I came across this when one of my client’s contact form was hijacked and my server IP got black listed. I figured out the problem with the help of Outblaze guys and fixed the issues with the form but that was not the fixed solution to this.

Now what is contact form hijacking?

The spammers pass invalid characters in headers through the form fields using bots / scripts.
For example, they pass BCC header with MANY emails in any of the form fields and send out emails. They even modify the values passed in subject variable if its not fixed. In my case they were sending “diet pills” spam mail using that form.

This works if we do not check for invalid characters in the form validation.

Example of it would be following code:

"sender@anonymous.www%0ACc:recipient@someothersite.xxx%0ABcc:somebloke@grrrr.xxx,someotherbloke@oooops.xxx"

This code adds CC and BCC field in the headers and the email will go to these people as well.

How to stop it from our side and make the forms secure?

If we check for CC and BCC or say recurrence of @ character on action page then it can be stopped. And we can log that IP and other details and take action. (Report spammer’s IP or something)

In PHP you can write a function which will do all necessary cleanup, code on this page would help you with it.

Many people say that it can be stopped by using Captchas (image verification scripts) but these days there are scripts which can decode Captchas too. No kidding, here is the link which shows working example of captcha decoder script.

How to stop it from server side?

Since I run web hosting company so it is difficult to check each and every form used by clients, sit on it and clean it.

I then enabled few things on server side, i.e. I allowed only 100 emails to be sent from one domain in an hour. 2nd thing was I installed mod_security module to take care of these spam mails.

If you are linux server admin then you should know what mod_security is and what it does. I must say it is a very powerful module; you can set rules in it and delete spam mails being sent from your server. It also allows many other rules like disabling few PHPBB and other exploits. Disabling XSS and SQL injections etc….

I just had to add 2 lines to stop spam mails. The code will check for BCC headers and allow only 20 addresses in BCC per mail.

I am reading lot of stuff on mod_security and learning the stuff so I can try my level best to save the server from these kind of attacks.

Good reads for contact form hijacking would be:

For end users:

- Info on email injection
- Secured PHP contact form
- Project Killbot

For server admins:

- Info on form hijacking
- mod_security home page
- mod_security rules

I think they have started sending invitations to the ones who had subscribed to “Receive gmail updates in mail”

so in that mail..there is a link to “unsubscribe yourself” from the list…

I clicked it and tried entering script code in that…it did not work…I tried again by adding ” and then finally it worked after adding “> in variable email

Wanna see it action ?

Check the screenshot

You will see javascript alert saying “Hi”, I am sure you know what all you can do with it

I have already mail google security team about this, I think they should fix this small issue in few hours…

UPDATE: They are so quick….I got reply from them in less than an hour…very impressive…. where our Indiatimes, They have still not replied to my mail…they should learn something from google..

This is what I got from them

Hi Deep,

Thanks for letting us know! We will fix this problem as soon as possible.

Also, if you would like a Google T-shirt, please send us your mailing address and t-shirt size, and we’ll send a shirt.

Thanks
Google Security Team

Some great links for you…

Take a look at this great post in ServerMatrix forums, points are very well explained….and extremely useful

Couple of more great resourses include Dedicated Server Tutorials & Web Host Gear

cheers
Deep

I have informed Indiatimes about it but till now I haven’t got any response from them

What is this security hole all about?
In simple words, a person can ask you to click on the link and once you click on it, he can do whatever he wants…he can show Login Page or page asking for credit card details…

And once you enter the details..everything will be mail to him…infact he may try to do lot more than that..he may try to exploit the loopholes in your system…

I have submitted this to BugTraq also…

Wanna read technical Details? Sure…thing..click on “More” link…

Technical Details… (I have sent same to Bugtraq mailing list also)

——————————————————————-
Name : IndiaTimes Shopping – XSS Vulnerability
WebSite : http://shopping.indiatimes.com
Date : January 29, 2005
Vuln Type : Cross site scripting
Severity : Moderate
Vendor : Unknown

HomePage : www.indiatimes.com

——————————————————————-
SITE DESCRIPTION:
——————————————————————-
Indiatimes Shopping provides an ideal platform for Clients/ Merchants to set up a shop and enable themselves to reach directly to the consumer. Indiatimes has enabled more than 200 brands/ manufacturers/ service providers. With business volumes growing at the rate of 200%, Indiatimes is constantly adding new merchants/ sellers to its marketplace and retaining the successful ones.

——————————————————————-
VULNERABILITY INFO:
——————————————————————-

The security hole is basically on page

What is happening?

When they are listing the products in the page, they are also passing page title in the query string.
But while passing the title, they have not used any function like htmlentities() (which we use in PHP) so because of this, the query string allows me to pass HTML code using Javascript…

For example…

When you go to this page

And click on any product, you will see that it passes variable in title & in the query string with name of the product.

And they are printing value of same variable in Page Title and to show current location (Indiatimes > Shopping > Category > Product Name (From title variable)

This is the page I am talking about….

Now if you replace page title with JavaScript code then instead of showing code as it is, it executes the code i.e. does not show the code as plain text.

UPDATE: 14th Feb 2005

Example of code can be following

This will redirect to page http://whoisdeep.com/indcr.html and show fake login page

This is just a simple example, I am sure that you can do a lot more things with this XSS vulnerability.

We can also use this security hole with latest vulnerability in non IE browsers i.e. Firefox, Opera etc… (make this more real so that even techie person might find it real)

How?

In recent exploit found by Shmoo, you can spoof the domain address. User will see it as Indiatimes.com but in reality the domain name will be something else.

For example, visit this page

Clicking on any of the two links in the above webpage using anything but IE should result in a spoofed paypal.com webpage.

The links are directed at “http://www.pаypal.com/”, which the browsers punycode handlers render as www.xn--pypal-4ve.com.

For detailed information about this exploit you can visit this page

This is just a simple example, I am sure that you can do a lot more things with this XSS vulnerability.

——————————————————————-
IMPACT:
——————————————————————-
Exploit can be used in fraud emails asking users to enter their personal details like Login, Password, Credit Card info etc…

——————————————————————-
SOLUTION:
——————————————————————-
I have mailed them about the same yesterday but there has been no response from their side.