[nycphp-talk] worm/virus's hammering feedback scripts? POLISHED VERSION
csnyder
chsnyder at gmail.com
Tue Sep 13 10:43:18 EDT 2005
On 9/12/05, Ken Robinson <kenrbnsn at rbnsn.com> wrote:
> At 12:15 PM 9/12/2005, Michael Southwell wrote:
> >I polished this up a bit.
> >
> >IMPORTANT: Ken's original function did not work in my testing,
> >because (1) the \ in \r and \n needed to be escaped, and (2) he had
> >the letter O instead of the numeral 0 in the hex numbers. Somebody
> >smarter than I am, please check carefully the modified version included below.
>
> I'm curious as to why you think that the \ in \r and \n need to be
> escaped? I am really searching for and removing "\n" and "\r"
> characters in the string. In my tests this has worked and prevented
> the spam tests from getting out. The spambots are still hitting the
> one site I've made the modifications on. Their not hitting any of my
> other sites (yet) and I have been working on getting the fix into them.
>
> BTW, I've noticed that they putting their malicious code in any
> and/or all of the posted variables including "submit".
>
> Another attempt I've seen was where the referer was a file I don't
> have. That one was easy to stop.
>
I'm curious as to why we wouldn't just bail out and refuse to send the
email at all if someone posted input with CR or LF in it?
Seems to me that if you have a form with <input type="text"
name="from" /> and you get a multiline $_POST['from'], then somebody
is trying to get away with something.
While not necessarily the case here, sometimes taking out something
bad will create a situation where you're left with something worse.
Sometimes it's better to be conservative and disallow input rather
than try to sanitize it.
--
Chris Snyder
http://chxo.com/
More information about the talk
mailing list