0

I am having trouble with two forms on a website. The pages hosting the forms have been taken down several times by my host due to 'phishing attacks'.

The forms on the pages where constructed using 'PHPFormGenerator' which is software provided by the hosting company (iPage).

I have made sure I am usign the latest version of 'PHPFormGenerator' as recomended, but again the pages where taken down. I installed a 'Captcha' on the forms but again the pages have been taken down.

I have currently removed the forms from the pages and replaced them with email links.

Code on Booking form page:

   <div class="formRow">
      <div class="formLeft">Name<span class="red">*</span></div>
      <div class="formRight">
        <input type=text name='Name' size=40>
      </div>
    </div>
    <div class="formRow">
      <div class="formLeft">Telephone<span class="red">*</span></div>
      <div class="formRight">
        <input type=text name='Telephone' size=40>
      </div>
    </div>
    <div class="formRow">
      <div class="formLeft">Email<span class="red">*</span></div>
      <div class="formRight">
        <input type=text name='Email' size=40>
      </div>
    </div>
    <div class="formRow">
      <div class="formLeft">Address1<span class="red">*</span></div>
      <div class="formRight">
        <input type=text name='Address1' size=40>
      </div>
    </div>
    <div class="formRow">
      <div class="formLeft">Address2<span class="red">*</span></div>
      <div class="formRight">
        <input type=text name='Address2' size=40>
      </div>
    </div>
    <div class="formRow">
      <div class="formLeft">Address3</div>
      <div class="formRight">
        <input type=text name='Address3' size=40>
      </div>
    </div>
    <div class="formRow">
      <div class="formLeft">Address4</div>
      <div class="formRight">
        <input type=text name='Address4' size=40>
      </div>
    </div>
    <div class="formRow">
      <div class="formLeft">Zip / Post code<span class="red">*</span></div>
      <div class="formRight">
        <input type=text name='PostCode' size=40>
      </div>
    </div>
    <div class="formRow">
      <div class="formLeft">Arrival<span class="red">*</span></div>
      <div class="formRight">
        <input type=text name='Arrival' size=15 id="datepicker">
      </div>
    </div>
    <div class="formRow">
      <div class="formLeft">Departure<span class="red">*</span></div>
      <div class="formRight">
        <input type=text name='Departure' size=15 id="datepicker2">
      </div>
    </div>
    <div class="formRow">
      <div class="formLeft">GroupNumber<span class="red">*</span></div>
      <div class="formRight">
        <select name='GroupNumber'>
          <option value='01'>01</option>
          <option value='02'>02</option>
          <option value='03'>03</option>
          <option value='04'>04</option>
          <option value='05'>05</option>
          <option value='06'>06</option>
        </select>
      </div>
    </div>
    <div class="formRow">
      <div class="formLeft">Reason</div>
      <div class="formRight">
        <select name='Reason'>
          <option value='Vacation'>Vacation</option>
          <option value='Business'>Business</option>
          <option value='Education'>Education</option>
          <option value='Other'>Other</option>
        </select>
      </div>
    </div>
    <div class="formRow">
      <div class="formLeft">Transfer</div>
      <div class="formRight">
        <input type=checkbox name='Transfer'>
      </div>
    </div>
    <div class="formRow">
      <div class="formLeft">CarRental</div>
      <div class="formRight">
        <input type=checkbox name='CarRental'>
      </div>
    </div>
    <div class="formRow">
      <div class="formLeft">Taxi</div>
      <div class="formRight">
        <input type=checkbox name='Taxi'>
      </div>
    </div>
    <div class="formRow">
      <div class="formLeft">Additional</div>
      <div class="formRightBox">
        <textarea name='Additional' rows=7 cols=31></textarea>
      </div>
    </div>
    <div class="formRow">
                 <div class="formLeft"> </div>
                    <div class="formRightCaptcha">
                         <?php
                              require_once('recaptchalib.php');
                              $publickey = "6LfgGOASAAAAAOQ-oVZNlo8HmxR4GadyY4h5c0hY"; // you got this from the signup page
                              echo recaptcha_get_html($publickey);
                            ?>
                    </div>
    </div>
    <div class="formRow">
      <div class="formLeft"> </div>
      <div class="formRight">
        <input type=submit value='Submit Form'>
        &nbsp;
        <input type=reset value='Reset Form'>
      </div>
    </div>
  </div>

Verify.php

    <?php
  require_once('recaptchalib.php');
  $privatekey = "***PRIVATEKEYREMOVED***";
  $resp = recaptcha_check_answer ($privatekey,
                                $_SERVER["REMOTE_ADDR"],
                                $_POST["recaptcha_challenge_field"],
                                $_POST["recaptcha_response_field"]);

  if (!$resp->is_valid) {
    // What happens when the CAPTCHA was entered incorrectly
    die ("The reCAPTCHA wasn't entered correctly. Go back and try it again." .
         "(reCAPTCHA said: " . $resp->error . ")");
  } else {
    // Your code here to handle a successful verification
    include("global.inc.php");
$errors=0;
$error="The following errors occured while processing your form input.<ul>";
pt_register('POST','Name');
pt_register('POST','Telephone');
pt_register('POST','Email');
pt_register('POST','Address1');
pt_register('POST','Address2');
pt_register('POST','Address3');
pt_register('POST','Address4');
pt_register('POST','PostCode');
pt_register('POST','Arrival');
pt_register('POST','Departure');
pt_register('POST','GroupNumber');
pt_register('POST','Reason');
pt_register('POST','Transfer');
pt_register('POST','CarRental');
pt_register('POST','Taxi');
pt_register('POST','Additional');
$Additional=preg_replace("/(\015\012)|(\015)|(\012)/","&nbsp;<br />", $Additional);if($Name=="" || $Telephone=="" || $Email=="" || $Address1=="" || $Address2=="" || $PostCode=="" || $Arrival=="" || $Departure=="" || $GroupNumber=="" ){
$errors=1;
$error.="<li>You did not enter one or more of the required fields. Please go back and try again.";
}
if(!eregi("^[a-z0-9]+([_\\.-][a-z0-9]+)*" ."@"."([a-z0-9]+([\.-][a-z0-9]+)*)+"."\\.[a-z]{2,}"."$",$Email)){
$error.="<li>Invalid email address entered";
$errors=1;
}
if($errors==1) echo $error;
else{
$where_form_is="http".($HTTP_SERVER_VARS["HTTPS"]=="on"?"s":"")."://".$SERVER_NAME.strrev(strstr(strrev($PHP_SELF),"/"));
$message="A booking enquiry has been made by ".$Name."

Telephone: ".$Telephone."

Email: ".$Email."

Address1: ".$Address1."

Address2: ".$Address2."

Address3: ".$Address3."

Address4: ".$Address4."

PostCode: ".$PostCode."

Arrival: ".$Arrival."

Departure: ".$Departure."

GroupNumber: ".$GroupNumber."

Reason: ".$Reason."

Transfer: ".$Transfer."

CarRental: ".$CarRental."

Taxi: ".$Taxi."

Additional: ".$Additional."
";
$message = stripslashes($message);

$subject = 'Louis Villa booking enquiry';
$headers = 'From:' .$Name. ' made a booking enquiry' . "\r\n" . // <- change your email here
        'Reply-To:' . $Email . "\r\n";

mail("info@louisvilla.com",$subject,$message,$headers);

header("Location:http://louisvilla.com/thankyou.html");
exit();
}
  }
?>

Global.inc.php

<?php

function pt_register()
{
  $num_args = func_num_args();
   $vars = array();

   if ($num_args >= 2) {
       $method = strtoupper(func_get_arg(0));

       if (($method != 'SESSION') && ($method != 'GET') && ($method != 'POST') && ($method != 'SERVER') && ($method != 'COOKIE') && ($method != 'ENV')) {
           die('The first argument of pt_register must be one of the following: GET, POST, SESSION, SERVER, COOKIE, or ENV');
     }

       $varname = "HTTP_{$method}_VARS";
      global ${$varname};

       for ($i = 1; $i < $num_args; $i++) {
           $parameter = func_get_arg($i);

           if (isset(${$varname}[$parameter])) {
               global $$parameter;
               $$parameter = ${$varname}[$parameter];
          }

       }

   } else {
       die('You must specify at least two arguments');
   }

}

?>

recaptchalib.php

<?php

define("RECAPTCHA_API_SERVER", "http://www.google.com/recaptcha/api");
define("RECAPTCHA_API_SECURE_SERVER", "https://www.google.com/recaptcha/api");
define("RECAPTCHA_VERIFY_SERVER", "www.google.com");

/**
 * Encodes the given data into a query string format
 * @param $data - array of string elements to be encoded
 * @return string - encoded request
 */
function _recaptcha_qsencode ($data) {
        $req = "";
        foreach ( $data as $key => $value )
                $req .= $key . '=' . urlencode( stripslashes($value) ) . '&';

        // Cut the last '&'
        $req=substr($req,0,strlen($req)-1);
        return $req;
}



/**
 * Submits an HTTP POST to a reCAPTCHA server
 * @param string $host
 * @param string $path
 * @param array $data
 * @param int port
 * @return array response
 */
function _recaptcha_http_post($host, $path, $data, $port = 80) {

        $req = _recaptcha_qsencode ($data);

        $http_request  = "POST $path HTTP/1.0\r\n";
        $http_request .= "Host: $host\r\n";
        $http_request .= "Content-Type: application/x-www-form-urlencoded;\r\n";
        $http_request .= "Content-Length: " . strlen($req) . "\r\n";
        $http_request .= "User-Agent: reCAPTCHA/PHP\r\n";
        $http_request .= "\r\n";
        $http_request .= $req;

        $response = '';
        if( false == ( $fs = @fsockopen($host, $port, $errno, $errstr, 10) ) ) {
                die ('Could not open socket');
        }

        fwrite($fs, $http_request);

        while ( !feof($fs) )
                $response .= fgets($fs, 1160); // One TCP-IP packet
        fclose($fs);
        $response = explode("\r\n\r\n", $response, 2);

        return $response;
}



/**
 * Gets the challenge HTML (javascript and non-javascript version).
 * This is called from the browser, and the resulting reCAPTCHA HTML widget
 * is embedded within the HTML form it was called from.
 * @param string $pubkey A public key for reCAPTCHA
 * @param string $error The error given by reCAPTCHA (optional, default is null)
 * @param boolean $use_ssl Should the request be made over ssl? (optional, default is false)

 * @return string - The HTML to be embedded in the user's form.
 */
function recaptcha_get_html ($pubkey, $error = null, $use_ssl = false)
{
    if ($pubkey == null || $pubkey == '') {
        die ("To use reCAPTCHA you must get an API key from <a href='https://www.google.com/recaptcha/admin/create'>https://www.google.com/recaptcha/admin/create</a>");
    }

    if ($use_ssl) {
                $server = RECAPTCHA_API_SECURE_SERVER;
        } else {
                $server = RECAPTCHA_API_SERVER;
        }

        $errorpart = "";
        if ($error) {
           $errorpart = "&amp;error=" . $error;
        }
        return '<script type="text/javascript" src="'. $server . '/challenge?k=' . $pubkey . $errorpart . '"></script>

    <noscript>
        <iframe src="'. $server . '/noscript?k=' . $pubkey . $errorpart . '" height="300" width="500" frameborder="0"></iframe><br/>
        <textarea name="recaptcha_challenge_field" rows="3" cols="40"></textarea>
        <input type="hidden" name="recaptcha_response_field" value="manual_challenge"/>
    </noscript>';
}




/**
 * A ReCaptchaResponse is returned from recaptcha_check_answer()
 */
class ReCaptchaResponse {
        var $is_valid;
        var $error;
}


/**
  * Calls an HTTP POST function to verify if the user's guess was correct
  * @param string $privkey
  * @param string $remoteip
  * @param string $challenge
  * @param string $response
  * @param array $extra_params an array of extra variables to post to the server
  * @return ReCaptchaResponse
  */
function recaptcha_check_answer ($privkey, $remoteip, $challenge, $response, $extra_params = array())
{
    if ($privkey == null || $privkey == '') {
        die ("To use reCAPTCHA you must get an API key from <a href='https://www.google.com/recaptcha/admin/create'>https://www.google.com/recaptcha/admin/create</a>");
    }

    if ($remoteip == null || $remoteip == '') {
        die ("For security reasons, you must pass the remote ip to reCAPTCHA");
    }



        //discard spam submissions
        if ($challenge == null || strlen($challenge) == 0 || $response == null || strlen($response) == 0) {
                $recaptcha_response = new ReCaptchaResponse();
                $recaptcha_response->is_valid = false;
                $recaptcha_response->error = 'incorrect-captcha-sol';
                return $recaptcha_response;
        }

        $response = _recaptcha_http_post (RECAPTCHA_VERIFY_SERVER, "/recaptcha/api/verify",
                                          array (
                                                 'privatekey' => $privkey,
                                                 'remoteip' => $remoteip,
                                                 'challenge' => $challenge,
                                                 'response' => $response
                                                 ) + $extra_params
                                          );

        $answers = explode ("\n", $response [1]);
        $recaptcha_response = new ReCaptchaResponse();

        if (trim ($answers [0]) == 'true') {
                $recaptcha_response->is_valid = true;
        }
        else {
                $recaptcha_response->is_valid = false;
                $recaptcha_response->error = $answers [1];
        }
        return $recaptcha_response;

}

/**
 * gets a URL where the user can sign up for reCAPTCHA. If your application
 * has a configuration page where you enter a key, you should provide a link
 * using this function.
 * @param string $domain The domain where the page is hosted
 * @param string $appname The name of your application
 */
function recaptcha_get_signup_url ($domain = null, $appname = null) {
    return "https://www.google.com/recaptcha/admin/create?" .  _recaptcha_qsencode (array ('domains' => $domain, 'app' => $appname));
}

function _recaptcha_aes_pad($val) {
    $block_size = 16;
    $numpad = $block_size - (strlen ($val) % $block_size);
    return str_pad($val, strlen ($val) + $numpad, chr($numpad));
}

/* Mailhide related code */

function _recaptcha_aes_encrypt($val,$ky) {
    if (! function_exists ("mcrypt_encrypt")) {
        die ("To use reCAPTCHA Mailhide, you need to have the mcrypt php module installed.");
    }
    $mode=MCRYPT_MODE_CBC;   
    $enc=MCRYPT_RIJNDAEL_128;
    $val=_recaptcha_aes_pad($val);
    return mcrypt_encrypt($enc, $ky, $val, $mode, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0");
}


function _recaptcha_mailhide_urlbase64 ($x) {
    return strtr(base64_encode ($x), '+/', '-_');
}

/* gets the reCAPTCHA Mailhide url for a given email, public key and private key */
function recaptcha_mailhide_url($pubkey, $privkey, $email) {
    if ($pubkey == '' || $pubkey == null || $privkey == "" || $privkey == null) {
        die ("To use reCAPTCHA Mailhide, you have to sign up for a public and private key, " .
             "you can do so at <a href='http://www.google.com/recaptcha/mailhide/apikey'>http://www.google.com/recaptcha/mailhide/apikey</a>");
    }


    $ky = pack('H*', $privkey);
    $cryptmail = _recaptcha_aes_encrypt ($email, $ky);

    return "http://www.google.com/recaptcha/mailhide/d?k=" . $pubkey . "&c=" . _recaptcha_mailhide_urlbase64 ($cryptmail);
}

/**
 * gets the parts of the email to expose to the user.
 * eg, given johndoe@example,com return ["john", "example.com"].
 * the email is then displayed as john...@example.com
 */
function _recaptcha_mailhide_email_parts ($email) {
    $arr = preg_split("/@/", $email );

    if (strlen ($arr[0]) <= 4) {
        $arr[0] = substr ($arr[0], 0, 1);
    } else if (strlen ($arr[0]) <= 6) {
        $arr[0] = substr ($arr[0], 0, 3);
    } else {
        $arr[0] = substr ($arr[0], 0, 4);
    }
    return $arr;
}

/**
 * Gets html to display an email address given a public an private key.
 * to get a key, go to:
 *
 * http://www.google.com/recaptcha/mailhide/apikey
 */
function recaptcha_mailhide_html($pubkey, $privkey, $email) {
    $emailparts = _recaptcha_mailhide_email_parts ($email);
    $url = recaptcha_mailhide_url ($pubkey, $privkey, $email);

    return htmlentities($emailparts[0]) . "<a href='" . htmlentities ($url) .
        "' onclick=\"window.open('" . htmlentities ($url) . "', '', 'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0,resizable=0,width=500,height=300'); return false;\" title=\"Reveal this e-mail address\">...</a>@" . htmlentities ($emailparts [1]);

}


?>

Any help would be appreciated. I have been in touch with my hosting company asking for support as the form is built with software they recommend, the only help they offered was to go to an online forum and ask for help.

I have created many 'contact forms' etc before and never had this problem.

Thanks in advance for any help.

Junior Chubb
  • 17
  • 1
  • 3
  • 1
    Phishing attacks are attacks on humans with forms/links similar to yours, nothing to do with code (well, you can kind of prevent it, but that would involve HTTPS and some big warning to check the browser bar for the people who don't understand). Your hosting company is utterly stupid (now if it was CSRF/XSS, that would be your issue). – Amelia May 13 '13 at 11:49
  • 1
    Also, use `$_SERVER`, `$_POST` etc. `HTTP_*_VARS` was deprecated years ago. – Amelia May 13 '13 at 11:54

2 Answers2

2

The problem is that the code you've posted is vulnerable to being hacked via the mail headers.

The intention for this code is that it will always send emails to you, and only you, but it is possible for your email headers to be manipulated such that the email is rewritten with unintended content and sent to arbitrary recipients.

In other words, for someone who knows how to attack it, you've got an open email system capable of sending anything to anyone, completely anonymously.

The core of your problem is here:

$headers = 'From:' .$Name. ' made a booking enquiry' . "\r\n" .
        'Reply-To:' . $Email . "\r\n";

Both $Name and $Email can be used to attack the system by injecting additional \r\n sequences and other headers.

You need to sanitise these fields, and any other headers you may be using to prevent this kind of attack.

This kind of thing exposes the weaknesses of PHP's built-in mail() function. It is very easy to write a vulnerable mailer using this function.

My advice is to use a better mailer class such as phpMailer instead of PHP's built-in mail() function.

phpMailer does all the hard work for you of sanitising the input and making it difficult for an attacker to hack your system. Yes, you could fix your code to handle all this yourself, but it's a lot of work and you'll never be completely certain you've covered everything. So use a class like phpMailer, because they've already done all that work for you.

Basically, once you've installed phpMailer, you would replace this code:

$subject = 'Louis Villa booking enquiry';
$headers = 'From:' .$Name. ' made a booking enquiry' . "\r\n" .
        'Reply-To:' . $Email . "\r\n";
mail("info@louisvilla.com",$subject,$message,$headers);

...with this:

require 'class.phpmailer.php';
$mail = new PHPMailer;
$mail->From = $Email;
$mail->FromName = $Name;
$mail->AddAddress('info@louisvilla.com');
$mail->Subject = $subject;
$mail->Body    = $message;
if(!$mail->Send()) {
   echo 'Message could not be sent.';
   echo 'Mailer Error: ' . $mail->ErrorInfo;
   exit;
}

Neater code, and more secure. A win all-round.

Hope that helps.

Spudley
  • 166,037
  • 39
  • 233
  • 307
1

If a hosting company is removing content because of "phishing attacks" (claiming you are vulnerable to them), you can either ditch them or sue them for being irresponsible hosts. Phishing is something that literally any site can be vulnerable to; it's an attack on humans, not a site.

Similar to social engineering, pretty much the only thing you can do is educate users. (NB: You can also use signed email with proper DKIM/SPF records, and Gmail wont flag you as spam as easily, too, but that's about the limit that you can go to)

In addition (though this part should be on code review ideally)

  • You are mixing $_SERVER (which is correct), and $HTTP_SERVER_VARS (which has been deprecated for many years and throws E_DEPRECATED in the error log).
  • You appear to have globalled the HTTP_*_VARS; this is not needed, as $_POST/GET/SESSION/... are all superglobals.
  • Your email regex is not valid; regex can't validate email (email grammar is not regular, hence regular expressions will not work 100% of the time).
  • You aren't protecting against CSRF. See Jeff's blog post about it.

The only thing I can think of that would cause your host to legitimately take down content is if they believed you were the one phishing, however given their response about finding help on a forum after this, I'd say they are just highly unprofessional.

EDIT: after I slapped myself for not seeing what @Spudley saw, it appears people have been using your scripts to send phishing attacks to people. Your hosting company knew that your script was sending them, but simply removed them and failed to tell you it was being exploited (and probably without assuming good faith, either)

Community
  • 1
  • 1
Amelia
  • 2,967
  • 2
  • 24
  • 39
  • Hi Hiroto,Thanks for the response. I am very frustrated by the hosting company but I did not choose them. My client was already using them, I will recommend changing. However if they do not want to incur the costs, would your recomended changes to the code help towards solving the problem? – Junior Chubb May 13 '13 at 12:25
  • 1
    Thought I'd quickly add that, for validating e-mail, all you can do is check that the address posted through is **at least an attempt at an e-mail address**. For this, give `filter_var($email, FILTER_VALIDATE_EMAIL)` a try. – Jimbo May 13 '13 at 12:29
  • @JuniorChubb see Spudley's answer for an exploit fix, but both answers combined would give better, more secure code (especially the CSRF + regex comments). – Amelia May 13 '13 at 12:31
  • Cheers H, Hope you didn't hurt yourself hitting your head with a hammer. :-) I don't know why they closed the question, it was ambiguous, vague and incomplete because I didn't have a clue what was going on. – Junior Chubb May 20 '13 at 20:04