Webmaster Forum

#1  06-27-2009, 11:06 AM  (Junior Member)
Form field security issues

A month or two ago I was browsing through my file directory with my web host. I noticed several files, primarily .php files, that I had not uploaded. Similarly, I had been receiving strange emails regularly, with subject lines and content containing random, meaningless characters.

After some thought, it was obvious that my contact form was being misused to upload these files. While I'm familiar with the term "SQL injection", I don't have much of an understanding of the concept or the process.

I am currently assembling a site that requires the use of an upload form and a search form. While I have done some googling first, I've been unable to find anything I can decipher as a solution to this security issue.

I'm hoping someone with experience in this would be able to point me in the right direction for securing my form fields against this type of attack.

Thanks,
Eric.

#2  06-27-2009, 11:28 AM  kos (Coding Tiger, .ro)
Excuse me, but are you using/allowing your contact form to upload files?

If your form has the enctype attribute set to "multipart/form-data", like this:
Code:
<form enctype="multipart/form-data" ....>
you should remove it. And you shouldn't have set your contact form to allow file uploads; use a special form/page for that.

#3  06-27-2009, 09:10 PM  (Junior Member)
The contact form was not allowing uploads; that's a separate form on a separate website. The contact form was a simple PHP script to send the contents of a text field to my e-mail address. It was somehow being used to upload files to my server.

Obviously, if that can be done using a simple text form field, you can see my concern about using an upload form.

#4  06-28-2009, 07:09 AM  kos (Coding Tiger, .ro)
Technically speaking, you cannot do that. Mainly because to be able to upload a file to a server you need a file upload control (the file input tag), then you have to use the $_FILES array in your code and copy the file to a specified location.

But then you say that
Quote:
The contact form was a simple php script to send the contents of a text field to my e-mail address.
which confuses me... because a simple contact form would normally not have a file upload control or even touch the $_FILES array in the code-behind file.

Maybe you are looking in the wrong direction and the contact form is not the one with problems here; maybe it's the other form you were talking about?

To avoid some headaches, you can just have your contact form validation file look like this:
PHP Code:
<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST')
{
    // Sanitize posted data (guard against a missing field as well)
    $subject = isset($_POST['subject']) ? $_POST['subject'] : '';
    $subject = trim(stripslashes(strip_tags($subject)));
    //
    //... continue with the rest of your form's controls

    //.. validate the posted data
    if (empty($subject))
        exit('You need to provide a subject');
    if (strlen($subject) > 125)
        exit('The subject is too long');
    //
    //... etc...
}
else exit('Invalid request method');
?>

#5  06-28-2009, 03:50 PM  HiVelocity (Contributing Member, Tampa Fl)
Is there any iframe you could see in the code of the hacked files you mentioned? It could be cross-site scripting. I would suggest you use suPHP or suhosin for this.

#6  06-30-2009, 08:48 PM  (Junior Member)
Quote:
Originally Posted by Costin Trifan View Post
...to upload a file to a server you need a file upload control...
I don't quite understand it myself. But I can almost refute that with certainty, because for the longest time I would see random files in random places in my public_html directory. I was also getting odd emails with subjects, bodies, and return addresses all saying fhdklsaghs ffhdksla@fhadskl.fdas. One day I got one with the subject "nice site host", which spurred some curiosity. Coincidentally, I had a new file sitting in the root directory. Well, as soon as I took the contact form down, I stopped receiving e-mails, and about 3 months later I have not had any mysterious files show up.

Quote:
Originally Posted by HiVelocity View Post
Is there any iframe you could see in the codes of hacked files you mentioned.
No iframes in anything I looked at, although I didn't save any of it. Most of what was uploaded were php and js scripts that I couldn't make much sense of. I remember speaking with someone who suggested the idea of creating a call for a script that doesn't exist, while providing the contents of the script, and somehow making the server read the contents you provide. He couldn't offer any explanation other than that.

PHP Code:
<?php
$to      = "";
// All three values come straight from the request (GET or POST), unchecked.
$subject = $_REQUEST['subject'];
$email   = $_REQUEST['email'];
$message = $_REQUEST['message'];
// The From header is built from the unvalidated $email value; a line break
// in that field continues into further mail headers.
$headers = "From: $email";
$sent = mail($to, $subject, $message, $headers);
if ($sent)
{ print "Your message was sent successfully"; }
else
{ print "There was an error in sending your message"; }
?>
That was my code.

Thanks for suggesting suPHP/suhosin I'll have to check those out when I can.
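The script above puts the visitor's e-mail address straight into the From header, so a value containing a carriage return or line feed adds extra mail headers of the sender's choosing; that would account for the junk messages, though not by itself for files appearing on the server. A hardened version of the same script, written as an added example (not the OP's code or anything posted in the thread), with the recipient and sender addresses as placeholders:

```php
<?php
// Hardened contact form (added example). Assumes $to and the From address
// below are replaced with real addresses on your own domain.

$to = 'you@example.com'; // placeholder recipient

// Anything that goes into a mail header must be a single line. CR, LF and
// NUL are rejected outright instead of being stripped, so a tampered
// request is refused rather than silently repaired.
function clean_header_field($value, $max_len)
{
    $value = trim(strip_tags((string) $value));
    if ($value === '' || strlen($value) > $max_len) {
        return false;
    }
    if (preg_match('/[\r\n\0]/', $value)) {
        return false;
    }
    return $value;
}

// Only POST is accepted; $_REQUEST would also honour query-string values.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    exit('Invalid request method');
}

$subject = clean_header_field($_POST['subject'] ?? '', 125);
$email   = clean_header_field($_POST['email'] ?? '', 254);
$message = trim((string) ($_POST['message'] ?? ''));

// filter_var rejects addresses containing spaces, angle brackets or
// comments, which is all that may ever reach a Reply-To header.
if ($subject === false || $email === false
    || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    exit('Invalid subject or e-mail address');
}
if ($message === '' || strlen($message) > 5000) {
    exit('Message is empty or too long');
}

// Send from a fixed address on your own domain and keep the visitor's
// address in Reply-To; the visitor never controls the From line.
$headers = "From: contact@example.com\r\n"   // placeholder sender
         . "Reply-To: $email\r\n"
         . "X-Mailer: PHP/" . phpversion();

$sent = mail($to, $subject, $message, $headers);
print $sent ? 'Your message was sent successfully'
            : 'There was an error in sending your message';
?>
```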

#7  07-01-2009, 07:07 AM  Hades (Senior Web Developer, Argentina)
If the files stopped appearing 3 months after you removed the contact form, then it's very possible that it wasn't the cause of the issue.

There are Firefox plugins to manipulate the inputs of forms; you don't need an input-file tag to put a file in there, but those files would eventually end up in the server's temporary directory (not in your HTTP public directory). So if the OP says he's sure there are no upload mechanisms, there must be something else. Maybe somebody stole your FTP password? Check in your control panel or contact your hosting; they probably have an access log.

As for your question in the first post about how to create safe upload forms:

1. I suggest you read this article: http://www.acunetix.com/websitesecur...rms-threat.htm which gives some advice on the main security issues when doing uploads.
2. Check this PHP class: Safe Upload, which takes care of some of the issues mentioned by the article. It allows you to do uploads and also performs several validations according to how you set it up.
__________________
Cristian Espinoza ~ Sr. Web Developer
Currently available for Freelance Web Development

(+54 9) 1155 601 661
Skype: espinoza.cristian
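The validations an upload handler needs, as an added example that is neither the Safe Upload class nor the linked article's code. It assumes a field named "upload", a storage directory outside the web root (placeholder path) and an image-only whitelist:

```php
<?php
// Upload handler (added example). Store directory and whitelist are
// placeholders; the directory must not be under public_html.

$store_dir = '/var/www/private_uploads';
$allowed   = array(              // extension => MIME type detected from content
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'gif' => 'image/gif',
);
$max_bytes = 2 * 1024 * 1024;

function store_upload(array $file, $store_dir, array $allowed, $max_bytes)
{
    // 1. PHP's own error code and the size limit come first.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return 'Upload failed';
    }
    if ($file['size'] > $max_bytes) {
        return 'File too large';
    }
    // 2. Check the content, not the client-supplied name or type:
    //    $file['type'] and $file['name'] are whatever the browser sent.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    $ext   = array_search($mime, $allowed, true);
    if ($ext === false) {
        return 'File type not allowed';
    }
    // 3. Server-generated name: the original name never reaches the path,
    //    so neither "../" nor a .php suffix in it can matter.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = $store_dir . '/' . $name;
    // 4. move_uploaded_file() refuses anything that was not a real upload.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return 'Could not store file';
    }
    chmod($dest, 0640); // readable by the web server, never executable
    return 'Stored as ' . $name;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['upload'])) {
    print store_upload($_FILES['upload'], $store_dir, $allowed, $max_bytes);
}
?>
```

Files are served back, if at all, through a script that reads from $store_dir, so nothing in the upload directory is ever executed by the web server.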

#8  07-01-2009, 01:19 PM  kos (Coding Tiger, .ro)
Very good articles, H.