Possible spam vulnerability with 2.0 RC5

Started by vampi the frog, May 22, 2011, 11:25:41 AM

vampi the frog

Hey guys. I've been running 2.0 for a while, and at some point I started receiving strange emails, which I later determined are sent from the forum, possibly by some fake accounts. The forum is for a small gaming community, so suspicious accounts are immediately visible. Other users have reported the same type of messages in their inbox.

The emails were of the following form:
Quote
From: <random fake address> forum@ourwebsite
Subject: random characters

Some compliments with typos

where forum@ourwebsite is our legitimate forum do-not-reply address (at some point I changed it to forum to check if they're using the forum settings to send spam, and sure enough, they were). That meant they were using some script in the code. I have replaced our website's address with ourwebsite in the following pastes:


To: [email protected]
Subject: FgMBhtqoPqhdSeTh
From: "[email protected]" <forum@ourwebsite>
Reply-To: <[email protected]>
Date: Sun, 24 Apr 2011 14:10:34 -0000
X-Mailer: SMF
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="SMF-f35955c1b47d312d682523c41251c0e6"
Content-Transfer-Encoding: 7bit
Message-Id: <[email protected]>

That's the best aswner of all time! JMHO
--SMF-f35955c1b47d312d682523c41251c0e6
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

That's the best aswner of all time! JMHO
--SMF-f35955c1b47d312d682523c41251c0e6--


So I figured I should log these emails, and I found the sendmail() file in Sources/Subs-Post.php and added some logging functionality. I later added the return false if the y_email field is set (this is my simple solution):


// Send off an email.
function sendmail($to, $subject, $message, $from = null, $message_id = null, $send_html = false, $priority = 3, $hotmail_fix = null, $is_private = false)
{
        // Append one record per call so abusive requests can be traced afterwards.
        $f = fopen("mail-log.txt", "a");
        // fwrite() instead of fprintf(): the user-supplied subject and body may contain '%' sequences
        // that fprintf() would try to interpret as format specifiers.
        fwrite($f, "sendmail -> to=$to, subject=$subject, message=$message, from=$from, message_id=$message_id, priority=$priority, hotmail_fix=$hotmail_fix, is_private=$is_private\n");
        fwrite($f, '$_SERVER=' . var_export($_SERVER, true) . "\n");
        fwrite($f, '$_POST=' . var_export($_POST, true) . "\n");
        fwrite($f, '$_SESSION=' . var_export($_SESSION, true) . "\n");
        fwrite($f, 'backtrace=' . var_export(debug_backtrace(), true) . "\n");
        // Simple fix: refuse to send when the request carries the y_email form field.
        if (isset($_POST['y_email'])) {
                fwrite($f, "Caught spammer!\n");
                fclose($f);
                return false;
        }
        fclose($f);

        // ... rest of the original sendmail() body unchanged ...


Here is what that logged for the example email above:


sendmail -> [email protected], subject=FgMBhtqoPqhdSeTh, message=That's the best aswner of all time! JMHO, from=n[email protected], message_id=, priority=1, hotmail_fix=, is_private=1
$_SERVER=array (
  'HTTP_USER_AGENT' => 'Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.01',
  'HTTP_ACCEPT' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
  'HTTP_HOST' => 'ourwebsite',
  'HTTP_REFERER' => 'http://ourwebsite/forum/index.php?PHPSESSID=049518482f96814dc01dd8fef1df4fd1&action=emailuser;sa=email;msg=1490',
  'CONTENT_LENGTH' => '190',
  'CONTENT_TYPE' => 'application/x-www-form-urlencoded',
  'HTTP_COOKIE' => 'PHPSESSID=049518482f96814dc01dd8fef1df4fd1',
  'HTTP_VIA' => '1.1 www.blucomputadores.com.br:3128 (squid/2.6.STABLE21)',
  'HTTP_CACHE_CONTROL' => 'max-age=259200',
  'HTTP_CONNECTION' => 'keep-alive',
  'PATH' => '/usr/local/bin:/usr/bin:/bin',
  'SERVER_SIGNATURE' => '<address>Apache/2.2.16 (Debian) Server at ourwebsite Port 80</address>
',
  'SERVER_SOFTWARE' => 'Apache/2.2.16 (Debian)',
  'SERVER_NAME' => 'ourwebsite',
  'SERVER_ADDR' => '192.168.2.120',
  'SERVER_PORT' => '80',
  'REMOTE_ADDR' => '187.112.244.124',
  'DOCUMENT_ROOT' => '/var/www/ourwebsite',
  'SERVER_ADMIN' => 'webmaster@localhost',
  'SCRIPT_FILENAME' => '/var/www/ourwebsite/forum/index.php',
  'REMOTE_PORT' => '41108',
  'GATEWAY_INTERFACE' => 'CGI/1.1',
  'SERVER_PROTOCOL' => 'HTTP/1.0',
  'REQUEST_METHOD' => 'POST',
  'QUERY_STRING' => 'action=emailuser;sa=email',
  'REQUEST_URI' => '/forum/index.php?action=emailuser;sa=email',
  'SCRIPT_NAME' => '/forum/index.php',
  'PHP_SELF' => '/forum/index.php',
  'REQUEST_TIME' => 1303654234,
  'argv' =>
  array (
    0 => 'action=emailuser;sa=email',
  ),
  'argc' => 1,
  'BAN_CHECK_IP' => '187.112.244.124',
  'REQUEST_URL' => 'http://ourwebsite/forum/index.php?action=emailuser;sa=email',
)
$_POST=array (
  'y_name' => 'Leatrix',
  'y_email' => '[email protected]',
  'email_subject' => 'FgMBhtqoPqhdSeTh',
  'email_body' => 'That\'s the best aswner of all time! JMHO',
  'send' => 'Send',
  'msg' => '1490',
  'a59c5d5d9' => 'dba94240db290d46ce7ce0b2052163f6',
)
$_SESSION=array (
  'session_value' => 'dba94240db290d46ce7ce0b2052163f6',
  'session_var' => 'a59c5d5d9',
  'mc' =>
  array (
    'time' => 1303654195,
    'id' => 0,
    'gq' => '0=1',
    'bq' => '0=1',
    'ap' =>
    array (
    ),
    'mb' =>
    array (
    ),
    'mq' => '0=1',
  ),
  'ban' =>
  array (
    'last_checked' => 1303654195,
    'id_member' => 0,
    'ip' => '187.112.244.124',
    'ip2' => '187.112.244.124',
    'email' => '',
  ),
  'log_time' => 1303654233,
  'timeOnlineUpdated' => 1303654196,
  'last_read_topic' => 278,
  'old_url' => 'http://ourwebsite/forum/index.php?PHPSESSID=049518482f96814dc01dd8fef1df4fd1&action=emailuser;sa=email;msg=1490',
  'USER_AGENT' => 'Mozilla/5.0 (Windows NT 5.1; U; en) Opera 8.01',
  'register_vv' =>
  array (
    'count' => 1,
    'errors' => 0,
    'did_pass' => false,
    'q' =>
    array (
    ),
    'code' => 'CXWTTR',
  ),
)
backtrace=array (
  0 =>
  array (
    'file' => '/var/www/ourwebsite/forum/Sources/SendTopic.php',
    'line' => 287,
    'function' => 'sendmail',
    'args' =>
    array (
      0 => '[email protected]',
      1 => 'FgMBhtqoPqhdSeTh',
      2 => 'That\'s the best aswner of all time! JMHO',
      3 => '[email protected]',
      4 => NULL,
      5 => false,
      6 => 1,
      7 => NULL,
      8 => true,
    ),
  ),
  1 =>
  array (
    'file' => '/var/www/ourwebsite/forum/Sources/SendTopic.php',
    'line' => 78,
    'function' => 'CustomEmail',
    'args' =>
    array (
    ),
  ),
  2 =>
  array (
    'function' => 'EmailUser',
    'args' =>
    array (
    ),
  ),
  3 =>
  array (
    'file' => '/var/www/ourwebsite/forum/index.php',
    'line' => 162,
    'function' => 'call_user_func',
    'args' =>
    array (
      0 => 'EmailUser',
    ),
  ),
)




I haven't received any of these in a while, so I haven't been able to see if my fix works. But you guys probably know better about the y_email and y_name fields in $_POST, and what their purpose is.

So yeah that's my bug report :)
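As an added defender-side example (not code from the thread or from SMF), the script below triages the "sendmail -> ..." lines that the modified sendmail() above writes to mail-log.txt: it parses each record, flags private user-to-user mails whose subject looks machine-generated like the captured one, and lists Reply-To addresses that recur. The sample log lines, the randomness heuristic and the two-hit threshold are constructed assumptions for this example.

```python
import re
from collections import Counter

# Constructed sample in the format the modified sendmail() above writes
# (addresses and text are made up; the page's own log is redacted).
SAMPLE_LOG = """\
sendmail -> to=victim@example.org, subject=FgMBhtqoPqhdSeTh, message=That's the best aswner of all time! JMHO, from=leatrix@example.net, message_id=, priority=1, hotmail_fix=, is_private=1
sendmail -> to=alice@example.org, subject=Re: raid tonight?, message=Are we still on for 9pm?, from=bob@example.org, message_id=, priority=3, hotmail_fix=, is_private=1
sendmail -> to=carol@example.org, subject=qWxZtRpLmNvBkJhG, message=Great work, thanks!!, from=leatrix@example.net, message_id=, priority=1, hotmail_fix=, is_private=1
"""

LINE_RE = re.compile(
    r"^sendmail -> to=(?P<to>.*?), subject=(?P<subject>.*?), message=(?P<message>.*), "
    r"from=(?P<sender>.*?), message_id=(?P<mid>.*?), priority=(?P<prio>\d+), "
    r"hotmail_fix=(?P<hf>.*?), is_private=(?P<priv>\d)$"
)

def looks_random(subject: str) -> bool:
    # Our heuristic, not SMF's: long, letters-only, no spaces, and the case
    # flips every few characters, like the captured "FgMBhtqoPqhdSeTh".
    s = subject.strip()
    if len(s) < 12 or not s.isascii() or not s.isalpha():
        return False
    flips = sum(1 for a, b in zip(s, s[1:]) if a.isupper() != b.isupper())
    return flips >= len(s) // 3

def triage(log_text: str) -> list:
    # Parse each "sendmail -> ..." record; the $_SERVER/$_POST/$_SESSION dumps
    # between them do not match and are skipped. A record is suspicious when it is
    # a private user-to-user mail (is_private=1, as captured) with a random subject.
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["suspicious"] = rec["priv"] == "1" and looks_random(rec["subject"])
            rows.append(rec)
    return rows

def senders_to_block(rows: list, min_hits: int = 2) -> list:
    # Reply-To addresses (the form's y_email value) seen on >= min_hits suspicious records.
    hits = Counter(r["sender"] for r in rows if r["suspicious"])
    return sorted(addr for addr, n in hits.items() if n >= min_hits)

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print("SPAM?" if r["suspicious"] else "ok", r["sender"], "->", r["to"], r["subject"])
    print("repeat offenders:", senders_to_block(triage(SAMPLE_LOG)))
```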

vampi the frog

I also need to mention they weren't from the same IP.

emanuele

Probably you have the "Send topics to friends" permission enabled for guests, and then guests (and spammers too I can assume) can send emails to everybody.


Take a peek at what I'm doing! ;D




Do you need support in Italian?

Help us help you: explain your problem properly: no, "it doesn't work" is not an explanation!!
1) What you do,
2) what you expect,
3) what you get.

emanuele

Sorry, I misunderstood your point here, of course it's a potential source of spam.

I submitted a mod to introduce the visual verification, if you would like to test it feel free to send me a PM. :)


Aleksi "Lex" Kilpinen

The actual "E-mail a member" function of SMF 2.0 would sound like the cause -
the URL 'http://ourwebsite/forum/index.php?action=emailuser;sa=email' is exactly for that function.
(The envelope image below people's profiles in topic view that leads to an e-mail form ;) )

The form can be used to send e-mail directly to a user, using the forum's e-mail address, and masking it as your own (the one in your profile).

So, check your permissions - thoroughly!
Slava Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Illori

You can also turn off email addresses visible to guests in the admin panel:
Admin -> Security and Moderation: uncheck "Allow viewable email addresses" and check "Do not reveal contact details of members to guests".


emanuele

Quote from: Aleksi "Lex" Kilpinen on May 25, 2011, 05:59:37 AM
The actual "E-mail a member" function of SMF 2.0 would sound like the cause -
the URL 'http://ourwebsite/forum/index.php?action=emailuser;sa=email' is exactly for that function.
You are indeed right!

But maybe we should put a captcha there too...for guests of course.


Aleksi "Lex" Kilpinen

That would be logical, if it can be allowed for guests, then at least make sure guests need some verification.

live627

Or even for members if under a certain post count?

Aleksi "Lex" Kilpinen

I would just tie it to the same setting with post verification. That would let the admin set the post count limits and all.

emanuele

Added a permission for emailing users yesterday, so this should be fixed.
