Tuesday, January 19, 2016

Content Management Systems are a prime base camp for triggering malicious activity. These CMSs are commonly used by people who do not have much experience with coding or scripting. Attackers publish a handful of "useful" components for these CMSs, and people with little or no coding knowledge install them without inspecting what they actually do. To make spamming easy, such components include mailing scripts that send out tons of spam e-mail from your domain.

Using an outdated core or outdated components also victimizes the domain owner. These components have serious security holes that let intruders gain access to the filesystem and trigger malicious activity. Whenever an update is available, please apply it as soon as possible.

PHP's mail() function is one of the ways to send out anonymous/spoofed e-mail. In our case it is commonly used behind "contact us" web forms. Such a mail form effectively acts as a mail relay for whoever fills it in: the function takes ([RECIPIENT], [SUBJECT], [MESSAGE], [EXTRAHEADERS], [EXTRAPARAMS]) as parameters, and the extra-headers argument is usually built from form input. There are numerous additional fields that can be specified in the mail headers, for example 'Cc' (Carbon Copy), which sends a copy of the message to the e-mail addresses given as arguments, and 'Bcc' (Blind Carbon Copy), which sends a copy just like 'Cc' but without the addresses appearing in the delivered message.

By entering hexadecimal (URL-encoded) characters in a form field, such as %0D%0A for a carriage return and line feed, attackers are able to add line breaks and spaces, and everything after a line break is treated by the mail server as a new header. So a string entered in a form field such as "Your Email" can result in a carbon copy of the e-mail being sent to recipient@someothersite.xxx and a blind carbon copy being sent to victim2@victimsdomain.xxx and victim3@victimsdomain.xxx.

Many sites let visitors "email this page to a friend" or "contact us" through a web form; the resulting e-mail gently suggests "visit our website" on behalf of the user who filled in the form with their personal e-mail address. Even though the subject and the message are hardcoded, there is still a way to inject headers: the visitor-supplied address goes straight into the From or Reply-To header, and any line break inside it starts a new header.
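The injection described in the two paragraphs above, as an added example that is not part of the original post: it builds the kind of URL-encoded value an attacker would submit in the "Your Email" field (reusing the placeholder addresses from this post), shows the headers a contact form that pastes that field into mail()'s extra-headers argument would hand to the mail server, and then the validation that rejects it. The form-handling code and the function names are assumptions made for the example, not the provider's own contact form.

```php
<?php
// Added example (not part of the original post): how a line break smuggled
// into the "Your Email" field becomes extra mail headers, and the check that
// stops it. The form-handling code and function names are assumptions made
// for the example, not the provider's own contact form.

// Constructed attacker input, exactly as a browser would post it: %40 is "@",
// %0D%0A is a carriage return plus line feed, %3A is ":" and %2C is ",".
// The placeholder addresses are the ones used in the post above.
$posted = 'attacker%40example.com%0D%0A'
        . 'Cc%3A%20recipient%40someothersite.xxx%0D%0A'
        . 'Bcc%3A%20victim2%40victimsdomain.xxx%2C%20victim3%40victimsdomain.xxx';

// PHP performs this decoding for you when it fills $_POST, so by the time a
// contact form reads $_POST['email'] the raw CR/LF characters are already there.
$yourEmail = urldecode($posted);

// The vulnerable pattern: the submitted address is pasted straight into the
// extra-headers string that the form would pass as mail()'s 4th parameter.
function buildHeadersUnsafe(string $fromField): string
{
    return "From: " . $fromField . "\r\n";
}

// The hardened version: accept only a single bare address. FILTER_VALIDATE_EMAIL
// already fails on CR, LF, spaces and embedded header lines; the explicit CR/LF
// check is belt-and-braces so the intent is obvious to the next reader.
function buildHeadersSafe(string $fromField): ?string
{
    if (preg_match('/[\r\n]/', $fromField)) {
        return null;                       // refuse to send; worth logging
    }
    $clean = filter_var($fromField, FILTER_VALIDATE_EMAIL);
    if ($clean === false) {
        return null;
    }
    return "From: " . $clean . "\r\n";
}

// List the header field names a mail server would see in a header block, in order.
function headerNames(string $headers): array
{
    $names = [];
    foreach (explode("\r\n", $headers) as $line) {
        if ($line !== '' && strpos($line, ':') !== false) {
            $names[] = substr($line, 0, strpos($line, ':'));
        }
    }
    return $names;
}

$unsafe = buildHeadersUnsafe($yourEmail);
echo "Vulnerable form passes these headers to mail(): ",
     implode(', ', headerNames($unsafe)), "\n";

$safe = buildHeadersSafe($yourEmail);
echo "Hardened form: ", ($safe === null ? "rejected the submission" : $safe), "\n";

echo "Hardened form with a normal address: ", buildHeadersSafe('user@example.com');
```

Run it with php from the command line: the vulnerable build yields a From header followed by the injected Cc and Bcc, which is exactly what the mail server would act on, while the hardened build returns null for the injected value and only produces a From header for a plain address. The same rule applies to every form field that ends up in a header, not only the address: subject lines need the CR/LF check too.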

To completely eliminate the possibility of the PHP mail() function being exploited, we will be disabling this function on our servers. For sending e-mail, use PHPMailer with SMTP authentication instead, which means every message is tied to a mailbox login rather than to whatever a web form submits. A sample script is given below.


<?php
// PHPMailer sample: send through an authenticated SMTP session instead of mail().
// Adjust the require line to where PHPMailer lives on your account
// (PHPMailerAutoload.php for PHPMailer 5, or Composer's vendor/autoload.php).
require 'PHPMailerAutoload.php';

$mail = new PHPMailer();

$mail->IsSMTP();                                      // set mailer to use SMTP
$mail->Host = "mail.yourdomain.com";                  // specify main and backup server
$mail->SMTPSecure = "tls";                            // STARTTLS on the submission port
$mail->Port = 587;
$mail->SMTPAuth = true;                               // turn on SMTP authentication
$mail->Username = "youremailid@domain.com";           // SMTP username
$mail->Password = "yourpassword";                     // SMTP password

$mail->From = "youremailid@domain.com";
$mail->FromName = "Mailer";
$mail->AddAddress("myname@myname.com", "My Name");    // name is optional
$mail->AddReplyTo("info@example.com", "Information");

$mail->WordWrap = 50;                                 // set word wrap to 50 characters
$mail->IsHTML(true);                                  // set email format to HTML

$mail->Subject = "Here is the subject";
$mail->Body    = "This is the HTML message body <b>in bold!</b>";
$mail->AltBody = "This is the body in plain text for non-HTML mail clients";

if (!$mail->Send()) {
   echo "Message could not be sent. <p>";
   echo "Mailer Error: " . $mail->ErrorInfo;
   exit;
}

echo "Message has been sent";

Please feel free to submit a ticket if you need help.

We will disable it on Wednesday, January 20, 2016 at 04:00 a.m. (EST).