On Tue, February 21, 2006 12:19 pm, cKc Consultants wrote:
> An email form that uses a simple server side php code to send the
> variable
> values managed to send:
Here is a stripped-down version of what happened:
YOUR BAD CODE:
<?php if (isset($email)){
//This next line blindly embeds the user input "$email"
//into the headers of an email message.
//This pretty much turns your server into a spam-factory.
//Don't do that!
mail('ckccnslt@xxxxxxxxxxxxxxxxxx', "From Web", $message, "From:
$email");
} ?>
<form action="hackable.php" method="post">
Your Email: <input name="email"><br />
Your Message: <textarea name="message" wrap="virtual" cols="20"
rows="10"></textarea><br />
<input type="submit" name="hack_me" value="send us email">
</form>
Here is a crude script specifically crafted to abuse the above page.
You can assume the spammers are a bit more sophisticated than this.
<?php
$hack_data = "Content-Type: multipart/alternate;\r\n...";
$post_vars = "email=$hack_data&message=&hack_me=send+us+email";
$data_len = strlen($post_vars);
$socket = fsockopen("http://example.com";, 80);
fwrite($socket, "POST /hackable.php HTTP/1.0\n");
fwrite($socket, "Host: example.com\n");
fwrite($socket, "Content-length: $data_len\n");
fwrite($socket, $post_vars);
?>
> Content-Type: multipart/alternative;
>> boundary=5c7c7e682d991e8ec1f6825582ea2103
>> MIME-Version: 1.0
>> Subject: round a rock by way of anchorage
>> bcc: charieses329@xxxxxxx
>>
>> This is a multi-part message in MIME format.
>>
>> --5c7c7e682d991e8ec1f6825582ea2103
>> Content-Type: text/plain; charset=\"us-ascii\"
>> MIME-Version: 1.0
>> Content-Transfer-Encoding: 7bit
>>
>> system expict th time is
>> --5c7c7e682d991e8ec1f6825582ea2103--
>>
>
> This appears between responses to "$msg.=" and shouldn't be something
> the
> user could see. In order to figure out how to prevent this, I need to
> know
> how it was done. I know I need to validate the email address more
> closely,
> but I'm curious as to what created this. I've found some interesting
> articles on the web, but nothing seems to deal with this issue.
> Pointing me
> in the right direction would be appreciated!
Having the above kind of junk in the message body itself is not really
a huge huge problem -- And it's almost impossible to avoid it without
crippling the legitimate input for a message BODY.
Buuuuuuuuuuuuuuuuuuuuuuut:
An email address, which you are splicing into the HEADERS as the
fourth argument to PHP's http://php.net/mail function should *NOT*
have any kind of crap like this in it.
In fact, if an email contains a newline, you can pretty much assume
the user is a spammer trying to abuse your script to do Evil Things...
Actually, a "real" user might manage to have a leading/trailing
newline when they paste an email address into a web form.
Amened the preceding statement to:
If an email contains an embedded newline, they are a spammer.
So, to secure your mail() script do this:
$email = trim($_REQUEST['email']);
if (strstr($email, "\n")){
die("spammer");
}
//now it's "safe" to send the email.
You also should sanitize the input for $subject since that ALSO gets
spliced into the headers of an email.
You could, perhaps, perform additional validation upon $email, looking
for a specific format involving @ and "dots" and so forth -- but be
warned that you are likely to inadvertantly reject valid email
addresses, and are guaranteed to accept worthless email addresses no
matter how rigorous your validation...
So I personally don't think it's wise to attempt to validate an email
address as syntactically valid "email address" for a simple form mail.
But then, I've been burned by a BUNCH of web-sites that reject MY
email address as "invalid" and am biased by that. :-)
--
Like Music?
http://l-i-e.com/artists.htm
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
