Web Spamming in nashruddin.com » Case Study #1
Several weeks ago, this blog was hacked by a mad (but smart) guy. He injected JavaScript code into my post comments that displayed ugly messages when the page loaded. It didn't harm my data at all, but still, that is something you don't want to see on your site!
My mistake was that I didn't validate the incoming data at all. All data was immediately inserted into the database, with no check for whether it contained illegal code or anything unusual. To make things worse, the newly inserted comment was immediately displayed on the page.
The form and the PHP code look like this:
<?php
if ($_SERVER['REQUEST_METHOD'] == "POST") {
    /* DANGEROUS! NO CHECKING AT ALL!!! */
    $name    = $_POST['name'];
    $email   = $_POST['email'];
    $website = $_POST['website'];
    $comment = $_POST['comment'];

    $sql = "insert into comments " .
           "values ('$name', '$email', '$website', '$comment')";
    $result = $db->query($sql);
}
?>

<form action="<?=__FILE__?>" method="post">
Name: <input type="text" name="name"><br>
Email: <input type="text" name="email"><br>
Website: <input type="text" name="website"><br>
Comment: <textarea name="comment"></textarea><br>
<input type="submit">
</form>
This guy added his comment like this:
Name : FisherSQ7@w.cn
Email : sq7@w.cn
Website: http://w.cn
Comment: <script>alert("Hacked By Fisher762")</script> Go To hell
With my PHP script above, the SQL string would be:
insert into comments
values(
'FisherSQ7@w.cn',
'sq7@w.cn',
'http://w.cn',
'<script>alert("Hacked By Fisher762")</script>Go To hell'
);
which was then inserted into the database successfully, with no error. The problem arises when the comment is loaded. The HTML:
Before:
<div class="comment">
<p><a href="<?=$website?>"><?=$name?></a></p>
<p><?=$comment?></p>
</div>
After:
<div class="comment">
<p><a href="http://w.cn">FisherSQ7@w.cn</a></p>
<p><script>alert("Hacked By Fisher762")</script>Go To hell</p>
</div>
He successfully inserted illegal code into the page, and it displayed an ugly message 'Hacked By Fisher762' every time the page loaded. I had no clue where the popup was coming from until I read the HTML source carefully. Very clever.
How did I solve this
After the incident, I realized that I have to check every input that comes from clients. Like they say, never trust the user's data. So I wrote a function to check incoming data for illegal code, or even anything unusual.
<?php
function is_spamming($text)
{
    $re_spam = array(
        "alert\s*\(",    /* no more alerts */
        "<[^>]*script",  /* no javascripts */
        "<%",            /* no PHP */
        "<[^>]*"         /* even no HTML! */
    );

    $found = 0;
    foreach ($re_spam as $re) {
        $num = preg_match("/$re/i", $text, $matches);
        $found += $num;
    }

    if ($found > 0) {
        return true;
    } else {
        return false;
    }
}

/* insert new comment */
if ($_SERVER['REQUEST_METHOD'] == "POST") {
    /* This is much better, no more (easy) web spamming to this site */
    if (is_spamming($_POST['name']) ||
        is_spamming($_POST['email']) ||
        is_spamming($_POST['website']) ||
        is_spamming($_POST['comment'])) {
        header("Location: http://www.google.com");
        exit;
    }

    $name    = $_POST['name'];
    $email   = $_POST['email'];
    $website = $_POST['website'];
    $comment = $_POST['comment'];

    $sql = "insert into comments " .
           "values ('$name', '$email', '$website', '$comment')";
    $result = $db->query($sql);
}
?>
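The regex list above is a block list: it rejects anything that looks like script or HTML before it reaches the database, but the handler still builds the SQL string by interpolation and the "Before" template still prints the stored text straight into the page. The following is an added example, not the post's own code, showing the other approach to both the rendering problem described under "After:" and the fix above: store the comment verbatim with a PDO prepared statement (so the values are never part of the SQL text) and escape with htmlspecialchars() only at output time, so whatever was stored is displayed as text rather than interpreted. It uses an in-memory SQLite database to run stand-alone (PHP 7.0 or later with the pdo_sqlite extension); the table layout, the helper names and the two sample rows are constructed for this example.

```php
<?php
// Added example, not the post's own code: the comment handler with the stored
// text never interpreted, neither by the database nor by the browser.
// Uses an in-memory SQLite database via PDO so it runs stand-alone; the table
// layout and the sample rows below are constructed for this example.

/** Escape for HTML text and quoted attribute values. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Escaping alone is not enough for an href: only absolute http(s) URLs are
 * accepted for the commenter's link; anything else becomes a harmless "#".
 */
function safe_href(string $url): string
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return '#';
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : '#';
}

/** Insert with bound parameters: the values are data, never part of the SQL text. */
function insert_comment(PDO $db, string $name, string $email, string $website, string $comment): void
{
    $stmt = $db->prepare(
        'INSERT INTO comments (name, email, website, comment)
         VALUES (:name, :email, :website, :comment)'
    );
    $stmt->execute([
        ':name'    => $name,
        ':email'   => $email,
        ':website' => $website,
        ':comment' => $comment,
    ]);
}

/** The "Before" template from the post, with every interpolation escaped at output time. */
function render_comments(PDO $db): string
{
    $html = '';
    foreach ($db->query('SELECT name, website, comment FROM comments ORDER BY id') as $row) {
        $html .= '<div class="comment">' . "\n"
               . '<p><a href="' . h(safe_href($row['website'])) . '">' . h($row['name']) . '</a></p>' . "\n"
               . '<p>' . h($row['comment']) . '</p>' . "\n"
               . '</div>' . "\n";
    }
    return $html;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    name TEXT, email TEXT, website TEXT, comment TEXT)');

// Constructed sample rows: the comment quoted in the post, then a legitimate
// comment containing source code, posted under a name with an apostrophe.
insert_comment($db, 'FisherSQ7@w.cn', 'sq7@w.cn', 'http://w.cn',
    '<script>alert("Hacked By Fisher762")</script> Go To hell');
insert_comment($db, "O'Brien", 'ob@example.invalid', 'http://example.invalid',
    'Try: if (a < b) { alert("smaller"); }');

echo render_comments($db);
```

Run it with the PHP CLI. The first row comes out inside its <p> as `&lt;script&gt;alert(&quot;Hacked By Fisher762&quot;)&lt;/script&gt; Go To hell`, which the browser displays literally because no script element is ever created. The second row is stored and shown exactly as typed, even though the is_spamming() list above would have rejected it twice over (on `alert(` and on the bare `<`), and the apostrophe in the name, which the post's interpolated insert string could not have stored without a query error, is handled by the bound parameter without any special treatment.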
Keywords: web spamming, hacking, code injection, php, javascript
Add your comment
Hi
Thanks for this post. I am adding a self-coded user input form to my site and wanted to know how to stop people doing nasty stuff.
Coding is not that hard, well it is, and a noble art, but a guy wanted to charge me $100 for what is free from you. THX
The problem with this code is that it will prevent others from sending source code to your blog, as a comment. IMHO, it would be better if submitting code is allowed, but, will only be displayed, instead of executing it.
Yes, the script will disallow any HTML and JavaScript code, and so others can't send source code as a comment. Maybe next time I will add support for posting source code. Thanks
Hello guys,
I'm sorry about that, and good work fixing your bug.
byee