Re: novice with hacked email form issue

Hello,

on 02/21/2006 03:19 PM cKc Consultants said the following:
> An email form that uses a simple server side php code to send the variable
> values managed to send:
>
>
> Content-Type: multipart/alternative;
>> boundary=5c7c7e682d991e8ec1f6825582ea2103
>> MIME-Version: 1.0
>> Subject: round a rock by way of anchorage
>> bcc: charieses329@xxxxxxx
>>
>> This is a multi-part message in MIME format.
>>
>> --5c7c7e682d991e8ec1f6825582ea2103
>> Content-Type: text/plain; charset=\"us-ascii\"
>> MIME-Version: 1.0
>> Content-Transfer-Encoding: 7bit
>>
>> system expict th time is
>> --5c7c7e682d991e8ec1f6825582ea2103--
>>
>
> This appears between responses to "$msg.=" and shouldn't be something the
> user could see. In order to figure out how to prevent this, I need to know
> how it was done. I know I need to validate the email address more closely,
> but I'm curious as to what created this. I've found some interesting
> articles on the web, but nothing seems to deal with this issue.
> Pointing me
> in the right direction would be appreciated!

The problem is that you are using unverified data that came from the form
directly in the message. It is easy to hack your form because you are
neglecting the fact that an e-mail field may contain line breaks. This
opens the chance for hackers to add extra headers and even message body
data, as the PHP mail() function is very weak and does nothing to reject
abusive data.

If you are looking for a more robust solution, take a look at this MIME
message composing class. Not only can it encode special characters that
can be legitimately fed to the message, but it also escapes line breaks
in headers, so attacks like the one you suffered are suppressed, even when
you do not validate the form fields for valid e-mail addresses as you
should have done:

http://www.phpclasses.org/mimemessage


-- 

Regards,
Manuel Lemos

Metastorage - Data object relational mapping layer generator
http://www.metastorage.net/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/
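An added example, not code from this thread or from the phpclasses.org package, of the check the reply describes: refuse any form value that contains a line break before it reaches a mail header, and validate the address itself. The function names and the two constructed sample inputs are assumptions made for the illustration.

```php
<?php
// Added example: header-injection guard for a PHP contact form.
// Untrusted form fields must never reach a mail header with CR/LF in them,
// because a line break ends the current header and starts a new one.

function hasHeaderInjection(string $value): bool
{
    // CR, LF or NUL inside a single header value is never legitimate.
    return preg_match('/[\r\n\0]/', $value) === 1;
}

function isSafeEmailAddress(string $value): bool
{
    if (hasHeaderInjection($value)) {
        return false;
    }
    // filter_var() rejects whitespace and most malformed addresses.
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

function buildHeaders(string $fromEmail, string $fromName): string
{
    if (!isSafeEmailAddress($fromEmail) || hasHeaderInjection($fromName)) {
        throw new InvalidArgumentException('refusing to build headers from untrusted input');
    }
    // Encode the display name for non-ASCII characters and bound its length.
    $name = mb_encode_mimeheader(mb_substr($fromName, 0, 100, 'UTF-8'), 'UTF-8');
    $headers = [
        'From'         => sprintf('%s <%s>', $name, $fromEmail),
        'Reply-To'     => $fromEmail,
        'MIME-Version' => '1.0',
        'Content-Type' => 'text/plain; charset=UTF-8',
    ];
    $lines = [];
    foreach ($headers as $k => $v) {
        $lines[] = $k . ': ' . $v;
    }
    // Only this string is handed to mail() as additional headers.
    return implode("\r\n", $lines);
}

// Constructed sample inputs: a legitimate address and one carrying a
// folded-in extra header, the pattern seen in the quoted message above.
$samples = [
    'alice@example.org',
    "alice@example.org\r\nbcc: someone@example.net",
];
foreach ($samples as $s) {
    printf("%-48s -> %s\n", addcslashes($s, "\r\n"), isSafeEmailAddress($s) ? 'ok' : 'REJECTED');
}
```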

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
