Author Topic: Possible spam vulnerability with 2.0 RC5  (Read 5838 times)

Offline vampi the frog

  • Newbie
  • *
  • Posts: 3
Possible spam vulnerability with 2.0 RC5
« on: May 22, 2011, 11:25:41 AM »
Hey guys. I've been running 2.0 for a while, and at some point I started receiving strange emails, which I later determined are sent from the forum, possibly by some fake accounts. The forum is for a small gaming community, so suspicious accounts are immediately visible. Other users have reported the same type of messages in their inbox.

The emails were of the following form:
Quote
From: <random fake address> forum@ourwebsite
Subject: random characters

Some compliments with typos

where forum@ourwebsite is our legitimate forum do-not-reply address (at some point I changed it to forum to check if they're using the forum settings to send spam, and sure enough, they were). That meant they were using some script in the code. I have replaced our website's address with ourwebsite in the following pastes:

Code:
To: my.email@gmail.com
Subject: FgMBhtqoPqhdSeTh
From: "nkjog@uni-miskolc.hu" <forum@ourwebsite>
Reply-To: <nkjog@uni-miskolc.hu>
Date: Sun, 24 Apr 2011 14:10:34 -0000
X-Mailer: SMF
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="SMF-f35955c1b47d312d682523c41251c0e6"
Content-Transfer-Encoding: 7bit
Message-Id: <20110424141034.DEFDBAE23CB@evo.localdomain>

That's the best aswner of all time! JMHO
--SMF-f35955c1b47d312d682523c41251c0e6
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

That's the best aswner of all time! JMHO
--SMF-f35955c1b47d312d682523c41251c0e6--

So I figured I should log these emails and I found the sendmail() file in Sources/Subs-Post.php, and I added some logging functionality. I later added the return false if the y_email field is set (this is my simple solution):

Code:
// Send off an email.
function sendmail($to, $subject, $message, $from = null, $message_id = null, $send_html = false, $priority = 3, $hotmail_fix = null, $is_private = false)
{
        // Debug logging. fwrite() is used rather than fprintf() because the logged
        // values are user-supplied and a '%' in them would be read as a format specifier.
        // The relative path resolves against the script's working directory, and the
        // dump includes session data, so keep this file out of the web root.
        $f = fopen("mail-log.txt", "a");
        fwrite($f, "sendmail -> to=$to, subject=$subject, message=$message, from=$from, message_id=$message_id, priority=$priority, hotmail_fix=$hotmail_fix, is_private=$is_private\n");
        fwrite($f, '$_SERVER='.var_export($_SERVER, true));
        fwrite($f, "\n");
        fwrite($f, '$_POST='.var_export($_POST, true)."\n");
        fwrite($f, '$_SESSION='.var_export($_SESSION, true)."\n");
        fwrite($f, "backtrace=".var_export(debug_backtrace(), true)."\n");
        // Simple fix: refuse to send when the request carries the y_email form field.
        if(isset($_POST['y_email'])) {
          fwrite($f, "Caught spammer!\n");
          fclose($f);
          return false;
        }
        fclose($f);

        // ... rest of the original sendmail() code ...
}

Here is what that logged for the example email above:

Code:
sendmail -> to=my.email@gmail.com, subject=FgMBhtqoPqhdSeTh, message=That's the best aswner of all time! JMHO, from=nkjog@uni-miskolc.hu, message_id=, priority=1, hotmail_fix=, is_private=1
$_SERVER=array (
  'HTTP_USER_AGENT' => 'Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.01',
  'HTTP_ACCEPT' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
  'HTTP_HOST' => 'ourwebsite',
  'HTTP_REFERER' => 'http://ourwebsite/forum/index.php?PHPSESSID=049518482f96814dc01dd8fef1df4fd1&action=emailuser;sa=email;msg=1490',
  'CONTENT_LENGTH' => '190',
  'CONTENT_TYPE' => 'application/x-www-form-urlencoded',
  'HTTP_COOKIE' => 'PHPSESSID=049518482f96814dc01dd8fef1df4fd1',
  'HTTP_VIA' => '1.1 www.blucomputadores.com.br:3128 (squid/2.6.STABLE21)',
  'HTTP_CACHE_CONTROL' => 'max-age=259200',
  'HTTP_CONNECTION' => 'keep-alive',
  'PATH' => '/usr/local/bin:/usr/bin:/bin',
  'SERVER_SIGNATURE' => '<address>Apache/2.2.16 (Debian) Server at ourwebsite Port 80</address>
',
  'SERVER_SOFTWARE' => 'Apache/2.2.16 (Debian)',
  'SERVER_NAME' => 'ourwebsite',
  'SERVER_ADDR' => '192.168.2.120',
  'SERVER_PORT' => '80',
  'REMOTE_ADDR' => '187.112.244.124',
  'DOCUMENT_ROOT' => '/var/www/ourwebsite,
  'SERVER_ADMIN' => 'webmaster@localhost',
  'SCRIPT_FILENAME' => '/var/www/ourwebsite/forum/index.php',
  'REMOTE_PORT' => '41108',
  'GATEWAY_INTERFACE' => 'CGI/1.1',
  'SERVER_PROTOCOL' => 'HTTP/1.0',
  'REQUEST_METHOD' => 'POST',
  'QUERY_STRING' => 'action=emailuser;sa=email',
  'REQUEST_URI' => '/forum/index.php?action=emailuser;sa=email',
  'SCRIPT_NAME' => '/forum/index.php',
  'PHP_SELF' => '/forum/index.php',
  'REQUEST_TIME' => 1303654234,
  'argv' =>
  array (
    0 => 'action=emailuser;sa=email',
  ),
  'argc' => 1,
  'BAN_CHECK_IP' => '187.112.244.124',
  'REQUEST_URL' => 'http://ourwebsite/forum/index.php?action=emailuser;sa=email',
)
$_POST=array (
  'y_name' => 'Leatrix',
  'y_email' => 'nkjog@uni-miskolc.hu',
  'email_subject' => 'FgMBhtqoPqhdSeTh',
  'email_body' => 'That\'s the best aswner of all time! JMHO',
  'send' => 'Send',
  'msg' => '1490',
  'a59c5d5d9' => 'dba94240db290d46ce7ce0b2052163f6',
)
$_SESSION=array (
  'session_value' => 'dba94240db290d46ce7ce0b2052163f6',
  'session_var' => 'a59c5d5d9',
  'mc' =>
  array (
    'time' => 1303654195,
    'id' => 0,
    'gq' => '0=1',
    'bq' => '0=1',
    'ap' =>
    array (
    ),
    'mb' =>
    array (
    ),
    'mq' => '0=1',
  ),
  'ban' =>
  array (
    'last_checked' => 1303654195,
    'id_member' => 0,
    'ip' => '187.112.244.124',
    'ip2' => '187.112.244.124',
    'email' => '',
  ),
  'log_time' => 1303654233,
  'timeOnlineUpdated' => 1303654196,
  'last_read_topic' => 278,
  'old_url' => 'http://ourwebsite/forum/index.php?PHPSESSID=049518482f96814dc01dd8fef1df4fd1&action=emailuser;sa=email;msg=1490',
  'USER_AGENT' => 'Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.01',
  'register_vv' =>
  array (
    'count' => 1,
    'errors' => 0,
    'did_pass' => false,
    'q' =>
    array (
    ),
    'code' => 'CXWTTR',
  ),
)
backtrace=array (
  0 =>
  array (
    'file' => '/var/www/ourwebsite/forum/Sources/SendTopic.php',
    'line' => 287,
    'function' => 'sendmail',
    'args' =>
    array (
      0 => 'my.email@gmail.com',
      1 => 'FgMBhtqoPqhdSeTh',
      2 => 'That\'s the best aswner of all time! JMHO',
      3 => 'nkjog@uni-miskolc.hu',
      4 => NULL,
      5 => false,
      6 => 1,
      7 => NULL,
      8 => true,
    ),
  ),
  1 =>
  array (
    'file' => '/var/www/ourwebsite/forum/Sources/SendTopic.php',
    'line' => 78,
    'function' => 'CustomEmail',
    'args' =>
    array (
    ),
  ),
  2 =>
  array (
    'function' => 'EmailUser',
    'args' =>
    array (
    ),
  ),
  3 =>
  array (
    'file' => '/var/www/ourwebsite/forum/index.php',
    'line' => 162,
    'function' => 'call_user_func',
    'args' =>
    array (
      0 => 'EmailUser',
    ),
  ),
)



I haven't received any of these in a while, so I haven't been able to see if my fix works. But you guys probably know better about the y_email and y_name fields in $_POST, and what their purpose is.

So yeah that's my bug report :)
« Last Edit: December 04, 2011, 02:29:12 AM by Norv »
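
An added example, not part of the original post and not SMF code: the same tripwire narrowed to guest submissions of the email form, logging only the fields needed for triage instead of full `$_SERVER`/`$_SESSION` dumps. The field names come from the log above; the function names and the use of `$_SESSION['ban']['id_member']` as the guest indicator are assumptions.

```php
<?php
// Added example, not SMF code. Field names come from the logged request above;
// function names and the guest indicator are assumptions.

// True when a guest is submitting the "email a member" form.
function is_guest_email_form_post(array $server, array $post, array $session): bool
{
    $isEmailAction = ($server['REQUEST_METHOD'] ?? '') === 'POST'
        && strpos($server['QUERY_STRING'] ?? '', 'action=emailuser') !== false;
    // Assumption: id_member 0 in the session marks a guest, as in the log above.
    $isGuest = (int) ($session['ban']['id_member'] ?? 0) === 0;
    return $isEmailAction && $isGuest && isset($post['y_email']);
}

// One log line with only the triage fields; control characters are replaced
// so a crafted subject cannot forge extra log lines, and values are capped.
function triage_line(array $server, array $post): string
{
    $clean = static function ($value): string {
        return substr((string) preg_replace('/[\x00-\x1F\x7F]+/', ' ', (string) $value), 0, 200);
    };
    // Constant format string: user data is only ever passed as an argument.
    return sprintf(
        '%s guest-email-form ip=%s via=%s from=%s subject=%s',
        gmdate('c', (int) ($server['REQUEST_TIME'] ?? time())),
        $clean($server['REMOTE_ADDR'] ?? '-'),
        $clean($server['HTTP_VIA'] ?? '-'),
        $clean($post['y_email'] ?? '-'),
        $clean($post['email_subject'] ?? '-')
    );
}

// Constructed sample modelled on the logged request above; the CR/LF in the
// subject is added here to show the sanitising step.
$server = [
    'REQUEST_METHOD' => 'POST',
    'QUERY_STRING'   => 'action=emailuser;sa=email',
    'REQUEST_TIME'   => 1303654234,
    'REMOTE_ADDR'    => '187.112.244.124',
    'HTTP_VIA'       => '1.1 www.blucomputadores.com.br:3128 (squid/2.6.STABLE21)',
];
$post    = ['y_email' => 'nkjog@uni-miskolc.hu', 'email_subject' => "FgMBhtqoPqhdSeTh\r\nfake entry"];
$session = ['ban' => ['id_member' => 0]];

if (is_guest_email_form_post($server, $post, $session)) {
    echo triage_line($server, $post), PHP_EOL;
}
```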

Offline vampi the frog

  • Newbie
  • *
  • Posts: 3
Re: Possible spam vulnerability with 2.0 RC5
« Reply #1 on: May 22, 2011, 11:26:49 AM »
I also need to mention they weren't from the same IP.

Offline emanuele

  • SMF Super Hero
  • *******
  • Posts: 14,156
  • Gender: Male
  • THERE'S JUST ME
Re: Possible spam vulnerability with 2.0 RC5
« Reply #2 on: May 22, 2011, 12:16:05 PM »
Probably you have the "Send topics to friends" permission enabled for guests, and then guests (and spammers too I can assume) can send emails to everybody.


Take a peek at what I'm doing! ;D



Do you need support in Italian?

Help us help you: explain your problem clearly: no, "it doesn't work" is not an explanation!!
1) What you do,
2) what you expect,
3) what you get.

Offline emanuele

  • SMF Super Hero
  • *******
  • Posts: 14,156
  • Gender: Male
  • THERE'S JUST ME
Re: Possible spam vulnerability with 2.0 RC5
« Reply #3 on: May 25, 2011, 04:37:56 AM »
Sorry, I misunderstood your point here, of course it's a potential source of spam.

I submitted a mod to introduce the visual verification, if you would like to test it feel free to send me a PM. :)



Offline Aleksi "Lex" Kilpinen

  • Support Specialist
  • SMF Super Hero
  • *
  • Posts: 16,537
  • Gender: Male
  • Don't worry, I'm n00b friendly
Re: Possible spam vulnerability with 2.0 RC5
« Reply #4 on: May 25, 2011, 05:59:37 AM »
The actual E-mail a member function of SMF 2.0 would sound like the cause -
The url "'http://ourwebsite/forum/index.php?action=emailuser;sa=email'" is exactly for that function.
( The envelope image below people's profiles in topic view that leads to an e-mail form ;) )

The form can be used to send e-mail directly to a user, using the forum's e-mail address, and masking it as your own (the one in your profile).

So, Check your permissions - thoroughly!
A Finnish Support Specialist
 Happily running multiple SMF 2.0 installations.

"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum.
 Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

Offline Illori

  • Project Manager
  • SMF Master
  • *
  • Posts: 48,953
Re: Possible spam vulnerability with 2.0 RC5
« Reply #5 on: May 25, 2011, 06:10:54 AM »
you can also turn off email addresses visible to guests in the admin panel
admin -> security and moderation uncheck allow viewable email addresses and check do not reveal contact details of members to guests

Offline Illori

  • Project Manager
  • SMF Master
  • *
  • Posts: 48,953
Re: Possible spam vulnerability with 2.0 RC5
« Reply #6 on: November 18, 2011, 09:05:45 AM »
is this still an issue?

Offline emanuele

  • SMF Super Hero
  • *******
  • Posts: 14,156
  • Gender: Male
  • THERE'S JUST ME
Re: Possible spam vulnerability with 2.0 RC5
« Reply #7 on: November 19, 2011, 04:17:10 PM »
Quote
The actual E-mail a member function of SMF 2.0 would sound like the cause -
The url "'http://ourwebsite/forum/index.php?action=emailuser;sa=email'" is exactly for that function.

You are indeed right!

But maybe we should put a captcha there too...for guests of course.



Offline Aleksi "Lex" Kilpinen

  • Support Specialist
  • SMF Super Hero
  • *
  • Posts: 16,537
  • Gender: Male
  • Don't worry, I'm n00b friendly
Re: Possible spam vulnerability with 2.0 RC5
« Reply #8 on: November 19, 2011, 11:31:02 PM »
That would be logical, if it can be allowed for guests, then at least make sure guests need some verification.

Offline live627

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 5,272
  • Gender: Male
  • Cat: Destroy!
Re: Possible spam vulnerability with 2.0 RC5
« Reply #9 on: November 19, 2011, 11:34:19 PM »
Or even for members if under a certain post count?
Try not to become a man of success, but rather try to become a man of value.
- Albert Einstein

Offline Aleksi "Lex" Kilpinen

  • Support Specialist
  • SMF Super Hero
  • *
  • Posts: 16,537
  • Gender: Male
  • Don't worry, I'm n00b friendly
Re: Possible spam vulnerability with 2.0 RC5
« Reply #10 on: November 20, 2011, 12:16:45 AM »
I would just tie it to the same setting with post verification. That would let the admin set the post count limits and all.

Offline emanuele

  • SMF Super Hero
  • *******
  • Posts: 14,156
  • Gender: Male
  • THERE'S JUST ME
Re: Possible spam vulnerability with 2.0 RC5
« Reply #11 on: April 29, 2012, 05:05:52 PM »
Added a permission for email users yesterday, so this should be fixed.

