Ravens PHP Scripts: Forums
 

 

VinDSL
Life Cycles Becoming CPU Cycles
Joined: Jul 11, 2004
Posts: 614
Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com

PostPosted: Mon Dec 19, 2005 7:51 am

I've been playing around with the PHP-Nuke Feedback and Recommend Us modules for the last couple of weeks. LoL! Yeah, I know -- real exciting stuff... Dance-Stick

The reason I got involved with this is because of a recent rash of pesky PHP mailheader injections in all sorts of web apps. Basically, spammers are using the mail forms on various web site programs to send out spam, e.g. sending out their spam using your mail forms.

I haven't really heard of this happening on PHP-Nuke sites, but you can't be too careful, you know? Why risk the chance of having your web host suspend your account for spamming, et cetera?

The Feedback module wasn't too bad to work with. I added a subject field, while I was at it -- which always bugged me (that is, the lack thereof). The Recommend Us module was total garbage! I ended up gutting it and using the modified Feedback module as a template.

If you want to take 'em for a spin...

Feedback: http://www.lenon.com/modules.php?name=Feedback

Recommend Us: http://www.lenon.com/modules.php?name=Recommend_Us

The email addies are now validated for compliance with RFC2822 guidelines, checked for 'bad input', such as 'Content-Type:', 'bcc:','to:','cc:', html tags, yada, yada, yada...

Anybody interested in this sort of stuff? If so, I'll work up a distro. I haven't tried them with anything other than 6.5, but they should be a drop-in for most versions...

_________________
.:: "The further in you go, the bigger it gets!" ::.
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona

PostPosted: Mon Dec 19, 2005 8:21 am

VinDSL, security is ALWAYS a good thing. I'd be interested. I wonder if Raven would be interested in swapping out the core nuke modules with these in his RavenNuke76?

Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088

PostPosted: Mon Dec 19, 2005 9:45 am

Vin, I would be VERY interested in including these in my RavenNuke76. Let me know your thoughts on that and when I can have them Wink
 
Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam

PostPosted: Mon Dec 19, 2005 10:01 am

Both those areas have always been something of a concern for me so, anything that can increase security in those areas is definitely a good thing.
 
montego

PostPosted: Mon Dec 19, 2005 10:51 am

Guardian2003 wrote:
Both those areas have always been something of a concern for me so, anything that can increase security in those areas is definitely a good thing.


Yeah, I get from time-to-time on one of my domains a spam feedback and I keep tracking down the IP addresses and blocking them. Haven't seen one in awhile so maybe I finally "caught" the bugger... Smile
 
VinDSL

PostPosted: Mon Dec 19, 2005 9:35 pm

Cool!

I'm too tired to work up a distro tonight. I've been up for 29 hours, as we 'speak', but I ZIPed the index files and put them in my FTP area. Take a look, and see what you think. I patched the email validator, when I got home from work, so it's catching more addies than it was earlier today... Wink

(update below)


Last edited by VinDSL on Tue Dec 20, 2005 8:26 pm; edited 1 time in total 
Raven

PostPosted: Mon Dec 19, 2005 11:37 pm

Got them. Are they ready for prime time?
 
technocrat
Life Cycles Becoming CPU Cycles
Joined: Jul 07, 2005
Posts: 511

PostPosted: Tue Dec 20, 2005 12:40 pm

We were going to add the gfx code to them in Evo to help stem that. Might want to ponder that.

VinDSL

PostPosted: Tue Dec 20, 2005 1:41 pm

Raven wrote:
Got them. Are they ready for prime time?

Well... I've been playing around with them for a couple of weeks. I've done a lot of (casual) research on email injections, trying to figure out how spammers are 'bouncing' mails off PHP mail forms and studying the countermeasures that ppl are employing. There is a LOT of information about email injections on the web because everyone is basically using the same code -- regardless of the app. I finally got these modules to the point where I'm happy enough with the results to offer them up for public preview.

You were asking, in another thread, what ppl would like to see in future releases of RavenNuke76. My suggestion was adding security measures to the Feedback & Recommend Us forms.

LoL! Then I started thinking... I'm still running PHP-Nuke 6.5 Final... So, I decided to 'roll my own', so to speak.

Personally, I'm confident enough to run them as-is on my production site. So, yes, I would say they're ready for prime time. However, I'm sure that I will add more to them, such as the 'gfx code' technocrat mentioned above. I think that's an excellent idea!!! And, that's exactly the kind of comment[s] I was soliciting!

Put another way, I would say they're ready for prime time, but not a finished product, as with all things Nuke... Smile
 
VinDSL

PostPosted: Tue Dec 20, 2005 1:41 pm

technocrat wrote:
We were going to add the gfx code to them in Evo to help stem that. Might want to ponder that.

Yes! Excellent idea! Thanks! Wink
 
technocrat

PostPosted: Tue Dec 20, 2005 1:49 pm

NP, that's why I am here Smile
 
VinDSL

PostPosted: Tue Dec 20, 2005 10:34 pm

Here's a 'nightly' for you, if you will... Wink

ftp://ftp.lenon.com/modules-Secure_Feedback_Recommend_Us_DSL_1.0.8.zip

I cleaned up the code, turned the forms into a function, '\n' & '\r' are now detected with magic quotes enabled, and made it so bad input is wiped from the field[s] on refresh, et cetera...

Edit: I've spent an hour throwing everything I could think of at these modules, Raven, and they just flat work. With the exception of doing a graphic check in the future, I think it's a wrap.

The only thing I'm worried about, doing the gfx_check thing, is creating some sort of incompatibility between different versions of Nuke. Maybe the best way would be to do a proprietary check, like a subset of Fetch, or whatever. Hrm... gonna have to think about that for a while!

Anyway, I think the holes are plugged in Feedback & Recommend Us. Heh! A (non-Nuker) buddy of mine has been trying to bust them all day, and he's a pretty smart, albeit devious, cookie!
 
technocrat

PostPosted: Wed Dec 21, 2005 9:10 am

You could check for the functions, if not there do it yourself. Even a simple random alphanumeric string with no gfx should slow them down some.

Here is the final snippet of the email validation regex you might find useful
Code:
    <?php
    // Building blocks of an RFC 822 addr-spec, written as hex escapes so the
    // character classes are unambiguous.
    define('REGEXP_EMAIL_QTEXT', '[^\\x0d\\x22\\x5c\\x80-\\xff]');
    define('REGEXP_EMAIL_DTEXT', '[^\\x0d\\x5b-\\x5d\\x80-\\xff]');
    define('REGEXP_EMAIL_ATOM', '[^\\x00-\\x20\\x22\\x28\\x29\\x2c\\x2e\\x3a-\\x3c\\x3e\\x40\\x5b-\\x5d\\x7f-\\xff]+');
    define('REGEXP_EMAIL_QUOTED_PAIR', '\\x5c[\\x00-\\x7f]');
    define('REGEXP_EMAIL_DOMAIN_LITERAL', "\\x5b(".REGEXP_EMAIL_DTEXT."|".REGEXP_EMAIL_QUOTED_PAIR.")*\\x5d");
    define('REGEXP_EMAIL_QUOTED_STRING', "\\x22(".REGEXP_EMAIL_QTEXT."|".REGEXP_EMAIL_QUOTED_PAIR.")*\\x22");
    define('REGEXP_EMAIL_SUBDOMAIN', "(".REGEXP_EMAIL_ATOM."|".REGEXP_EMAIL_DOMAIN_LITERAL.")");
    define('REGEXP_EMAIL_WORD', "(".REGEXP_EMAIL_ATOM."|".REGEXP_EMAIL_QUOTED_STRING.")");
    define('REGEXP_EMAIL_DOMAIN', REGEXP_EMAIL_SUBDOMAIN."(\\x2e".REGEXP_EMAIL_SUBDOMAIN.")*");
    define('REGEXP_EMAIL_LOCAL_PART', REGEXP_EMAIL_WORD."(\\x2e".REGEXP_EMAIL_WORD.")*");
    // Full pattern: local-part "@" domain, anchored at both ends; "!" is the PCRE delimiter.
    define('REGEXP_EMAIL', "!^".REGEXP_EMAIL_LOCAL_PART."\\x40".REGEXP_EMAIL_DOMAIN."$!");

    // Abort the request if the submitted address does not match.
    if (!preg_match(REGEXP_EMAIL, $email)) {
        die();
    }


It will validate all email addresses against RFC822 standards
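One way to put the two halves of this thread together, as an added example that is neither the thread's code nor the DSL modules: an address check in the spirit of the regex above, plus the CR/LF and header-keyword checks VinDSL describes for the form fields. All function names are mine, and the address pattern is a deliberately simplified atom-only form of the RFC addr-spec (no quoted strings or domain literals).

```php
<?php
// Added example, not from the thread or the DSL modules. Function names and the
// simplified address pattern are assumptions made for this illustration.

function has_header_injection($value) {
    // Undo magic_quotes_gpc escaping (PHP < 5.4) so an escaped "\n" is still
    // seen as a newline; on newer PHP the function is gone and this is skipped.
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // A raw line break ends the current mail header and lets a new one begin.
    if (preg_match('/[\r\n]/', $value)) {
        return true;
    }
    // Belt and braces: header names that would redirect or re-type the message.
    // With line breaks already rejected they cannot reach the header block, but
    // the thread's modules refuse them outright, so this does too.
    $bad = array('content-type:', 'mime-version:', 'bcc:', 'cc:', 'to:');
    $lower = strtolower($value);
    foreach ($bad as $token) {
        if (strpos($lower, $token) !== false) {
            return true;
        }
    }
    // HTML tags have no business in a plain-text feedback field.
    return $value !== strip_tags($value);
}

function is_valid_email($email) {
    // Simplified addr-spec: dot-separated atoms on both sides of "@". The atom
    // class is the same one the regex in the thread uses.
    $atom = '[^\\x00-\\x20\\x22\\x28\\x29\\x2c\\x2e\\x3a-\\x3c\\x3e\\x40\\x5b-\\x5d\\x7f-\\xff]+';
    $re = "/^{$atom}(\\.{$atom})*@{$atom}(\\.{$atom})+\$/";
    return !has_header_injection($email) && preg_match($re, $email) === 1;
}

// Returns null when the submission is clean, otherwise the name of the bad field.
function check_feedback_input($email, $subject, $message) {
    if (!is_valid_email($email))        return 'email';
    if (has_header_injection($subject)) return 'subject';
    if (has_header_injection($message)) return 'message';
    return null;
}

// Constructed samples: a clean submission and one carrying a Bcc: header.
var_dump(check_feedback_input('user@example.com', 'Hello', 'Nice site'));           // NULL
var_dump(check_feedback_input("user@example.com\r\nBcc: x@example.net", 'Hi', '')); // "email"
```

Because the guard rejects the whole field rather than stripping the offending bytes, the form can show the visitor an error and clear the field, which is the behaviour VinDSL describes for the 1.0.8 build.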
 
Raven

PostPosted: Wed Dec 21, 2005 9:39 am

Can we get this resolved quickly guys? I really want to include this stuff in v2.0.0 of RavenNuke76. Thanks!
 
All times are GMT - 6 Hours
 