Topic: Possible spam vulnerability with 2.0 RC5

[vampi the frog]

Hey guys. I've been running 2.0 for a while, and at some point I started receiving strange emails, which I later determined that are sent from the forum, possibly by some fak accounts. The forum is for a small gaming community, so suspicious accounts are immediately visible. Other users have reported the same type of messages in their inbox.

The emails were of the following form:

From: <random fake address> forum@ourwebsite
Subject: random characters

Some compliments with typos

where forum@ourwebsite is our legitimate forum do-not-reply address (at some point i changed it to forum to check if they're using the forum settings to send spam, and sure enough, they were. That meant they were using some script in the code. I have replaced our website's address with ourwebsite in the following pastes:

Code: [Select]

To: my.email@gmail.com
Subject: FgMBhtqoPqhdSeTh
From: "nkjog@uni-miskolc.hu" <forum@ourwebsite>
Reply-To: <nkjog@uni-miskolc.hu>
Date: Sun, 24 Apr 2011 14:10:34 -0000
X-Mailer: SMF
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="SMF-f35955c1b47d312d682523c41251c0e6"
Content-Transfer-Encoding: 7bit
Message-Id: <20110424141034.DEFDBAE23CB@evo.localdomain>

That's the best aswner of all time! JMHO
--SMF-f35955c1b47d312d682523c41251c0e6
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

That's the best aswner of all time! JMHO
--SMF-f35955c1b47d312d682523c41251c0e6--

So I figured I should log these emails and I found the sendmail() file in Sources/Subs-Post.php, and I added some logging functionality. I later added the return false if the y_email field is set (this is my simple solution):

Code: [Select]

// Send off an email.
// Send off an email.
function sendmail($to, $subject, $message, $from = null, $message_id = null, $send_html = false, $priority = 3, $hotmail_fix =
 null, $is_private = false)
{
        $f = fopen("mail-log.txt", "a");
        fprintf($f, "sendmail -> to=$to, subject=$subject, message=$message, from=$from, message_id=$message_id, priority=$priority, hotmail_fix=$hotmail_fix, is_private=$is_private\n");
        fprintf($f, '$_SERVER='.var_export($_SERVER, true));
        fprintf($f, "\n");
        fprintf($f, '$_POST='.var_export($_POST, true)."\n");
        fprintf($f, '$_SESSION='.var_export($_SESSION, true)."\n");
        fprintf($f, "backtrace=".var_export(debug_backtrace(), true)."\n");
        if(isset($_POST['y_email'])) {
          fprintf($f, "Caught spammer!\n");
          fclose($f);
          return false;
        }
        fclose($f);

        .
        .
        .
        rest of code

Here is what that logged for the example email above:

Code: [Select]

sendmail -> to=my.email@gmail.com, subject=FgMBhtqoPqhdSeTh, message=That's the best aswner of all time! JMHO, from=n
kjog@uni-miskolc.hu, message_id=, priority=1, hotmail_fix=, is_private=1
$_SERVER=array (
  'HTTP_USER_AGENT' => 'Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.01',
  'HTTP_ACCEPT' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
  'HTTP_HOST' => 'ourwebsite',
  'HTTP_REFERER' => 'http://ourwebsite/forum/index.php?PHPSESSID=049518482f96814dc01dd8fef1df4fd1&action=emailuser;sa=ema
il;msg=1490',
  'CONTENT_LENGTH' => '190',
  'CONTENT_TYPE' => 'application/x-www-form-urlencoded',
  'HTTP_COOKIE' => 'PHPSESSID=049518482f96814dc01dd8fef1df4fd1',
  'HTTP_VIA' => '1.1 www.blucomputadores.com.br:3128 (squid/2.6.STABLE21)',
  'HTTP_CACHE_CONTROL' => 'max-age=259200',
  'HTTP_CONNECTION' => 'keep-alive',
  'PATH' => '/usr/local/bin:/usr/bin:/bin',
  'SERVER_SIGNATURE' => '<address>Apache/2.2.16 (Debian) Server at ourwebsite Port 80</address>
',
  'SERVER_SOFTWARE' => 'Apache/2.2.16 (Debian)',
  'SERVER_NAME' => 'ourwebsite',
  'SERVER_ADDR' => '192.168.2.120',
  'SERVER_PORT' => '80',
  'REMOTE_ADDR' => '187.112.244.124',
  'DOCUMENT_ROOT' => '/var/www/ourwebsite,
  'SERVER_ADMIN' => 'webmaster@localhost',
  'SCRIPT_FILENAME' => '/var/www/ourwebsite/forum/index.php',
  'REMOTE_PORT' => '41108',
  'GATEWAY_INTERFACE' => 'CGI/1.1',
  'SERVER_PROTOCOL' => 'HTTP/1.0',
  'REQUEST_METHOD' => 'POST',
  'QUERY_STRING' => 'action=emailuser;sa=email',
  'REQUEST_URI' => '/forum/index.php?action=emailuser;sa=email',
  'SCRIPT_NAME' => '/forum/index.php',
  'PHP_SELF' => '/forum/index.php',
  'REQUEST_TIME' => 1303654234,
  'argv' =>
  array (
    0 => 'action=emailuser;sa=email',
  ),
  'argc' => 1,
  'BAN_CHECK_IP' => '187.112.244.124',
  'REQUEST_URL' => 'http://ourwebsite/forum/index.php?action=emailuser;sa=email',
)
$_POST=array (
  'y_name' => 'Leatrix',
  'y_email' => 'nkjog@uni-miskolc.hu',
  'email_subject' => 'FgMBhtqoPqhdSeTh',
  'email_body' => 'That\'s the best aswner of all time! JMHO',
  'send' => 'Send',
  'msg' => '1490',
  'a59c5d5d9' => 'dba94240db290d46ce7ce0b2052163f6',
)
$_SESSION=array (
  'session_value' => 'dba94240db290d46ce7ce0b2052163f6',
  'session_var' => 'a59c5d5d9',
  'mc' =>
  array (
    'time' => 1303654195,
    'id' => 0,
    'gq' => '0=1',
    'bq' => '0=1',
    'ap' =>
    array (
    ),
    'mb' =>
    array (
    ),
    'mq' => '0=1',
  ),
  'ban' =>
  array (
    'last_checked' => 1303654195,
    'id_member' => 0,
    'ip' => '187.112.244.124',
    'ip2' => '187.112.244.124',
    'email' => '',
  ),
  'log_time' => 1303654233,
  'timeOnlineUpdated' => 1303654196,
  'last_read_topic' => 278,
  'old_url' => 'http://ourwebsite/forum/index.php?PHPSESSID=049518482f96814dc01dd8fef1df4fd1&action=emailuser;sa=email;ms
g=1490',
  'USER_AGENT' => 'Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.01',
  'register_vv' =>
  array (
    'count' => 1,
    'errors' => 0,
    'did_pass' => false,
    'q' =>
    array (
    ),
    'code' => 'CXWTTR',
  ),
)
backtrace=array (
  0 =>
  array (
    'file' => '/var/www/ourwebsite/forum/Sources/SendTopic.php',
    'line' => 287,
    'function' => 'sendmail',
    'args' =>
    array (
      0 => 'my.email@gmail.com',
      1 => 'FgMBhtqoPqhdSeTh',
      2 => 'That\'s the best aswner of all time! JMHO',
      3 => 'nkjog@uni-miskolc.hu',
      4 => NULL,
      5 => false,
      6 => 1,
      7 => NULL,
      8 => true,
    ),
  ),
  1 =>
  array (
    'file' => '/var/www/ourwebsite/forum/Sources/SendTopic.php',
    'line' => 78,
    'function' => 'CustomEmail',
    'args' =>
    array (
    ),
  ),
  2 =>
  array (
    'function' => 'EmailUser',
    'args' =>
    array (
    ),
  ),
  3 =>
  array (
    'file' => '/var/www/ourwebsite/forum/index.php',
    'line' => 162,
    'function' => 'call_user_func',
    'args' =>
    array (
      0 => 'EmailUser',
    ),
  ),
)



I haven't received any of these in a while, so I haven't been able to see if my fix works. But you guys probably know better about the y_email and y_name fields in $_POST, and what their purpose is.

So yeah that's my bug report

[vampi the frog]

I also need to mention they weren't from the same IP.

[emanuele]

Probably you have the "Send topics to friends" permission enabled for guests, and then guests (and spammers too I can assume) can send emails to everybody.

[emanuele]

Sorry, I misunderstood your point here, of course it's a potential source of spam.

I submitted a mod to introduce the visual verification, if you would like to test it feel free to send me a PM.

[Aleksi "Lex" Kilpinen]

The actual E-mail a member function of SMF 2.0 would sound like the cause -
The url "'http://ourwebsite/forum/index.php?action=emailuser;sa=email'" is exactly for that function.
( The envelope image below people's profiles in topic view that leads to an e-mail form )

The form can be used to send e-mail directly to a user, using the forum's e-mail address, and masking it as your own (the one in your profile).

So, Check your permissions - thoroughly!

[Illori]

you can also turn off email addresses visible to guests in the admin panel
admin -> security and moderation uncheck allow viewable email addresses and check do not reveal contact details of members to guests

[Illori]

is this still an issue?

[emanuele]

The actual E-mail a member function of SMF 2.0 would sound like the cause -
The url "'http://ourwebsite/forum/index.php?action=emailuser;sa=email'" is exactly for that function.

You are indeed right!

But maybe we should put a captcha there too...for guests of course.

[Aleksi "Lex" Kilpinen]

That would be logical, if it can be allowed for guests, then at least make sure guests need some verification.

[live627]

Or even for members if under a certain post count?

[Aleksi "Lex" Kilpinen]

I would just tie it to the same setting with post verification. That would let the admin set the post count limits and all.

[emanuele]

Added a yesterday a permission for email users, so this should be fixed.