ( is_email( $email ) == false ) || (is_email( $youremail ) == false)) {

This fixes the email page link to a friend code.

Now this only addresses one connection with many addresses like this: ad, ad, ad, ad, ad, either via a script or manual copy paste. It does not address a scripted attack with one email per connection. Any idea how to deal with that?

Mike
JIKOmetrix - Reliable web hosting
 http://www.jikometrix.net

britannia
Joomla! Apprentice
Posts: 9
Joined: Tue Oct 04, 2005 9:02 am

Re: Form Security - Sql injection & Spam Bots

Post by britannia » Thu Dec 08, 2005 11:32 am

Well guys, I must say that the amount of spam has been cut down drastically now! I get worried that the contact form is not working - it is! :)

I have not seen any attempts at any sql injection either :)

There are one or two problems to iron out.

With the previous postings of code I am sure we can tie up a working code for everyone to use.

Maybe someone from the dev team can look at this and integrate into joomla.

I am still having problems with when someone enters a "banned" word, which sends them to a blank page - though I have not tried mbrando's fix as yet. Regarding this, it would be nice to have an option in the backend to add various "banned" words - sure it could be done!! ;)

Regards,
Dave

vanwel
Joomla! Apprentice
Posts: 7
Joined: Wed Nov 30, 2005 12:53 pm

Re: Form Security - Sql injection & Spam Bots

Post by vanwel » Thu Dec 08, 2005 11:35 am

I implemented the two suggestions into Hot Property and my spam is also gone.

Good job!

cmyksteve
Joomla! Intern
Posts: 53
Joined: Sat Aug 20, 2005 5:20 am
Location: Ohio

Re: Form Security - Sql injection & Spam Bots

Post by cmyksteve » Thu Dec 08, 2005 1:48 pm

vanwel wrote: I implemented the two suggestions into Hot Property and my spam is also gone.

Good job!

vanwel -

That's good to hear. Please share this with dknight.
Steve

KenCa
Joomla! Apprentice
Posts: 28
Joined: Mon Oct 10, 2005 5:27 pm

Re: Form Security - Sql injection & Spam Bots

Post by KenCa » Thu Dec 08, 2005 6:53 pm

I am using 1.0.4 and the line numbers are a bit different.

In contact.php, it is after line 357.

In content.php, it is after line 1589.

1.0.4 Content.php also includes the following check:

$validate = mosGetParam( $_POST, mosHash( 'validate' ), 0 );
if (!$validate) {
// probably a spoofing attack
echo _NOT_AUTH;
return;
}
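
As an added example, not Joomla's code, the idea behind the "validate" field check KenCa quotes, written out in plain PHP; the session array is passed in so the functions run outside a web request, and all function names are assumed:

```php
<?php
// Added example, not Joomla's code: the idea behind the 1.0.4 "validate" field
// check quoted above, written with plain PHP. Session storage is passed in as
// an array so the functions run outside a web request; names are assumed.

// Creates, once per session, the secret both the field name and value derive from.
function formToken(array &$session)
{
    if (empty($session['contact_token'])) {
        $session['contact_token'] = bin2hex(random_bytes(16));
    }
    return $session['contact_token'];
}

// The hidden field's name is derived from the session secret, so a script that
// replays a fixed set of public field names (name, email, text, ...) without
// first loading the form in the same session does not even know what to send.
function formTokenFieldName(array &$session)
{
    return hash('sha256', 'validate:' . formToken($session));
}

// HTML to drop into the contact form next to the visible fields.
function formTokenField(array &$session)
{
    return '<input type="hidden" name="' . formTokenFieldName($session)
         . '" value="' . formToken($session) . '" />';
}

// Replacement for the "if (!$validate)" test: true only when this POST carries
// the field and value that belong to this session.
function checkFormToken(array $session, array $post)
{
    if (empty($session['contact_token'])) {
        return false;                 // the form was never rendered in this session
    }
    $name = hash('sha256', 'validate:' . $session['contact_token']);
    if (!isset($post[$name]) || !is_string($post[$name])) {
        return false;
    }
    return hash_equals($session['contact_token'], $post[$name]);
}

// Constructed walk-through. First request: the form is rendered for a session.
$session = array();
$hiddenField = formTokenField($session);
// Second request: the browser submits the form it was given.
$browserPost = array(
    'name'  => 'Jane Doe',
    'email' => 'jane@example.com',
    'text'  => 'Hello',
    formTokenFieldName($session) => $session['contact_token'],
);
// A script posting only the public field names, never having loaded the form.
$scriptedPost = array('name' => 'x', 'email' => 'x@example.net', 'text' => 'x');

var_dump(checkFormToken($session, $browserPost));
var_dump(checkFormToken($session, $scriptedPost));
var_dump(checkFormToken(array(), $browserPost));
```

checkFormToken() returns true only for $browserPost; the scripted post and the post checked against an empty session are both rejected. hash_equals() needs PHP 5.6 and random_bytes() PHP 7.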

mbrando
Joomla! Explorer
Posts: 363
Joined: Fri Dec 02, 2005 1:32 pm

Re: Form Security - Sql injection & Spam Bots

Post by mbrando » Thu Dec 08, 2005 7:34 pm

Hi,

Sorry, I should have posted I'm using 1.03

Mike

absalom
Joomla! Ace
Posts: 1199
Joined: Thu Aug 18, 2005 12:37 am
Location: Melbourne, Australia

Re: Form Security - Sql injection & Spam Bots

Post by absalom » Sun Dec 11, 2005 10:21 pm

I've implemented both Nic and Mike's (mbrando) solutions and confirmed they work in 1.0.4.

They also seem to be backward compatible all the way to 4.5 1.0.9 8)
Design with integrity : Web accessible solutions
http://www.absalom.biz
http://twitter.com/absalomedia

jeffro77
Joomla! Apprentice
Posts: 5
Joined: Mon Jan 09, 2006 6:42 pm

Re: Form Security - Sql injection & Spam Bots

Post by jeffro77 » Mon Jan 09, 2006 7:00 pm

In the admin I switched off the option to send a copy of the email hoping that would help.
Where in the admin panel is this toggle?

Nic
Joomla! Guru
Posts: 618
Joined: Fri Aug 19, 2005 3:36 pm

Re: Form Security - Sql injection & Spam Bots

Post by Nic » Mon Jan 09, 2006 7:08 pm

jeffro77 wrote:
In the admin I switched off the option to send a copy of the email hoping that would help.
Where in the admin panel is this toggle?
Go to admin backend > Components > Contacts > Manage Contacts. There click on the contact you want to edit and in the "Parameters" tab you'll find a "Email Copy" option.

Hope this helps.

Nic

