On Tue, February 21, 2006 12:19 pm, cKc Consultants wrote: > An email form that uses a simple server side php code to send the > variable > values managed to send: Here is a stripped-down version of what happened: YOUR BAD CODE: <?php if (isset($email)){ //This next line blindly embeds the user input "$email" //into the headers of an email message. //This pretty much turns your server into a spam-factory. //Don't do that! mail('ckccnslt@xxxxxxxxxxxxxxxxxx', "From Web", $message, "From: $email"); } ?> <form action="hackable.php" method="post"> Your Email: <input name="email"><br /> Your Message: <textarea name="message" wrap="virtual" cols="20" rows="10"></textarea><br /> <input type="submit" name="hack_me" value="send us email"> </form> Here is a crude script specifically crafted to abuse the above page. You can assume the spammers are a bit more sophisticated than this. <?php $hack_data = "Content-Type: multipart/alternate;\r\n..."; $post_vars = "email=$hack_data&message=&hack_me=send+us+email"; $data_len = strlen($post_vars); $socket = fsockopen("http://example.com", 80); fwrite($socket, "POST /hackable.php HTTP/1.0\n"); fwrite($socket, "Host: example.com\n"); fwrite($socket, "Content-length: $data_len\n"); fwrite($socket, $post_vars); ?> > Content-Type: multipart/alternative; >> boundary=5c7c7e682d991e8ec1f6825582ea2103 >> MIME-Version: 1.0 >> Subject: round a rock by way of anchorage >> bcc: charieses329@xxxxxxx >> >> This is a multi-part message in MIME format. >> >> --5c7c7e682d991e8ec1f6825582ea2103 >> Content-Type: text/plain; charset=\"us-ascii\" >> MIME-Version: 1.0 >> Content-Transfer-Encoding: 7bit >> >> system expict th time is >> --5c7c7e682d991e8ec1f6825582ea2103-- >> > > This appears between responses to "$msg.=" and shouldn't be something > the > user could see. In order to figure out how to prevent this, I need to > know > how it was done. I know I need to validate the email address more > closely, > but I'm curious as to what created this. I've found some interesting > articles on the web, but nothing seems to deal with this issue. > Pointing me > in the right direction would be appreciated! Having the above kind of junk in the message body itself is not really a huge huge problem -- And it's almost impossible to avoid it without crippling the legitimate input for a message BODY. Buuuuuuuuuuuuuuuuuuuuuuut: An email address, which you are splicing into the HEADERS as the fourth argument to PHP's http://php.net/mail function should *NOT* have any kind of crap like this in it. In fact, if an email contains a newline, you can pretty much assume the user is a spammer trying to abuse your script to do Evil Things... Actually, a "real" user might manage to have a leading/trailing newline when they paste an email address into a web form. Amened the preceding statement to: If an email contains an embedded newline, they are a spammer. So, to secure your mail() script do this: $email = trim($_REQUEST['email']); if (strstr($email, "\n")){ die("spammer"); } //now it's "safe" to send the email. You also should sanitize the input for $subject since that ALSO gets spliced into the headers of an email. You could, perhaps, perform additional validation upon $email, looking for a specific format involving @ and "dots" and so forth -- but be warned that you are likely to inadvertantly reject valid email addresses, and are guaranteed to accept worthless email addresses no matter how rigorous your validation... So I personally don't think it's wise to attempt to validate an email address as syntactically valid "email address" for a simple form mail. But then, I've been burned by a BUNCH of web-sites that reject MY email address as "invalid" and am biased by that. :-) -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php