Hey folks...
We've been seeing an increased number of abuse reports and customer complaints about various issues whose root cause has been determined to be one of the PHP scripts on the customer's server being compromised and sending spam.
Many times these scripts have been found to be open to injection, so that a submit form, for example, sends mail not only to the one person specified but also to many others.
You can read more about this vulnerability at:
http://securephp.damonkohler.com/ind...mail_Injection
The above URL has the issue pretty well documented and covers a potential solution. I'm going to summarize below and try to keep it in "English", so forgive me if it seems I'm being very basic with the explanation.
Essentially it would add a mod_security rule to filter out the ability to pass "bcc", "cc", and "to" phrases through the URL bar. It would keep someone from taking a mailer.php form and adding "extra" recipients to it.
The downside is that if you have a script that passes information via URLs (such as http://mydomain.com/script.php?id=tommy or username=ccnnaa), those requests would be blocked too.
mod_security by default would apply this to ALL domains. However, if you wanted one domain to not be protected by mod_security, you could add a directive to the domain's httpd.conf record:
<IfModule mod_security.c>
SecFilterEngine Off
</IfModule>
That would disable ALL mod_security protection for the domain, so be careful using that.
If anyone is interested in trying this out on their server, please feel free to open a support ticket and a tech would be happy to apply this for you. And of course you're welcome to give it a shot adding it yourself. Just open your mod_security.conf file (the location varies depending on your panel), add the extra line, save it, and restart Apache.
If you do try this, please post here with your experiences. I'm interested in knowing how well this would work, possibly in a larger deployment, etc.
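To make the attack and the filter trade-off in the post concrete, here is an added example in Python; it is not code from the original post, from the linked securephp page, or from mod_security itself. It models the mailer.php scenario: a header builder that concatenates user input the way a vulnerable PHP mail() call does, a hardened version that refuses CR/LF, and two request filters run over constructed query strings. The "id=tommy" and "username=ccnnaa" URLs are the post's own examples; the attack query and the e-mail addresses are constructed. The blunt rule that matches "bcc", "cc" or "to" anywhere is my assumption of what the post's rule does, and the tighter rule (header name only after a line break) is an alternative, not something the post proposes.

```python
"""Mail-header injection against a form mailer, and two request filters.

Added example, not from the original post or from the linked page.
"""
import re
from urllib.parse import parse_qs

# Constructed inputs. The attacker submits a "from" field carrying CRLF and an
# extra Bcc header, the pattern that turns a feedback form into a spam relay.
CLEAN_FROM = "visitor@example.com"
INJECTED_FROM = "visitor@example.com\r\nBcc: spam1@example.net, spam2@example.net"
ATTACK_QUERY = ("from=visitor%40example.com%0D%0ABcc%3A+spam1%40example.net%2C"
                "spam2%40example.net&subject=hello")
# The post's own examples of legitimate requests a blunt filter would catch.
LEGIT_QUERIES = ["id=tommy", "username=ccnnaa"]


def build_headers_naive(from_addr: str, subject: str) -> str:
    """Vulnerable: mirrors a PHP mailer that concatenates user input into the
    $headers argument of mail(). CR/LF in either field adds arbitrary headers."""
    return f"From: {from_addr}\r\nSubject: {subject}\r\n"


def build_headers_safe(from_addr: str, subject: str) -> str:
    """Hardened: refuse any CR or LF in a header value before it reaches mail()."""
    for field in (from_addr, subject):
        if re.search(r"[\r\n]", field):
            raise ValueError("CR/LF in header field: mail injection attempt")
    return f"From: {from_addr}\r\nSubject: {subject}\r\n"


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Minimal header parser: accept CRLF, bare LF or bare CR, as MTAs often do."""
    headers: dict[str, list[str]] = {}
    for line in re.split(r"\r\n|\r|\n", raw):
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def extra_recipients(raw_headers: str) -> list[str]:
    """Recipients an MTA would pick up from To/Cc/Bcc lines in the header block."""
    headers = parse_headers(raw_headers)
    found = []
    for name in ("to", "cc", "bcc"):
        for value in headers.get(name, []):
            found.extend(a.strip() for a in value.split(",") if a.strip())
    return found


# Filter 1 (assumed shape of the post's rule): match the words anywhere in any
# argument value. "tommy" contains "to" and "ccnnaa" contains "cc", so both
# legitimate requests are blocked.
NAIVE_RULE = re.compile(r"bcc|cc|to", re.I)

# Filter 2 (alternative): only flag the header name when it follows a line
# break, i.e. when it would actually start a new header line inside the mail.
TIGHT_RULE = re.compile(r"[\r\n]\s*(?:bcc|cc|to)\s*:", re.I)


def _decoded_values(query: str) -> list[str]:
    """URL-decode every argument value (so %0D%0A becomes CR LF) before matching."""
    return [v for vals in parse_qs(query, keep_blank_values=True).values() for v in vals]


def naive_filter_blocks(query: str) -> bool:
    return any(NAIVE_RULE.search(v) for v in _decoded_values(query))


def tight_filter_blocks(query: str) -> bool:
    return any(TIGHT_RULE.search(v) for v in _decoded_values(query))


if __name__ == "__main__":
    print("injected recipients:", extra_recipients(build_headers_naive(INJECTED_FROM, "hi")))
    try:
        build_headers_safe(INJECTED_FROM, "hi")
    except ValueError as exc:
        print("hardened mailer rejected input:", exc)
    for q in LEGIT_QUERIES + [ATTACK_QUERY]:
        print(f"{q[:40]:42} naive={naive_filter_blocks(q)} tight={tight_filter_blocks(q)}")
```

Running it shows the injected Bcc recipients that the naive header builder hands to the MTA, the hardened builder rejecting the same input, and the two filters side by side: the blunt rule blocks both of the post's legitimate URLs along with the attack, while the line-break-anchored rule blocks only the attack. Whatever filter you put in front of the server, the real fix is in the script: never let CR or LF from a form field reach a mail header.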