Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
VinDSL
Life Cycles Becoming CPU Cycles


Joined: Jul 11, 2004
Posts: 614
Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com

PostPosted: Mon Dec 19, 2005 7:51 am Reply with quote

I've been playing around with the PHP-Nuke Feedback and Recommend Us modules for the last couple of weeks. LoL! Yeah, I know -- real exciting stuff... Dance-Stick

The reason I got involved with this is because of a recent rash of pesky PHP mailheader injections in all sorts of web apps. Basically, spammers are using the mail forms on various web site programs to send out spam, e.g. sending out their spam using your mail forms.

I haven't really heard of this happening on PHP-Nuke sites, but you can't be too careful, you know? Why risk the chance of having your web host suspend your account for spamming, et cetra?

The Feedback module wasn't too bad to work with. I added a subject field, while I was at it -- which always bugged me (that is, the lack thereof). The Recommend Us module was total garbage! I ended gutting it and using the modified Feedback module as a template.

If you want to take 'em for a spin...

Feedback: Only registered users can see links on this board! Get registered or login!

Recommend Us: Only registered users can see links on this board! Get registered or login!

The email addies are now validated for compliance with RFC2822 guidelines, checked for 'bad input', such as 'Content-Type:', 'bcc:','to:','cc:', html tags, yada, yada, yada...

Anybody interested in this sort of stuff? If so, I'll work up a distro. I haven't tried them with anything other than 6.5, but they should be a drop-in for most versions...

_________________
.:: "The further in you go, the bigger it gets!" ::.
.:: Only registered users can see links on this board! Get registered or login! | Only registered users can see links on this board! Get registered or login! ::. 
View user's profile Send private message Visit poster's website ICQ Number
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9449
Location: Arizona

PostPosted: Mon Dec 19, 2005 8:21 am Reply with quote

VinDSL, security is ALWAYS a good thing. I'd be interested. I wonder if Raven would be interested in swapping out the core nuke modules with these in his RavenNuke76?

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17077

PostPosted: Mon Dec 19, 2005 9:45 am Reply with quote

Vin, I would be VERY interested in including these in my RavenNuke76. Let me know your thoughts on that and when I can have them Wink
 
View user's profile Send private message
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6792
Location: Ha Noi, Viet Nam

PostPosted: Mon Dec 19, 2005 10:01 am Reply with quote

Both those area's have always been something of a concern for me so, anything that can increase security in those area's is definitely a good thing.
 
View user's profile Send private message Send e-mail
montego
PostPosted: Mon Dec 19, 2005 10:51 am Reply with quote

Guardian2003 wrote:
Both those area's have always been something of a concern for me so, anything that can increase security in those area's is definitely a good thing.


Yeah, I get from time-to-time on one of my domains a spam feedback and I keep tracking down the IP addresses and blocking them. Haven't seen one in awhile so maybe I finally "caught" the bugger... Smile
 
VinDSL
PostPosted: Mon Dec 19, 2005 9:35 pm Reply with quote

Cool!

I'm too tired to work up a distro tonight. I've been up for 29 hours, as we 'speak', but I ZIPed the index files and put them in my FTP area. Take a look, and see what you think. I patched the email validator, when I got home from work, so it's catching more addies than it was earlier today... Wink

(update below)


Last edited by VinDSL on Tue Dec 20, 2005 8:26 pm; edited 1 time in total 
Raven
PostPosted: Mon Dec 19, 2005 11:37 pm Reply with quote

Got them. Are they ready for prime time?
 
technocrat
Life Cycles Becoming CPU Cycles


Joined: Jul 07, 2005
Posts: 511

PostPosted: Tue Dec 20, 2005 12:40 pm Reply with quote

We were going to add the gfx code to them in Evo to help stem that. Might want to ponder that.

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! / Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message
VinDSL
PostPosted: Tue Dec 20, 2005 1:41 pm Reply with quote

Raven wrote:
Got them. Are they ready for prime time?

Well... I've been playing around with them for a couple of weeks. I've done a lot of (casual) research on email injections, trying to figure out how spammers are 'bouncing' mails off PHP mail forms and studying the countermeasures that ppl are employing. There is a LOT of information about email injections on the web because everyone is basically using the same code -- regardless of the app. I finally got these modules to the point where I'm happy enough with the results to offer them up for public prevue.

You were asking, in another thread, what ppl would like to see in future releases of RavenNuke76. My suggestion was adding security measures to the Feedback & Recommend Us forms.

LoL! Then I started thinking... I'm still running PHP-Nuke 6.5 Final... So, I decided to 'roll my own', so to speak.

Personally, I'm confident enough to run them as-is on my production site. So, yes, I would say they're ready for prime time. However, I'm sure that I will add more to them, such as the 'gfx code' technocrat mentioned above. I think that's an excellent idea!!! And, that's exactly the kind of comment[s] I was soliciting!

Put another way, I would say they're ready for prime time, but not a finished product, as with all things Nuke... Smile
 
VinDSL
PostPosted: Tue Dec 20, 2005 1:41 pm Reply with quote

technocrat wrote:
We were going to add the gfx code to them in Evo to help stem that. Might want to ponder that.

Yes! Excellent idea! Thanks! Wink
 
technocrat
PostPosted: Tue Dec 20, 2005 1:49 pm Reply with quote

NP, that's why I am here Smile
 
VinDSL
PostPosted: Tue Dec 20, 2005 10:34 pm Reply with quote

Here's a 'nightly' for you, if you will... Wink
Only registered users can see links on this board! Get registered or login!

I cleaned up the code, turned the forms into a function, '\n' & \r' are now detected with magic quotes enabled, and made it so bad input is wiped from the field[s] on refresh, et cetera...

Edit: I've spent an hour throwing everything I could think of at these modules, Raven, and they just flat work. With the exception of doing a graphic check in the future, I think it's a wrap.

The only thing I'm worried about, doing the gfx_check thing, is creating some sort of incompatibility between different versions of Nuke. Maybe the best way would be to do a proprietary check, like a subset of Fetch, or whatever. Hrm... gonna have to think about that for a while!

Anyway, I think the holes are plugged in Feedback & Recommend Us. Heh! A (non-Nuker) buddy of mine has been trying to bust them all day, and he's a pretty smart, albeit devious, cookie!
 
technocrat
PostPosted: Wed Dec 21, 2005 9:10 am Reply with quote

You could check for the functions, if not there do it yourself. Even a simple random alphanumeric string with no gfx should slow them down some.

Here is final sinpet of the email validation regex you might find useful
Code:
    define('REGEXP_EMAIL_QTEXT', '[^\\x0d\\x22\\x5c\\x80-\\xff]');

    define('REGEXP_EMAIL_DTEXT', '[^\\x0d\\x5b-\\x5d\\x80-\\xff]');
    define('REGEXP_EMAIL_ATOM', '[^\\x00-\\x20\\x22\\x28\\x29\\x2c\\x2e\\x3a-\\x3c'.'\\x3e\\x40\\x5b-\\x5d\\x7f-\\xff]+');
    define('REGEXP_EMAIL_QUOTED_PAIR', '\\x5c[\\x00-\\x7f]');
    define('REGEXP_EMAIL_DOMAIN_LITERAL', "\\x5b(".REGEXP_EMAIL_DTEXT."|".REGEXP_EMAIL_QUOTED_PAIR.")*\\x5d");
    define('REGEXP_EMAIL_QUOTED_STRING',  "\\x22(".REGEXP_EMAIL_QTEXT."|".REGEXP_EMAIL_QUOTED_PAIR.")*\\x22");
    define('REGEXP_EMAIL_SUBDOMAIN', "(".REGEXP_EMAIL_ATOM."|".REGEXP_EMAIL_DOMAIN_LITERAL.")");
    define('REGEXP_EMAIL_WORD', "(".REGEXP_EMAIL_ATOM."|".REGEXP_EMAIL_QUOTED_STRING.")");
    define('REGEXP_EMAIL_DOMAIN', REGEXP_EMAIL_SUBDOMAIN."(\\x2e".REGEXP_EMAIL_SUBDOMAIN.")*");
    define('REGEXP_EMAIL_LOCAL_PART', REGEXP_EMAIL_WORD."(\\x2e".REGEXP_EMAIL_WORD.")*");
    define('REGEXP_EMAIL', "!^".REGEXP_EMAIL_LOCAL_PART."\\x40".REGEXP_EMAIL_DOMAIN."$!");

if(!preg_match(REGEXP_EMAIL,$email)) {
  die();
}


It will validate all email addresses against RFC822 standards
 
Raven
PostPosted: Wed Dec 21, 2005 9:39 am Reply with quote

Can we get this resolved quickly guys? I really want to include this stuff in v2.0.0 of RavenNuke76. Thanks!
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©