Re: Mail Injection- Which Mail function Parameters CORRECTED

On Fri, Nov 18, 2005 at 05:06:36PM -0800, Ligaya Turmelle wrote:
> 
> >$message - yes
> >---------------
> >This usually can go without any special escaping, unless you have
> >certain headers (the Boundary: header) or allow an injection into
> >the $additional_headers field.  If this is the case a malicious
> >user could attach a virus to be sent anonymously.
> 
> Shouldn't you also worry about html script tags in the body of an HTML 
> email?  Couldn't a person also use those to send you a nasty "present"?

This is more of a second hand issue, but still valid nonetheless.
Depending on the client that sees the email and the context the
email was sent in, for example:

It is a rather common thing to send two parts, one just plain text
and another one with markup (usually html), and depending on how
the client reads things and displays it to the user, the outcome
could lead to problems.

I usually use the Boundary: header as a good example of how one
could take advantage of non-escaped data, but that doesn't protect
someone from sending some well formed message that might perhaps
do some phishing type thing.


> 
> >
> >$additional_headers - yes
> >-------------------------
> >As with $to, $subject you need to make sure \r and/or \n are
> >removed or escaped properly.  The most common used header is the
> >From header:
> >  
> >  From: "$fromname" <$fromemail>
> >
> >As noted in the $message section, if you don't take care in
> >ensuring this parameter isn't done correctly you could potentially
> >allow the user to set up their own Boundary: header, which then
> >would allow them to freely make whatever attachments they like.
> >
> >Also this is where the open (well pseudo open) relay occurs, if you
> >don't filter things properly, you can open up the CC: and BCC:
> >headers, allowing the person to anonymously send emails.
> 
> why would a person allow a user to input header information on a web 
> form?  That sounds like a HUGE security hole or is there some way I just 
> can't see?

The thing is that they don't realize that it is being allowed. If I
don't protect the variable $fromname from the ability to allow a
\n or \r\n someone could send me something that results in:

$_POST['fromname'] == "your friend\" <me@xxxxx>\r\nBCC: [a list of people]\r\nNull: \"";

Resulting in:

  From: "your friend" <me@xxxxx>
  BCC: [a list of people]
  Null: "" <thefromemail>


and if I want to be tricky I'd slip in a couple of Received: headers
to throw people off the hint of what route the message took. Or
maybe another Subject: header to bypass the previous rules on
subject so I can get the subject I want. 


Curt.
--
null
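The guard the thread keeps circling back to, written out as an added example (this is not code from the original message or from PHP itself; the function names, the `example.com` addresses and the sample inputs are assumptions made for illustration): every user-supplied value that will end up in a header line is checked for CR, LF and NUL before it is used, the address is validated as a single mailbox, and the display name is quoted with embedded quotes and backslashes escaped so it cannot close the quoted string early, which is exactly what the `your friend\" <me@xxxxx>\r\nBCC: ...` payload relies on.

```php
<?php
// Added example, not from the original thread. Names below are assumptions.

// A header value must be a single line: no CR, LF or NUL. Those characters are
// what let an injected value start a new header such as BCC: or Subject:.
function assert_single_header_line(string $value, string $field): string
{
    if (preg_match('/[\r\n\x00]/', $value)) {
        throw new InvalidArgumentException("$field contains a line break or NUL");
    }
    return $value;
}

// Build a "From:" header from a display name and an address.
// The address must validate as one mailbox; the display name is quoted with
// backslashes and double quotes escaped so it cannot terminate the quoted
// string and smuggle in a second address or header.
function build_from_header(string $fromname, string $fromemail): string
{
    $fromname  = assert_single_header_line($fromname, 'fromname');
    $fromemail = assert_single_header_line($fromemail, 'fromemail');

    if (filter_var($fromemail, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('fromemail is not a valid address');
    }
    $quoted = '"' . addcslashes($fromname, "\\\"") . '"';
    return "From: $quoted <$fromemail>";
}

// Constructed inputs (not real data): a benign name, the injection string
// discussed in the thread with constructed addresses, and a name that
// legitimately contains double quotes.
$cases = [
    ['your friend', 'me@example.com'],
    ["your friend\" <me@example.com>\r\nBCC: victim@example.com\r\nNull: \"", 'me@example.com'],
    ['Alice "A" Smith', 'alice@example.com'],
];

foreach ($cases as [$name, $email]) {
    try {
        $header = build_from_header($name, $email);
        // Only a value that survived the checks is safe to hand to mail()
        // as the $additional_headers argument.
        echo "OK:       $header\n";
    } catch (InvalidArgumentException $e) {
        echo "REJECTED: " . $e->getMessage() . "\n";
    }
}
```

Running it, the first and third inputs produce a single well-formed `From:` line (the third one as `From: "Alice \"A\" Smith" <alice@example.com>`), while the second is rejected before any header is assembled. The same single-line check applies unchanged to `$to` and `$subject`; rejecting the request outright is preferable to stripping the characters, because a stripped value can still reassemble into something the author did not intend.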

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php