Webmaster Forum: Coding Forum
#1  nullwired (Junior Member), 06-27-2009, 12:06 PM
Form field security issues

A month or two ago I was browsing through my file directory with my web host. I noticed several files, primarily .php files, that I had not uploaded. Similarly, I had been receiving strange emails regularly, with subject lines and content containing random, meaningless characters.

After some thought, it was obvious that my contact form was being misused to upload these files. While I'm familiar with the term "SQL injection" I don't have much of an understanding of the concept, or the process.

I am currently assembling a site that requires the use of an upload form, and search form. While I have done some googling first, I've been unable to find anything I can decipher, as a solution to this security issue.

I'm hoping someone, with experience in this, would be able to point me in the right direction of securing my form fields from this type of attack.

Thanks,
Eric.
#2  Costin Trifan, 06-27-2009, 12:28 PM
excuse me, but you are using/allowing your contact form to upload files??

if your form has the enctype attribute set to "multipart/form-data", like this:
Code:
<form enctype="multipart/form-data" ....>
you should remove it. And you shouldn't have set your contact form to allow file uploads. use a special form/page for that.
__________________
...to be continued
#3  nullwired (Junior Member), 06-27-2009, 10:10 PM
The contact form was not allowing uploads; that's a separate form on a separate website. The contact form was a simple PHP script to send the contents of a text field to my e-mail address. It was somehow being used to upload files to my server.

Obviously if that can be done using a simple text form field, you can see my concern for using an upload form.
#4  Costin Trifan, 06-28-2009, 08:09 AM
Technically speaking, you cannot do that. Mainly because to be able to upload a file to a server you need a file upload control (the file input tag), then you have to use the $_FILES array in your code and copy the file to a specified location.

But then you say that
Quote:
The contact form was a simple php script to send the contents of a text field to my e-mail address.
which confuses me...because a simple contact form would normally not have a file upload control or even touch the $_FILES array in the code behind file.

Maybe you are looking into the wrong direction and the contact form is not the one with problems here, maybe the other form you were talking about?

To avoid some headaches, you can just have your contact form validation file look like this:
PHP Code:
<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST')
{
    // Sanitize posted data
    $subject = trim(stripslashes(strip_tags($_POST['subject'])));
    //
    //... continue with the rest of your form's controls

    //.. validate the posted data
    if (empty($subject))
        exit('You need to provide a subject');
    if (strlen($subject) > 125)
        exit('The subject is too long');
    //
    //... etc...
}
else exit('Invalid request method');
?>
#5  HiVelocity (Contributing Member), 06-28-2009, 04:50 PM
Is there any iframe you could see in the code of the hacked files you mentioned? It can be either cross site scripting. I would suggest you use suPHP or suhosin for this.
#6  nullwired (Junior Member), 06-30-2009, 09:48 PM
Quote (Originally Posted by Costin Trifan):
...to upload a file to a server you need a file upload control...
I don't quite understand it myself. But I can almost refute that with certainty, because for the longest time I would see random files in random places in my public_html directory. I was also getting odd emails with subjects, bodies, and return addresses all saying fhdklsaghs ffhdksla@fhadskl.fdas. One day I got one with the subject "nice site host" which spurred some curiosity. Coincidentally I had a new file sitting in the root directory. Well, as soon as I took the contact form down, I stopped receiving e-mails, and about 3 months later have not had any mysterious files show up.

Quote (Originally Posted by HiVelocity):
Is there any iframe you could see in the codes of hacked files you mentioned.
No iframes in anything I looked at, although I didn't save any of it. Most of what was uploaded were php and js scripts that I couldn't make much sense of. I remember speaking with someone who suggested the idea of creating a call for a script that doesn't exist, while providing the contents of the script, and somehow making the server read the contents you provide. He couldn't offer any explanation other than that.

PHP Code:
<?php
$to = "";                          // recipient address (blanked out by the poster)
$subject = $_REQUEST['subject'];   // fields are taken straight from the request, unvalidated
$email = $_REQUEST['email'];
$message = $_REQUEST['message'];
$headers = "From: $email";         // the visitor-supplied value is placed directly into the mail headers
$sent = mail($to, $subject, $message, $headers);
if ($sent)
{ print "Your message was sent successfully"; }
else
{ print "There was an error in sending your message"; }
?>
That was my code.

Thanks for suggesting suPHP/suhosin I'll have to check those out when I can.
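Added example for this thread, not code from any poster: a contact-form handler that validates each field the way Costin's snippet in post #4 starts to, and that also rejects the one thing nullwired's script in post #6 lets through. That script builds `From: $email` from raw request data; a carriage return or line feed inside that value (or inside the subject) lets a visitor append extra mail headers such as Bcc:, which is the usual cause of a contact form sending junk mail with nonsense subjects and return addresses. The RECIPIENT address, the length limits and the sample inputs are constructed for the example.

```php
<?php
// Added example (not any poster's code): a contact-form handler that
// validates every field and refuses line breaks in anything that goes
// into a mail header. RECIPIENT is a placeholder; use your own address.
declare(strict_types=1);

const RECIPIENT   = 'you@example.com';   // placeholder
const MAX_SUBJECT = 125;
const MAX_MESSAGE = 5000;

/**
 * Clean a value that will end up on a mail header line.
 * Returns the trimmed value, or null if it is empty, too long, or contains
 * a carriage return, line feed or NUL: a line break inside "From:" or the
 * subject is what turns a contact form into a relay for someone else's mail.
 */
function clean_header_field(string $value, int $maxLen): ?string
{
    $value = trim($value);
    if ($value === '' || strlen($value) > $maxLen || preg_match('/[\r\n\0]/', $value) === 1) {
        return null;
    }
    return $value;
}

/** Validate the three form fields. Returns ['ok' => bool, 'errors' => [...]] plus the cleaned fields. */
function validate_contact(array $input): array
{
    $errors  = [];
    $email   = clean_header_field((string) ($input['email'] ?? ''), 254);
    if ($email === null || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Invalid sender address';
    }
    $subject = clean_header_field((string) ($input['subject'] ?? ''), MAX_SUBJECT);
    if ($subject === null) {
        $errors[] = 'Subject missing, too long, or contains line breaks';
    }
    $message = trim((string) ($input['message'] ?? ''));
    if ($message === '' || strlen($message) > MAX_MESSAGE) {
        $errors[] = 'Message missing or too long';
    }
    return ['ok' => $errors === [], 'errors' => $errors,
            'email' => $email, 'subject' => $subject, 'message' => $message];
}

/** Send the validated message. From: is a fixed local address; the visitor only gets Reply-To:. */
function send_contact(array $v): bool
{
    $headers = 'From: ' . RECIPIENT . "\r\n" . 'Reply-To: ' . $v['email'] . "\r\n";
    return mail(RECIPIENT, $v['subject'], $v['message'], $headers);
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs, so the checks can be exercised without a web server.
    $samples = [
        'clean'    => ['email' => 'visitor@example.org', 'subject' => 'Question', 'message' => 'Hello'],
        // A line break followed by another header is the injection pattern the check rejects.
        'injected' => ['email' => "visitor@example.org\r\nBcc: someone@example.net", 'subject' => 'x', 'message' => 'Hello'],
        'long'     => ['email' => 'visitor@example.org', 'subject' => str_repeat('a', 200), 'message' => 'Hello'],
    ];
    foreach ($samples as $name => $input) {
        $r = validate_contact($input);
        printf("%-8s %s %s\n", $name, $r['ok'] ? 'accepted' : 'rejected', implode('; ', $r['errors']));
    }
} elseif (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // Read $_POST only: $_REQUEST would also accept values from the query string and cookies.
    $v = validate_contact($_POST);
    if (!$v['ok']) {
        http_response_code(400);
        exit(implode("\n", $v['errors']));
    }
    echo send_contact($v) ? 'Your message was sent' : 'There was an error sending your message';
} else {
    exit('Invalid request method');
}
```

Run it from the command line to see the three constructed samples judged; deployed as the form's action it only accepts POST. Two design choices matter here: the visitor's address never becomes the From: header (it goes into Reply-To: after passing FILTER_VALIDATE_EMAIL and the line-break check), and the subject is length-limited and line-break-free before it reaches mail(). Neither check would stop files from being written to public_html, so the mysterious files in this thread most likely have another explanation, as Hades points out below.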
#7  Hades (Moderator), 07-01-2009, 08:07 AM
If the files stopped appearing 3 months after you removed the contact form then it's very possible that it wasn't the cause of the issue.

There are firefox plugins to manipulate inputs of forms, you don't need an input-file tag to put a file in there, but those files would eventually end up in the server temporary directory (not in your http public directory). So if the OP says he's sure there are no upload mechanisms, there must be something else. Maybe somebody stole your FTP password? Check in your control panel or contact your hosting, they probably have an access log.

As for your question in the first post of how to create safe upload forms:

1. I suggest reading this article: http://www.acunetix.com/websitesecur...rms-threat.htm which gives some advice on the main security issues when doing uploads.
2. Check this PHP class: Safe Upload, which takes care of some of the issues mentioned by the article. It allows you to do uploads and also performs several validations according to how you set it up.
__________________
Hades,
Ancient god, King of the Nether World, and Guardian of the Dead.
...and on my free time I'm also a web developer, contact me if you need one!
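As an added example of the kind of validation Hades is recommending for an upload form (this is neither the Safe Upload class he links nor any poster's code): an upload handler that checks the PHP error code, the size, and the MIME type sniffed from the file contents against an allowlist, stores the file under a random name outside the web root, and ignores the client-supplied filename and type entirely. UPLOAD_DIR, the size limit, the allowlist and the sample files are constructed for the example.

```php
<?php
// Added example (not any poster's code, not the "Safe Upload" class):
// an upload handler applying the usual checks for upload forms.
// UPLOAD_DIR is a placeholder; it must be writable by the web server but
// NOT served by it, so an uploaded script can never be requested by URL.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads_private';   // placeholder, outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;
// Allowlist keyed by MIME type sniffed from the file contents; the value is the
// extension the stored copy gets. The client-supplied name and type are ignored.
const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'application/pdf' => 'pdf'];

/** Inspect one $_FILES entry. Returns ['ok' => bool, 'reason' => string, 'ext' => ?string]. */
function check_upload(array $file): array
{
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'reason' => "upload error code $err", 'ext' => null];
    }
    if (($file['size'] ?? 0) <= 0 || $file['size'] > MAX_BYTES) {
        return ['ok' => false, 'reason' => 'empty or too large', 'ext' => null];
    }
    // Sniff the real type from the bytes on disk, not from $file['type'] or the name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED[$mime])) {
        return ['ok' => false, 'reason' => 'type not allowed: ' . var_export($mime, true), 'ext' => null];
    }
    return ['ok' => true, 'reason' => 'accepted as ' . $mime, 'ext' => ALLOWED[$mime]];
}

/** Store an accepted upload under a random name. Returns the stored name, or null if rejected. */
function store_upload(array $file): ?string
{
    $r = check_upload($file);
    if (!$r['ok']) {
        return null;
    }
    // Random name plus an allowlisted extension: nothing from the client filename
    // (path separators, double extensions, ".php") ever reaches the disk.
    $name = bin2hex(random_bytes(16)) . '.' . $r['ext'];
    $dest = UPLOAD_DIR . DIRECTORY_SEPARATOR . $name;
    // move_uploaded_file() refuses any path that did not come from an HTTP upload.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0640);   // readable by the server, never executable
    return $name;
}

if (PHP_SAPI === 'cli') {
    // Constructed samples: two temp files run through check_upload(). Both claim
    // to be "photo.png" of type image/png; only the bytes decide the outcome.
    // (move_uploaded_file() only accepts real uploads, so only the checks run here.)
    $png = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($png, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 64));
    $php = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($php, "<?php echo 'hello'; ?>\n");
    foreach (['png' => $png, 'php-script' => $php] as $label => $path) {
        $entry = ['name' => 'photo.png', 'type' => 'image/png', 'tmp_name' => $path,
                  'error' => UPLOAD_ERR_OK, 'size' => filesize($path)];
        $r = check_upload($entry);
        printf("%-10s %s (%s)\n", $label, $r['ok'] ? 'accepted' : 'rejected', $r['reason']);
        unlink($path);
    }
} elseif (isset($_FILES['upload'])) {
    $stored = store_upload($_FILES['upload']);
    echo $stored === null ? 'Upload rejected' : 'Stored as ' . $stored;
}
```

Because the files live outside the document root, they are handed back through a small script that looks the stored name up and sets Content-Type from the same allowlist, rather than by direct URL. The PHP-level size check is a second line; the first is upload_max_filesize and post_max_size in php.ini, which bound what the server will even read.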
#8  Costin Trifan, 07-01-2009, 02:19 PM
very good articles, H.
All times are GMT -7.