There was an attempt to do a spam exploit on the Feedback module.

Contact needs to be checked for similar weaknesses.

Here are the details:
http://drupal.org/node/29927

Comments

dries’s picture

The contact module checks the recipient's address using valid_email_address(). Would that be enough, or can they exploit the other form fields?

killes@www.drop.org’s picture

All form fields can potentially be exploited.

kbahey’s picture

The exploit relies on putting a newline, followed by a To:, Cc: or Bcc:.

They do a Cc: to a certain address, which gathers info on where the exploits are, possibly for mass spam mailings later.

The solution for feedback was to issue a cryptic error (invalid data in field X) for possible exploits in any field.

It is a bit overzealous in that it does not check for a newline, but this is a sure way to prevent it, no matter what tricks they do.

Perhaps this should go into killes' mail.inc, and can be used to validate any data that is to be emailed. This way anyone using the common mail backend will get that validation for free?

The function that checks for that is like this:

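// Returns true when $data contains a string that could start an injected mail header.
function feedback_check_exploit($data) {
  $bad_strings = array(
    'To:',
    'Cc:',
    'Bcc:',
    'Content-Type:',
    'MIME-Version:',
    'Content-Transfer-Encoding:',
  );

  // stristr() matches case-insensitively, so 'bcc:' and 'BCC:' are caught too.
  foreach ($bad_strings as $str) {
    if (stristr($data, $str)) {
      return true;
    }
  }
  return false;
}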
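
An added example, not part of the thread and not Drupal or Feedback module code: it contrasts the substring blacklist posted above with a check that rejects CR/LF only in fields that are copied into mail headers. The function names, field names and sample submissions are assumptions constructed for illustration.

```php
<?php
// Substring blacklist in the style of feedback_check_exploit() from the thread.
function blacklist_hit($data) {
  foreach (array('To:', 'Cc:', 'Bcc:', 'Content-Type:', 'MIME-Version:',
                 'Content-Transfer-Encoding:') as $str) {
    if (stripos($data, $str) !== FALSE) {
      return TRUE;
    }
  }
  return FALSE;
}

// A value copied into a mail header must stay on one line: reject CR and LF.
function has_line_break($data) {
  return preg_match('/[\r\n]/', $data) === 1;
}

// Returns the names of header-bound fields that contain a line break.
// Fields not listed in $header_fields (e.g. the body) may span several lines.
function mail_field_errors(array $fields, array $header_fields) {
  $errors = array();
  foreach ($header_fields as $name) {
    if (isset($fields[$name]) && has_line_break($fields[$name])) {
      $errors[] = $name;
    }
  }
  return $errors;
}

// Constructed sample submissions (hypothetical field names and addresses).
$samples = array(
  'injected subject' => array(
    'name' => 'Visitor',
    'subject' => "Hello\r\nBcc: collector@example.invalid",
    'body' => 'Hi there',
  ),
  'legitimate text' => array(
    'name' => 'Visitor',
    'subject' => 'Question about the To: field',
    'body' => "Line one\nLine two",
  ),
);

foreach ($samples as $label => $fields) {
  $errors = mail_field_errors($fields, array('name', 'subject'));
  printf("%-17s blacklist(subject)=%-3s line-break errors=[%s]\n", $label,
    blacklist_hit($fields['subject']) ? 'yes' : 'no', implode(', ', $errors));
}
```

On these samples the blacklist flags both subjects, including the legitimate one that merely mentions "To:", while the line-break check flags only the subject carrying the embedded CRLF.
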
killes@www.drop.org’s picture

Priority: Normal » Critical

We need to investigate if this is still an issue. I am afraid it is. My mail.inc would have dealt with it, but since this did not make core, we need to find a solution for 4.7.

killes@www.drop.org’s picture

Status: Active » Closed (duplicate)

Marking as a duplicate of http://drupal.org/node/34002