Hate 'contact us' forms? This PHPmailer zero day will drop shell in sender

Websites using PHPMailer for forms are at risk from a critical-rated remote code execution zero day bug. Legal Hackers researcher Dawid Golunski found the vulnerability (CVE-2016-10074) in the much-used library, found in the world's most popular content management systems and addons. The bug also affects the Zend Mailer and …

  1. Anonymous Coward
    Trollface

    People !

    Shouldn't try to contact me anyway.

  2. Anonymous Coward
    Stop

    Dear BBC....

    why oh why do the makers of these sort of videos insist on ramming their choice of **** music upon us.

    Yours, Mr Angry

  3. Doctor_Wibble
    Facepalm

    Bobby Tables

    Nuff said.

  4. philthane

    (Don't) Contact Us Forms

    More and more companies have removed email addresses and phone numbers from their websites leaving either forms or 'live chat' with an operative who has no clue about the thing that interests you. About 50% of the forms I fill in are never answered, and most of those that are provide the wrong information, or promise to call me but don't. I suspect in most offices the latest intern is given the job of dealing with the forms on a Friday afternoon when no-one else can think of anything for him/her to do. I hope all their damn forms are plagued by malware and disappear for good.

    1. Dan 55 Silver badge
      Flame

      Re: (Don't) Contact Us Forms

      Well you could always broadcast your problem to all and sundry with Twitter or Facebook. You will then be told to take it to direct messaging.

      Why not just answer the damn email in the first place?

      1. Anonymous Coward
        Facepalm

        Re: (Don't) Contact Us Forms

        They want the forms, but they still need an email when someone submits a form, for lack of a better notification protocol. Instead of one flaky mailserver, now they have two or three flaky systems. When any one of them breaks down, you're talking to a brick wall.

        I don't have any brilliant ideas. Email, phones, contact forms, chat boxes, social media - they're all extremely dodgy. Best way to reach someone now is to knock on their door if they're nearby, and if not.... good luck.

        Progress, we've heard of it.

        1. Anonymous Coward
          Anonymous Coward

          Re: (Don't) Contact Us Forms

          They want the forms, but they still need an email when someone submits a form, for lack of a better notification protocol. Instead of one flaky mailserver, now they have two or three flaky systems. When any one of them breaks down, you're talking to a brick wall.

          My contact form punts any submissions (received in https format) straight over to the mail server on the same LAN. It doesn't leave a trace on the web server, and the mail server has quite a few tricks up its sleeve to fight off the usual idiots trying to breach it so they can use it as a spam relay (some attempts of Chinese origin got so persistent we got it blocked at ISP level).

          To make things worse for attackers, all of it runs on FreeBSD with a lot of standard ports like 22 (SSH) set up for tarpitting, because it makes a total mess of any attempt to run nmap on the publicly exposed IP addresses. I rather like being annoying :).

      2. Anonymous Coward
        Anonymous Coward

        Re: (Don't) Contact Us Forms

        Well you could always broadcast your problem to all and sundry with Twitter or Facebook. You will then be told to take it to direct messaging.

        .. and it would force you to sign up to the most harmful T&Cs on this planet. I tend to bounce it off consumer associations - that too makes it public but also amps the pressure to fix it as these organisations tend to report the events as they unfold (and if they don't help there's no point being a member - either way saves money :) ).

  5. AndGregor
    Coat

    Small Business

    Contact forms are still a very good and valid facility for local businesses, they actually want you to contact them. Something bigger companies could learn from. Mine's the one with SmtpClient in the pocket.

    1. Doctor Syntax Silver badge

      Re: Small Business

      "Contact forms are still a very good and valid facility for local businesses"

      Particularly those that include a number for a phone that's answered by someone who knows what they're talking about.

      1. Version 1.0 Silver badge

        Re: Small Business

        Post your phone number as a business and you will find that 90% of your calls are to let you know that your credit card processing rates have changed, your insurance coverage has increased, has decreased, their representatives are in your area with an offer for one day only, new booking rates have become available for hotels, new health insurance is available, your credit card company rates have increased, your credit card processing rates have changed, your insurance coverage has increased, has decreased, their representatives are in your area with an offer for one day only, new booking rates have become available for hotels, new health insurance is available, your credit card company rates have increased, your credit card processing rates have changed, your insurance coverage has increased, has decreased, their representatives are in your area with an offer for one day only, new booking rates have become available for hotels, new health insurance is available, your credit card company rates have increased, your credit card processing rates have changed, your insurance coverage has increased, has decreased, their representatives are in your area with an offer for one day only, new booking rates have become available for hotels, new health insurance is available, your credit card company rates have increased, your credit card processing rates have changed, your insurance coverage has increased, has decreased, their representatives are in your area with an offer for one day only, new booking rates have become available for hotels, new health insurance is available, your credit card company rates have increased, etc., etc.

        That's why we have bots answering the phone.

        1. Anonymous Coward
          Anonymous Coward

          Re: Small Business

          Post your phone number as a business and you will find that 90% of your calls are to let you know that your credit card processing rates have changed [..]

          I found that a message that all calls are recorded seems to reduce the number of sales calls, probably because such is illegal in my country. However, the sh*ts have come up with a different ruse there: they now call from abroad. We're toying with a couple of creative ideas, but that'll have to wait until March or so - too much to do right now.

          1. Anonymous Coward
            Anonymous Coward

            Re: Small Business

            Yes, my wife made the mistake of posting my number on a FB post for people to enquire and I spent a long time fending off calls from energy suppliers. Obviously they have bots that look for any clues that businesses have changed hands.

            It's pretty annoying when you post a number for people to contact you if they want to buy your goods and services and it is swamped by people trying to sell you stuff. Although I have dealt with cold-calls to the landline by having an answering machine with a VIP function (i.e. you enter a code to skip the message and ring the phone) I'm still wondering how to stop a sales enquiry line being abused by such people. What I'd really like to do is create a fake queue....

            *rings*

            Me: "hello, Sales department"

            He: "Hello, I'm calling from EDF energy"

            Me: "Oh hi, I'll transfer you to purchasing"

            *music*

            Bot: "Please continue to hold. You are number ... FOUR ... in the queue"

            *music*

            Bot: "Please continue to hold. You are number ... THREE ... in the queue"

            *music*

            Bot: "Please continue to hold. You are number ... TWO ... in the queue"

            *music*

            Bot: "Please continue to hold. You are number ... ONE ... in the queue"

            *music*

            *click*

            Or would a very rude message be better?

            1. Version 1.0 Silver badge

              Re: Small Business

              Just for my own amusement (I'm in the southern USA) I put on my Burnistoun hat when I get fed up with these people, "Och ye wee bassar, w yu cullin fur, yu cull meh gain un isle slam meh bi dilo dun yer froght"

              Frankly it doesn't help but it does lighten my mood.

            2. Doctor Syntax Silver badge

              Re: Small Business

              Bot: "Please continue to hold. You are number ... FOUR ... in the queue"

              *music*

              Bot: "Please continue to hold. You are number ... FIVE ... in the queue"

              FTFY

            3. Anonymous Coward
              Anonymous Coward

              Re: Small Business

              Or would a very rude message be better?

              It depends on what you want to achieve. If you don't want them to call back, a polite message "we don't buy from call centres, but if you are happy to further waste your time, please press # to be put back in the queue" will probably do. If you want to spend a few moments routing them back into that queue you'll abort it mid sentence "Hello, this is the purchasing department, how <click>" so it sounds like they got through to someone and then lost the call. The uncertainty and the need for a hit is certain to get them back on the phone a second time - they will only realise what is going on when it aborts in the same place the next time.

              All of the above only takes a pre-recorded message anyway so you can pretty much do what you want - and thanks for giving me an extra idea for our voice select system :).

          2. Inachu

            Re: Small Business

            I keep getting sales calls from a robo call using the voice of some old lady speaking in the familiar tone saying, "Why! Hello there!" I never say anything, then the robo call ends.

  6. Blitheringeejit
    Holmes

    Not sure the article is accurate...

    The article seems to imply that this can only be exploited if the form provides a Sender address field (which would be unusual on a contact form), but the proof of concept shows the exploit being crafted into the destination email address on the contact form.

    Which is why incoming form data should ALWAYS be sanitised and validated before doing anything with it! Any decently coded form handler wouldn't fall victim to this, AFAICS.

    1. Anonymous Coward
      Anonymous Coward

      Re: Not sure the article is accurate...

      Which is why incoming form data should ALWAYS be sanitised and validated before doing anything with it! Any decently coded form handler wouldn't fall victim to this, AFAICS.

      That's why we use a generic Open Source CMS. Those tend to get better over time due to volume exposure, whereas a home brew CMS would probably have more weaknesses because we're not really security experts. In general we tend to stick to Joomla plus some extra tricks (MySQL server only talks to local IPs, for instance).

      1. Anonymous Coward
        Anonymous Coward

        Re: Not sure the article is accurate...

        Re: "That's why we use a generic Open Source CMS. Those tend to get better over time due to volume exposure, whereas a home brew CMS would probably have more weaknesses because we're not really security experts."

        BULL EXCREMENT.

        Look at Joomla. Look at how many of their vulnerabilities have been, and continue to be, due to poor input validation.

        Input Validation is "Security for Dummies 101".

      2. Blitheringeejit

        Re: Not sure the article is accurate...

        So writing your own web applications is now called "homebrew CMS"?

        I guess code does manage content, but I prefer to avoid generalised frameworks, which is what I understand by the term "CMS". Libraries are different - eg in this case, where a generic CMS might have a vulnerability to this exploit buried somewhere in thousands of lines of other peoples' code, whereas the PHPMailer library itself is easy to protect with simple validation. I use PHPMailer, but wouldn't dream of passing it any un-validated or un-sanitised user data.

        1. Anonymous Coward
          Anonymous Coward

          Re: Not sure the article is accurate...

          So writing your own web applications is now called "homebrew CMS"?

          Oh dear, did I stir up the Outragists? I was merely illustrating that our guys mainly write code to be used inhouse, and are intelligent enough to know they don't (yet) have the expertise to write code that can handle being exposed to the Big Bad Internet, which is why we opted for Joomla with full support from the IT team - it appears we managed to find people who think with their heads instead of with their ego which means I have to make sure I hang on to them :).

          Is Joomla perfect? Well, no, but show me any platform that is and you can throw the first stone. What IS certain is that any CMS cooked up by our inhouse coders would be certain to be more vulnerable than Joomla, and would thus not only cause an operational risk but also a massive drain on our resources getting it up to standard and keeping it running. It was far more intelligent and efficient to get clued up on Joomla so that they could get on with what pays the bills.

          By way of illustration, I used to work for a company that used the downtime of its coders to develop their own CMS. They blew the equivalent of £100k of internal billable hours (that's a LOT less than what they would have earned on customer work) on getting to v1, and that was just the software. For that money I could have paid someone to set up Joomla, have a corporate template developed and licensed 10 years worth of some extra plugins to make life easy and I would still have had enough money to throw a decent party. But, of course, I suspect that would have exposed that division as being substantially under par on utilisation so they hid that with this exercise.

    2. Marcus Bointon

      Re: Not sure the article is accurate...

      Just a little late follow-up - I'm the maintainer of PHPMailer. Actually it would. PHPMailer validates all addresses it uses automatically - the problem was that the attack string can be a fully valid email address - that's why it got through and why it affected other email libs too. What's safe and valid in an email address isn't necessarily safe in a shell command *even if you escape it*. The exploit example is contrived, but if you don't set a Sender address explicitly it uses the from address, which is normal MUA behaviour (e.g. both Outlook and Apple Mail do it).

      In order to fall victim to this you had to be using the mail() function for sending (PHPMailer's default behaviour, rather than its SMTP client, which is both faster and more flexible), using the form submitter's email address as the from address (which all the PHPMailer docs and examples tell you not to do, because it's forgery and will cause SPF failures), and not set an explicit envelope sender address.

      While I'm sure the PHP critics will say their usual, the same problems were also found in ruby, python, and nodejs mail libraries.
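      The three conditions the maintainer lists above (mail() transport, the submitter's address as From, no explicit envelope sender) map directly onto three settings in a form handler. The following is an added example, not PHPMailer's own code and not from any commenter, showing the configuration that avoids all three while still validating the submitter's address as Blitheringeejit recommends: it assumes PHPMailer 6.x installed via Composer, and the addresses, SMTP host and credentials are placeholders. It also exercises plus addressing (user+tag@host), which is a valid form that home-grown validators often reject.

```php
<?php
// Added example (not PHPMailer's own code): a contact-form handler that keeps
// the site's own addresses in From and the envelope sender, uses SMTP instead
// of mail(), and puts the submitter's address only in Reply-To.
// Assumes PHPMailer 6.x via Composer; all addresses/hosts/credentials are placeholders.
declare(strict_types=1);

require 'vendor/autoload.php';

use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;

// Site-owned addresses come from configuration, never from the submitted form.
const CONTACT_FROM   = 'contact-form@example.com'; // fixed From header (placeholder)
const CONTACT_SENDER = 'bounces@example.com';      // explicit envelope sender / Return-Path (placeholder)
const CONTACT_TO     = 'sales@example.com';        // fixed recipient (placeholder)

/**
 * Accept only a syntactically valid submitter address. filter_var() accepts
 * ordinary RFC-shaped addresses including plus addressing and returns false
 * for anything it cannot parse; PHPMailer::validateAddress() is checked too.
 * Note that "valid" here says nothing about shell safety, which is exactly
 * why the address never reaches the envelope sender below.
 */
function validSubmitterAddress(string $addr): bool
{
    $addr = trim($addr);
    // CR, LF and NUL never occur in a legitimate form address: reject early.
    if (preg_match('/[\r\n\0]/', $addr)) {
        return false;
    }
    return filter_var($addr, FILTER_VALIDATE_EMAIL) !== false
        && PHPMailer::validateAddress($addr);
}

/**
 * Build (but do not send) the notification. Returns null when input is rejected.
 */
function buildContactMail(array $form): ?PHPMailer
{
    $email   = (string) ($form['email'] ?? '');
    $name    = (string) ($form['name'] ?? '');
    $message = (string) ($form['message'] ?? '');

    if (!validSubmitterAddress($email) || $message === '') {
        return null;
    }

    $mail = new PHPMailer(true);            // throw exceptions on failure
    $mail->isSMTP();                        // SMTP client: no sendmail binary, no shell involved
    $mail->Host       = 'smtp.example.com'; // placeholder
    $mail->Port       = 587;
    $mail->SMTPAuth   = true;
    $mail->Username   = 'smtp-user';        // placeholder
    $mail->Password   = 'smtp-password';    // placeholder
    $mail->SMTPSecure = 'tls';

    // From and envelope sender are ours (no forgery, no SPF failures);
    // the submitter is reachable via Reply-To only.
    $mail->setFrom(CONTACT_FROM, 'Website contact form');
    $mail->Sender = CONTACT_SENDER;
    $mail->addReplyTo($email, $name);
    $mail->addAddress(CONTACT_TO);

    $mail->Subject = 'Contact form submission';
    $mail->isHTML(false);
    // Submitter-supplied values appear as data in the body, never as headers.
    $mail->Body = "From: {$name} <{$email}>\n\n" . $message;
    return $mail;
}

// Constructed sample submission (not real data); the plus-addressed mailbox must pass.
$sample = [
    'name'    => 'A. Customer',
    'email'   => 'a.customer+web@example.org',
    'message' => 'Do you have this in blue?',
];

$mail = buildContactMail($sample);
if ($mail === null) {
    echo "submission rejected\n";
} else {
    // Show what goes on the wire: From and Sender are the site's, not the submitter's.
    printf("From: %s\nEnvelope sender: %s\n", $mail->From, $mail->Sender);
    try {
        $mail->send();
    } catch (Exception $e) {
        error_log('Contact form mail failed: ' . $mail->ErrorInfo);
    }
}
```

      Run stand-alone it prints the From and envelope sender (both site-owned) before attempting delivery; a submission whose email field fails validation, or whose message is empty, is dropped before any mailer object is built. Keeping From fixed and Reply-To variable is also what makes SPF and DMARC checks on the receiving side pass.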

  7. Anonymous Coward
    Anonymous Coward

    Companies ripping you off do not want you to contact them

    Companies do not want you to contact them, do not want a record of your concerns, do not want you to ask why your country is allowing a foreign owned or operated industry access to your market. Best for them to have you lost in an automated phone answering system.

    1. Anonymous Coward
      Anonymous Coward

      Re: Companies ripping you off do not want you to contact them

      Companies do not want you to contact them, do not want a record of your concerns, do not want you to ask why your country is allowing a foreign owned or operated industry access to your market. Best for them to have you lost in an automated phone answering system.

      That's what you get when you believe the illusion of "free" service. The longer I watch those scams*, the more I'm starting to think that the contempt they treat their users with is justified (to a degree). You get what you pay for - if you don't like being mistreated, change who you deal with. Whinging in public just makes those companies laugh while you self-identify as a loser*.

      * Yes, I know that's harsh, but my New Year's resolution is cutting the bullshit and ripping out any sort of euphemism inflicted upon us.

      1. This post has been deleted by its author

  8. Inachu

    Remember when putting a "." at the end let people traverse hidden folders on a website?

    Those were the days!

    1. Anonymous Coward
      Anonymous Coward

      Ah yes. I can remember telling people on IRC who posted stuff like "TEACH ME TO HACK" to flood 127.0.0.1 and see them drop offline. Those were the days indeed.

  9. This post has been deleted by its author

    1. andy 103

      Re: Am I just having a bad day

      The article - and most of the comments - are not actually addressing where the exact issue lies. If you go to https://github.com/PHPMailer/PHPMailer and search for addReplyTo I believe the issue is using un-sanitised POST (or form) data there. Not sure exactly how it works but it looks as though you can pass a malicious string to it and then it does its dirty work.

      But then of course why would anyone be passing un-sanitised user form input to *any* PHP function??

      Please clarify if you know better because I - and I guess many others - use this.

      1. Anonymous Coward
        Joke

        Re: Am I just having a bad day

        The issue is how to properly sanitize e-mail addresses. I'm quite sure it often goes this way:

        1) Webby Lamedev writes a sanitizing function without actually having a clue about valid email address formats (reading RFCs is boring), or just copies one he found on StackOverflow (accepted and most upvoted by Webby Lamedev colleagues, but clearly incomplete. Just a little below there's the complete and correct answer, but it is more complex to implement).

        2) B. G. Boss calls because a customer reports they can't use the contact form because their email address isn't accepted (I found many, for example, that don't accept plus addressing. Worse, some forms may accept it for registering on a site, and then don't work for logins; others don't escape the + when putting the email addresses in URLs, which is bad enough itself)

        3) Webby Lamedev furiously searches the web, tries to read the RFC, gives up, then removes the sanitizing code because he couldn't find what he was looking for. After all, what could happen?
