password protection [sic] bypassed;-( (77 posts)

  1. churchtown
    Member
    Posted 8 years ago #

    Have already suffered an actual 'email injection' breach because I was unaware that WP-ContactForm v1.1 needed to be updated to v1.4.3 (for WP2.0.1). Bad Behavior v1.2.4 is now also active, it's currently 412'ing the continuing email injection attempts. MySQL is filling up.

    Hoping to quash the current takeover activities, I have implemented the password protection [sic] feature on the contact form's static page. Another static page called 'password' shows a simple cryptic clue to the password - i.e. it'll stop robots/scripts but not people.

    The logs show nice people going through the password area and on to the contact form.

    The logs show nasty scripts completely ignoring ie bypassing the password area and implementing the POST directly.

    How is this allowed!? More importantly what may I do to defend my WordPress sites?

  2. whooami
    Member
    Posted 8 years ago #

    http_post is how it's allowed, and yes, ppl can use http_post from another server. It's just like any other form that uses http_post.

    I just looked at the sent headers on Ryan's demo, and I have a suggestion...

    At the very least, in lieu of him implementing some sort of check to make sure it's ONLY being called from the domain it's installed on (yes that can and ought to be done).. a quick and dirty fix would be a simple referer check:

    RewriteCond %{HTTP_REFERER} "!^http://www.your-domain.com/.*$" [NC]
    RewriteCond %{REQUEST_URI} ".*contact.php$"
    RewriteRule .* - [F]

    Adding that to your .htaccess will prevent someone from using http_post (99.9% of the time) to call the form remotely. They could spoof the referer but it's more work than the typical spammer is going to do.

    Like I said, ideally ALL of these scripts should be written to check the referer. I use a secure contact script that does so -- it's not that hard to do.

    -------

    Btw, this is the same way most comment spam occurs. Those aren't ppl hitting your site; they are scripts, being run from remote servers or boxes, and it's simpler to check that referer, and yet it's typically not done. I do do it, however.

  3. c0y0te
    Member
    Posted 8 years ago #

    Whoami - what secure contact script do you use? Can you link it please? Thanks.

  4. churchtown
    Member
    Posted 8 years ago #

    So the password vector is largely pointless or just simply irrelevant?

    I had already hinted to the WP-ContactForm author about my own perceived need for at least a rudimentary paper trail check...

    Was trying the .htaccess vector but only half got it right.;~/ A moderate improvement to your suggestion would be to use [F,L] and not just [F]. '[L]ast' breaks any further local processing which might otherwise confuse things.

    I'm curious and would like to see your secure contact script too...;~)

  5. churchtown
    Member
    Posted 8 years ago #

    whooami: That .htaccess clause did not work against the criminals nor in my own telnet experiments with and without the Bad Behavior module loaded. I should surely be able to do a simple REFERER check on these POST attempts!? Assistance to effect this would be appreciated as I fear it is a matter of time before they realise or stumble upon a workaround;~/

  6. whooami
    Member
    Posted 8 years ago #

    churchtown,

    it would certainly be easier to help if I knew the page that I was supposed to be helping with. That way EYE can test.

  7. churchtown
    Member
    Posted 8 years ago #

    whooami: Is there a private messaging (eg member to member) facility here on this forum over which I can pass you the details?

  8. whooami
    Member
    Posted 8 years ago #

    ctown, drop me a note via the contact page on my site @ http://www.village-idiot.org and i will be more than happy to help :)

  9. churchtown
    Member
    Posted 8 years ago #

    whooami: intro now in your (love-mail) box;~)

  10. c0y0te
    Member
    Posted 8 years ago #

    whooami - any chance you can link to this so-called secure contact form? Is this a WP plugin?

  11. churchtown
    Member
    Posted 8 years ago #

    coyote: whooami might be busy, she hasn't yet got in contact. From my own fumblings I have since dropped my use of WP-ContactForm (Ryan seems content to leave blocking to the Bad Behavior plugin); adopted and later dropped my use of the PXS Mail Form which is a WP-ContactForm derivative (the author has not yet responded to either of my entries on his contact blog); and lastly have adopted a seemingly more secure form referenced in another WP thread:
    http://wordpress.org/support/rss/topic/60629
    This *may* be the more secure form to which whooami alludes. I am trying it out at the moment - with and without the Bad Behavior plugin.

  12. whooami
    Member
    Posted 8 years ago #

    Hi Robert,

    I haven't forgotten about you -- unfortunately my 4 day work schedule is kicking my ***. I did get both emails and will have a look this coming friday. Hopefully, you can have something that works by the middle of my weekend. :)

  13. churchtown
    Member
    Posted 8 years ago #

    whooami: Appreciated;~)

    The Custom Contact Me/Us plugin is still a bit twitchy, which seems to reflect its active development, but has appeared to do its stuff so far. However a bunch of remote POSTs were made overnight while this plugin was in operation. Bad Behavior trapped them as similarly it has been doing for the previous pair of plugins.

    Despite my lack of programming experience/knowledge it appears to me that it all might be more to do with how easily the http_post thingummy of WP's is used/misused rather than the effective security precautions fashioned by any plugin ie WordPress core code?

    For my own part I've noticed that the perpetrators seem to be getting tired/bored/disinterested or are running out of IPs. Alternatively perhaps they are pretending to be so for some nefarious purpose being cooked up. I am ensuring that they at least are forced to use fresh IPs on each sortie by locking out those IPs used to attack my sites. Have been doing this for some weeks now and if they ever want to put their heads above the parapet I would like to thank them for helping me to populate my own server's personal RBL, before blowing their heads off.

    ----best wishes, Robert

  14. churchtown
    Member
    Posted 8 years ago #

    The perpetrating bots are back;~/

    At the moment I have Bad Behaviour offline so I don't specifically know if it's the same bunch but, at a guess, it's the same deviants. The Custom Contact Me/Us plugin is active. I've configured it to redirect on success to the home page blindly (OK it's a bit tough on naive visitors but I'm feeling slightly tough at the moment). As it goes back to the home page when the plugin detects a 'bad un' they aren't getting so much intelligence on each strike wave. Am experimenting with variations on the various .htaccess files.

    Would somebody **PLEASE** fill me in on this http_post mechanism that they have been using so effectively these last few weeks;~| Maybe I can cobble together something to blow up in their faces.

    ----best wishes, Robert

  15. whooami
    Member
    Posted 8 years ago #

    I've explained in a nutshell what you need to do.. rather than worry about whether or not it's a post, do this, for the time being:

    ## Things only called from this server

    RewriteCond %{HTTP_REFERER} "!^http://www.good.org/.*$" [NC]
    RewriteCond %{REQUEST_URI} ".*contact.php$"
    RewriteRule .* - [F]

    Since you said in your email to me that you are running multiple domains, you will need to adjust that accordingly. And remember to fill in the good.org and contact with the real names.

    This will keep anyone from accessing the particular page without having your site in their referer. This includes http_posts and http_gets.

    if you want to allow another domain to be a referer, you merely add another similar line like so:
    RewriteCond %{HTTP_REFERER} "!^http://www.good.org/.*$" [NC]
    RewriteCond %{HTTP_REFERER} "!^http://www.2-good.org/.*$" [NC]
    RewriteCond %{REQUEST_URI} ".*contact.php$"
    RewriteRule .* - [F]

    ... adding a third would be done the same way.

    -----------

    as for what I pasted in my first reply, that should work also. however this last bit of code, I know works since it's exactly what I use on my own site.

  16. whooami
    Member
    Posted 8 years ago #

    here is just another idea. Has anyone writing these plugins considered sending the http_post off to another page, rather than posting to $PHP_SELF or _self? That's another very simple way of obfuscating the actual page that contains the http_post.

  17. churchtown
    Member
    Posted 8 years ago #

    They are NOT accessing the page, so there's no point in my attempting to stop them accessing the (contact) page.

    AFAIK they don't go anywhere near it or anywhere else on my site(s). They simply slam in a POST command via this http_post thingummy. All the usual WP commenting traps and safety stuff is of no use as *the page is never accessed*. They are just slamming in a blind POST... well, that's how I see it.

    I've sleuthed around and the http_post thingummy is nothing specifically to do with WP, it seems it's PHP stuff in my Apache server that is called upon to perform (possibly by something known as cURL) by http_post via the POST command.

    Here are my (largely useless) .htaccess lines (which haven't stopped my incoming POSTs)...

    RewriteCond %{HTTP_REFERER} !^http://.*.mysite.com/wordpress/wp-content/plugins/custom-contact/custom-contact-email.php$ [NC]
    RewriteCond %{REQUEST_METHOD} ^POST$
    #RewriteCond %{REQUEST_POST} .*.php
    RewriteRule .* - [F,L]

  18. whooami
    Member
    Posted 8 years ago #

    they are accessing the page. they're accessing it remotely. You are misunderstanding how it works.

    simple.php contains a form that sends info -- it might be a guestbook entry, it might be an email. It does NOT matter. Forms send data via an http_post.

    http_posts can be sent from anywhere. I can write a simple script, that will auto-populate any fields your form requires and send an http_post from MY server to yours.

    The form resides on the page, therefore I AM accessing the page.

    That's the entire idea behind writing forms that send their particular http_post off to ANOTHER page.

  19. whooami
    Member
    Posted 8 years ago #

    I'll show you exactly what I mean.

    Click this link:

    http://www.village-idiot.org/vi-comment.php

    You CANNOT submit ANY comments to my site unless your referer matches what I want. vi-comment.php contains the form responsible for sending comments.

    If it were NOT for what I have done, comment submission could be done remotely also.

  20. vkaryl
    Member
    Posted 8 years ago #

    I just want you to know, whooami, that I have learned more about this sort of thing from reading your posts in this thread than I did after a week of reading stuff in hundreds of places "otherwhere" online.

    Thanks.

  21. churchtown
    Member
    Posted 8 years ago #

    I'm not talking about comments... everything is fine with comments. Comments have to have their pages, so to speak, accessed and your suggestions work properly for comment pages.

    This is all about the contact page area. Unfortunately, as the hackers have found out, their bots do NOT have to actually access the contact page or go anywhere near it. And so all the comment page protections are inappropriate. As they don't need to go anywhere near the contact page then conventional REFERER protection is equally irrelevant.

    I spent an hour or two researching what this might mean.
    This might explain a thing or two to a programmer:

    http://www.faqts.com/knowledge_base/view.phtml/aid/15705/fid/2

    <?php

    function HTTP_Post($URL, $data, $referrer = "") {

        // parsing the given URL
        $URL_Info = parse_url($URL);

        // Building referrer
        if ($referrer == "") // if not given use this script as referrer
            $referrer = $_SERVER["SCRIPT_URI"];

        // making string from $data
        $values = array();
        foreach ($data as $key => $value)
            $values[] = "$key=" . urlencode($value);
        $data_string = implode("&", $values);

        // Find out which port is needed - if not given use standard (=80)
        if (!isset($URL_Info["port"]))
            $URL_Info["port"] = 80;

        // building POST-request (buffer initialised so .= does not warn):
        $request = "";
        $request .= "POST " . $URL_Info["path"] . " HTTP/1.1\n";
        $request .= "Host: " . $URL_Info["host"] . "\n";
        $request .= "Referer: $referrer\n";
        $request .= "Content-type: application/x-www-form-urlencoded\n";
        $request .= "Content-length: " . strlen($data_string) . "\n";
        $request .= "Connection: close\n";
        $request .= "\n";
        $request .= $data_string . "\n";

        $fp = fsockopen($URL_Info["host"], $URL_Info["port"]);
        if (!$fp)
            return false; // connection failed
        fputs($fp, $request);
        $result = "";
        while (!feof($fp)) {
            $result .= fgets($fp, 128);
        }
        fclose($fp);

        return $result;
    }

    $output1 = HTTP_Post("http://www.server1.com/script1.php", $_POST);
    $output2 = HTTP_Post("http://www.server2.com/script2.php", $_POST);

    ?>

    Only thing is it doesn't tell me how I might stop it;~| It's late g'night.

    ----best wishes, Robert

  22. Chris_K
    Member
    Posted 8 years ago #

    I'm no PHP guru, but that looks like it builds up an HTTP POST or two when it's all said and done. Which needs a target page.

  23. neon
    Member
    Posted 8 years ago #

    Have you tried the PXS Mail form plugin?

    http://www.phrixus.co.uk/pxsmail/

  24. churchtown
    Member
    Posted 8 years ago #

    neon: yes...
    http://wordpress.org/support/topic/61091?replies=23#post-331103
    It's been a long day&night and it's now 2.40am here... g'night.

  25. neon
    Member
    Posted 8 years ago #

    Sorry, churchtown, apparently I'm blind. Nite. :)

  26. whooami
    Member
    Posted 8 years ago #

    For starters, I realize what I pasted was specific to comments. BOTH use an http_post.

    ----------

    // Building referrer
    if($referrer=="") // if not given use this script as referrer
    $referrer=$_SERVER["SCRIPT_URI"];

    -----

    Basically that snippet does 2 things, and pay close attention when I say this: THEY ARE ACCESSING THE PAGE (once again, THEY ARE JUST DOING IT REMOTELY)

    1. it allows a blank referer
    2. takes a blank referer and makes the script the referer.

    Therefore, the http_post appears to be coming from your site, when in fact, it might not. THEREFORE, a simple .htaccess rule prohibiting such access will be circumvented.

    To get around that what needs to be done is this:

    contact.php contains:

    <form method="post" action="this-actually-processes-data.php">

    and an .htaccess rule that blocks ALL access to this-actually-processes-data.php unless it comes from contact.php

    NOT just your domain, but the actual referring page -- The ONLY PAGE that should be calling it.

    Do you follow?

    And I've already suggested that these scripts are written like that above.

    If you want a VERY simple contact script that uses that sort of set-up, then try out the one that podz uses. The name escapes me, and I am at work so I cannot hunt for it. It has a simple ban function, domain checking AND uses a secondary page to actually parse the data within the submitted form.

    sc-contact, or something like that. I'm sure podz can pipe in with the name.

  27. whooami
    Member
    Posted 8 years ago #

    my apologies as I'm at work so I wasn't able to look real well .. however..

    referrer=$_SERVER["SCRIPT_URI"]; is the name of the script the remote user IS using.

    That is not to say that the domain referer cannot be spoofed in other ways.

  28. whooami
    Member
    Posted 8 years ago #

    churchtown, I plan on asking via email also, but in the event you read this before your email -- it would help me immensely if I could see a day or 2's worth of your raw server logs from Apache -- and obviously I need them to include hits to your contact form, ie the page in question.

    To that note, also, just to reinforce what I have been saying all along, look again at the script you pasted; the last 2 lines state

    $output1=HTTP_Post("http://www.server1.com/script1.php",$_POST);

    script1.php in this example is ANY insecure FORM on a page.

    Surfing the web is made up of a series of http_posts and http_gets; forms happen to use http_posts. Accessing the form requires accessing the page.

  29. churchtown
    Member
    Posted 8 years ago #

    whooami:

    I feel a little embarrassed, you did say you wanted to work on this later in the week maybe at the weekend;~/

    The snippet above was just something I tripped over in my trawling of the net to derive some intelligence about what was, strike that, IS being perpetrated on my WP sites through their contact pages.

    I have now tried two iterations of Ryan's plugin (WP-ContactForm and PXS Mail Form) and am now on my third flavour of contact facility - the Custom Contact Me/Us plugin.

    Have seen no difference to the incoming POSTs other than initial breach suffered under Ryan's early v1.1 which was later plugged with v1.4.3. In case these bots are able to continue to use the other (previously installed) contact form mechanisms I have moved them out of reach of the web.

    The Custom Contact Me/Us plugin contains a page access timing element (anti-flood protection?) and I had it set to 30secs. Overnight several POSTs were lodged on the same sites from the same IP that were spaced just a few seconds apart. Perhaps the page access timing element thing isn't working (I've now set it to 180secs). Perhaps the bots just aren't accessing the pages...

    My access logs carry only these POST entries. Perhaps the bots are using a command line entry system that has an internal REFERER element to get around the .htaccess check. Nevertheless the logs are showing no other page accesses than the single POST entries.

    The blog sites virtual domains' .htaccess files carry the precise blocking REFERER check you have suggested and also those of my own. I must point out that these .htaccess clauses are not working;~/

    These POSTs continue to be lodged blindly. I call them blindly because it doesn't seem to matter what flavour of contact page my sites are carrying because they really don't seem to look at any of my pages. You call it being remotely accessed. Fine, I will happily defer to your experience;~)

    I would like to completely arrest these remote access connections to the point where these POST entries don't even appear in my logs. Three changes of contact page plugin later, with the addition of the REFERER checking .htaccess clause you've suggested, I see absolutely no change in what these people and their bots are perpetrating on my WP sites.

    In short I have made no progress in this thread at beating the current machinations of these criminals and their nefarious activities on my WP sites' contact mechanisms.

    ----best wishes, Robert
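The two checks this thread circles around, whooami's Referer rule and Robert's observation that the bot POSTs show up in the logs with no other page access from the same address, as an added example run over constructed Apache combined-format log lines. This is not code from the thread or from any plugin named in it; the protected host, the form page path, the handler path and the ten-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumed values (not from the thread): protected host, form page, handler script, GET window.
GOOD_HOST = "www.good.org"
FORM_PAGE = "/contact/"
HANDLER = "/wp-content/plugins/custom-contact/custom-contact-email.php"
WINDOW = timedelta(minutes=10)

# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

def parse(line):
    # one log line -> dict of fields, or None if it is not in combined format
    m = LOG_RE.match(line)
    if m is None:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return e

def referer_ok(referer):
    # the .htaccess idea: Referer must name our own host (case-insensitive, like [NC])
    return referer.lower().startswith("http://" + GOOD_HOST + "/")

def classify(lines):
    """Map (ip, HH:MM:SS) of every POST to the handler onto a verdict."""
    last_get = {}  # ip -> time the form page was last fetched from that address
    verdicts = {}
    for raw in lines:
        e = parse(raw)
        if e is None:
            continue
        if e["method"] == "GET" and e["path"] == FORM_PAGE:
            last_get[e["ip"]] = e["ts"]
        elif e["method"] == "POST" and e["path"] == HANDLER:
            fetched = last_get.get(e["ip"])
            saw_form = fetched is not None and e["ts"] - fetched <= WINDOW
            if not referer_ok(e["referer"]):
                verdict = "blocked: bad referer"  # what the RewriteRule would 403
            elif not saw_form:
                verdict = "suspicious: referer ok but form page never fetched"
            else:
                verdict = "ok"
            verdicts[(e["ip"], e["ts"].strftime("%H:%M:%S"))] = verdict
    return verdicts

# Constructed log lines (documentation IPs, made-up timestamps), not real traffic.
SAMPLE_LOG = [
    # a visitor who loads the form and then submits it
    '203.0.113.5 - - [10/Oct/2006:13:55:36 +0000] "GET /contact/ HTTP/1.1" 200 5120 "http://www.good.org/" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2006:13:56:10 +0000] "POST /wp-content/plugins/custom-contact/custom-contact-email.php HTTP/1.1" 302 0 "http://www.good.org/contact/" "Mozilla/5.0"',
    # a blind POST with no Referer: the Referer rule alone catches it
    '198.51.100.7 - - [10/Oct/2006:14:01:02 +0000] "POST /wp-content/plugins/custom-contact/custom-contact-email.php HTTP/1.1" 302 0 "-" "curl/7.15"',
    # a blind POST with a plausible Referer: only the "was the form ever fetched" check notices
    '198.51.100.8 - - [10/Oct/2006:14:01:05 +0000] "POST /wp-content/plugins/custom-contact/custom-contact-email.php HTTP/1.1" 302 0 "http://www.good.org/contact/" "Mozilla/4.0"',
]
```

Run classify(SAMPLE_LOG) to get the three verdicts; the last sample line is the case whooami warns about, a Referer that passes the rule, and it is only the missing GET of the form page that gives it away.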

  30. churchtown
    Member
    Posted 8 years ago #

    whooami----
    Sorry, I missed your text (I never actually looked) I thought your time zone was behind us and I haven't had enough caffeine yet. Yes, of course, I will cobble together some raw material. Are you a PC or a MAC person?
    ----best wishes, Robert

Topic Closed

This topic has been closed to new replies.
