PHP Mail Script Exploits


Robert
01-04-2006, 02:36 PM
Hey folks...

We've been seeing an increased number of abuse reports and customer complaints regarding various issues that have been determined to have a root problem in one of the php scripts on their server being compromised and sending spam.

Many times these scripts have been found to have injection capabilities to make a submit form for example not only send mail to the one person specified, but also many others.

You can read more about this vulnerability at:
http://securephp.damonkohler.com/index.php/Email_Injection

The above URL has the issue pretty well documented and covers a potential solution. I'm going to summarize below and try to keep it in "english", so forgive me if it seems I'm being very basic with the explanation.

Essentially it would add a mod_security rule to filter out the ability to pass "bcc", "cc", and "to" phrases through the URL bar. It would keep someone from taking a mailer.php form and adding "extra" recipients to it.

The downside to this is if you have a script that posts information via URLs (such as http://mydomain.com/script/php?id=tommy or username=ccnnaa), this would be blocked.

mod_security by default would apply this to ALL domains. However, if you wanted one domain to not be protected by mod_security, you could add a directive to the domain's httpd.conf record:

<IfModule mod_security.c>
SecFilterEngine Off
</IfModule>

That would disable ALL mod_security protection for the domain, so be careful using that.

If anyone is interested in trying this out on their server, please feel free to open a support ticket and a tech would be happy to apply this for you. And of course you're welcome to give it a shot adding it yourself. Just open your mod_security.conf file (the location varies depending on your panel), add the extra line, save it, and restart Apache.

If you do try this, please post here with your experiences. I'm interested in knowing how well this would work possibly in a larger deployment, etc.

ndndixie
01-04-2006, 04:27 PM
Would it block things such as the login on CMS's?

Fred
01-04-2006, 04:36 PM
Hi,

good warning, it can happen to anyone :)
Small site, big site...
Here is a thread I made a long time ago here:
http://forums.deftechgroup.com/showthread.php?t=702

It's exactly what you are talking about. I stopped the attack just in time. The bot or spammer found that the script was vulnerable by doing a lot of tests, one of them worked. A mail was sent to a mail address, I believe it was the spammer's email address. He needs to know if it worked ;)
Later, the same week, the contact script was bombed with requests... Happy that it wasn't vulnerable anymore ... :)

There are a lot of threads about that problem on cpanel forums... But most of them are full of "how can, what if" ... so it's a bit hard to read and find good info... There seem to be two ways to work with it. Exim rules... or mod_sec rules... Imo, I believe mod_sec rules are better.

For the part about mod_sec rules... I think it's better to only block bcc ( and cc if really needed ).
Blocking "to" is a bit too much... I think that would block so many scripts...
And from what I've read on cpanel forums and wht forums, most of these exploits use bcc...

Also, as far as I know, mod_sec rules aren't case-sensitive... :)
SecFilterSelective ARGS_VALUES ".*([Cc][Cc]|[Bb][Cc][Cc]|[Tt][Oo])[[:space:]]*\:.*\@"

Izzy
01-04-2006, 05:39 PM
... Also, as far as i know, mod_sec rules isn't case-sensitive... :)
SecFilterSelective ARGS_VALUES ".*([Cc][Cc]|[Bb][Cc][Cc]|[Tt][Oo])[[:space:]]*\:.*\@"

Not case sensitive means you don't need to filter for case-sensitive rules. So bcc and cc will block all cases as in Robert's post. In fact just bcc in the rule will cover them all also.
SecFilter "bcc:"

I agree with your 'to' rule being somewhat over the top ;). It would pose too many issues in a hosting situation, which often is not taken into consideration when security sites issue recommendations unless they specifically mention hosting boxes.

:)

Robert
01-05-2006, 09:38 AM
It should not block logins to CMS or anything else generally. The only reason it might is if the script passes the information in a crappy way (i.e. via the URL bar) instead of through the headers.

Most scripts don't use the URL for passing authenticating data, because it can be recorded by the server you last visited (as the exit agent), and because the data could be bookmarked and the login passed around without ever really entering a password via the website (say, for example, someone looks in my history and sees http://www.domain.com/script.php?login=robert&pass=supersecure&date=today).

If someone would like to try adding a BCC block to the mod_security rules, let us know how testing goes. If you want us to set this up for you, just contact support and reference this thread.

ndndixie
01-05-2006, 10:10 AM
writing support now......you have way too much free time on your hands. :P

charles
01-05-2006, 10:14 AM
writing support now......you have way too much free time on your hands. :P

Mmmh. I can fix that.

sdjl
01-05-2006, 10:30 AM
I set up bcc and cc filtering before I transferred over any of my accounts :)
I have lots of attempts to send emails via forms on several of my accounts, which is why I have it set up.

Whilst I can control the scripts that I write to not allow any injection attempts, some of my other users might not know how to do this.

Interesting thing to note about this, WHM doesn't show the logs for some reason. However, looking in the /var/log/httpd/audit_log file shows all of the attempts made.
Most of the attempts at the moment are trying to use wget or _vti_bin.

I can post some logs if anyone wants to have a look :)

David

Fred
01-05-2006, 11:29 AM
But... I'm thinking about it now... and guys, we should block BCC in POST too... not only in the URL parameters... For example, my experience with this bot/spammer was with a contact.php that uses POST... it doesn't make any difference for the bot... it will use POST instead of GET...

jasonyu
01-05-2006, 02:51 PM
Spent some time last week looking for a secure contact form script. DodosMail claims security against header injection -- good if you just want something that works and don't want to mess with any kind of server configs.

http://www.regretless.com/scripts/scripts.php#dodosmail

Robert
01-05-2006, 04:54 PM
Free time? HA!!

Time is money and that ain't free. :)

Fred
01-05-2006, 08:00 PM
hi again,

now, I think I understand the params of mod_sec better...
Here are the rules I wrote:
SecFilterSelective ARGS "bcc:" chain
SecFilter "[A-Z0-9._%-]+@[A-Z0-9._%-]+.[A-Z]{2,4},x20[A-Z0-9._%-]+@[A-Z0-9._%-]+.[A-Z]{2,4},x20[A-Z0-9._%-]+@[A-Z0-9._%-]+.[A-Z]{2,4}" "deny,log,status:406"

Will it work?? The problem is I don't want to block one or two bcc... three is too much.

I also learned that ARGS will scan GET and POST ... :)

Fred
01-05-2006, 08:14 PM
I think we could use it as a monitoring tool to be sure everything is fine:
SecFilterSelective ARGS "bcc:" chain
SecFilter "[A-Z0-9._%-]+@[A-Z0-9._%-]+.[A-Z]{2,4}" "allow,log"

or this could be a good thing if it works...
SecFilterSelective ARGS "bcc:" chain
SecFilter "[A-Z0-9._%-]+@[A-Z0-9._%-]+.[A-Z]{2,4}" "allow,log,exec:/some_script_path/warning_bcc.sh"

And in the warning_bcc.sh we mail the warning to the admin ... It would be a good way to know what's going on ... and be notified as soon as possible of an attack...

Do you think it will work ?

Fred
01-05-2006, 10:38 PM
Sorry for flooding this thread... :)
Here's the rule, that is *tested and working*:

SecFilterSelective ARGS "bcc:" chain
SecFilter "[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,4}\,\x20[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,4}\,\x20[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,4}" "deny,log,status:406"


ARGS will scan GET and POST... bcc will catch BCC and bcC or every variant... mod_sec is case-insensitive... and 406 is the "Not Acceptable" code... It blocks every BCC which has more than two mail addresses...

But I wonder if they write something like:
bcc: email@email.com
bcc: email2@email.com
bcc: email3@email.com
Will the mails be sent? Or do mail headers accept only one bcc line?

Sorry again for the thread flooding :)
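As an added illustration (example code written for this page, not code from the thread, from mod_security or from any of the posters), the following Python script emulates what the rules discussed above would do to a form submission: Robert's cc/bcc/to filter, Izzy's plain "bcc:" match, and Fred's tested chained rule that requires three comma-separated addresses, applied to both GET and POST parameters the way ARGS does. It also adds one narrower check of my own, matching a header name only when it follows a CR or LF, since an injected header needs a new line; that check is an assumption, not something the thread proposes. The regexes are Python translations of the posted rules and the sample submissions are constructed.

```python
import re
from urllib.parse import parse_qs

# Python re translations of the mod_security 1.x rules posted in this thread.
# Written for this example; they are not the mod_security rules themselves.
ADDR = r"[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,4}"
# Robert's rule: cc, bcc or to, then ':' and an '@' somewhere after it.
# It has no word boundary, so 'reply to: x@y.com' in a message body fires too.
HEADER_FIELD_RE = re.compile(r"(cc|bcc|to)\s*:.*@", re.IGNORECASE)
# Izzy's shorter rule: the literal 'bcc:' anywhere in a value.
BCC_LITERAL_RE = re.compile(r"bcc:", re.IGNORECASE)
# Second half of Fred's chained rule: three addresses separated by ", ".
THREE_ADDRS_RE = re.compile(rf"{ADDR},\x20{ADDR},\x20{ADDR}", re.IGNORECASE)
# Added narrower check (assumption, not from the thread): a header name only
# starts a new header when it follows a CR or LF, which is what injection needs.
CRLF_HEADER_RE = re.compile(r"[\r\n]\s*(cc|bcc|to)\s*:", re.IGNORECASE)


def args_from_request(query_string, post_body):
    """Merge GET and POST parameters into one dict, as mod_security's ARGS does."""
    args = {}
    for raw in (query_string, post_body):
        for key, values in parse_qs(raw, keep_blank_values=True).items():
            args.setdefault(key, []).extend(values)
    return args


def check_request(args):
    """Return (rule, parameter) pairs for every rule that would fire on this request."""
    hits = []
    for key, values in args.items():
        for value in values:
            if HEADER_FIELD_RE.search(value):
                hits.append(("header_field", key))
            if CRLF_HEADER_RE.search(value):
                hits.append(("crlf_header", key))
    # Fred's chained rule: 'bcc:' must match AND three addresses must match,
    # each anywhere in the request, mirroring the two chained SecFilter lines.
    all_values = [v for vs in args.values() for v in vs]
    if any(BCC_LITERAL_RE.search(v) for v in all_values) and any(
        THREE_ADDRS_RE.search(v) for v in all_values
    ):
        hits.append(("bcc_three_addresses", "*"))
    return hits


def status_for(args, blocking_rules=("bcc_three_addresses", "crlf_header")):
    """406 'Not Acceptable' if a blocking rule fired (Fred's deny action), else 200."""
    fired = {rule for rule, _ in check_request(args)}
    return 406 if fired & set(blocking_rules) else 200


# Constructed sample submissions (not captured traffic).
LEGIT_POST = "name=Tommy&email=tommy%40example.com&message=Hello+there"
INJECTED_POST = (
    "name=Tommy&email=tommy%40example.com%0Abcc%3A+a%40example.net%2C+"
    "b%40example.net%2C+c%40example.net&message=spam"
)
# A legitimate body that Robert's 'to' filter would block, as Fred and Izzy warned.
REPLY_TO_POST = "message=Please+reply+to%3A+bob%40example.org"

if __name__ == "__main__":
    samples = (("legit", LEGIT_POST), ("injected", INJECTED_POST), ("reply-to", REPLY_TO_POST))
    for label, body in samples:
        args = args_from_request("id=tommy", body)
        print(label, status_for(args), check_request(args))
```

Running it shows the trade-off the posters describe: the injected submission trips every rule, the ordinary form and a plain `?id=tommy` query trip none, and a message containing "reply to: bob@example.org" trips only the broad "to" filter, which is why the thread settles on blocking "bcc" rather than "to".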