Email injection on a contact form

Posted by stirrell on 08/06/06 20:00

Hello,

One problem that I had been having is stopping email injections on
contact forms. I did some research, read up on it and felt like I had
created a working solution. I hadn't gotten any suspicious bouncebacks
in quite some time and got many custom alerts I had set up for
notifying me of injection attempts. However, just the other day, I got
a bounceback from an AOL address which leads me to believe that an
injection attempt was successful. I was hoping that someone here could
help me out.

Here is the code that I am using to check for injections:

function containsInjectionAttempt($input) {
    // Case-insensitive substring matches; stripos() replaces eregi(), which was removed in PHP 7
    if (stripos($input, "\r") !== false ||
        stripos($input, "\n") !== false ||
        stripos($input, "%0a") !== false ||
        stripos($input, "%0d") !== false ||
        stripos($input, "Content-Type:") !== false ||
        stripos($input, "bcc:") !== false ||
        stripos($input, "to:") !== false ||
        stripos($input, "cc:") !== false) {
        return true;
    } // end of if
    else {
        return false;
    } // end of else
} // end of containsInjectionAttempt function

// Check for injection attempts
if (containsInjectionAttempt($_POST['userName']) ||
    containsInjectionAttempt($_POST['address']) ||
    containsInjectionAttempt($_POST['address2']) ||
    containsInjectionAttempt($_POST['city']) ||
    containsInjectionAttempt($_POST['zip']) ||
    containsInjectionAttempt($_POST['phone']) ||
    containsInjectionAttempt($_POST['email'])) {
    // There has been an injection attempt: report every submitted field
    $message = '';
    foreach ($_POST as $key => $value) {
        $message .= $key . ": " . $value . "\n";
    } // end of foreach
    mail("me@test.com", "Injection attempt on Web Site", $message,
         "From: info@website.com");
    $mailSuccess = 1;
} // end of if

Then, if the mailSuccess variable is set to 1, it sends out the email.
There is also a comments textarea that I do not run through the
injection check. It is my (possibly incorrect?) understanding that
anything going into the message body does not need to be checked for an
injection attempt since it should not be able to affect the headers. A
problem with checking a textarea against the injection check would be
that it would mark most legitimate messages as injections since it
looks for \r and \n. At least this is my understanding.

I was wondering if someone could tell me if there is a vulnerability in
the code and, if so, if there is a way to patch it. Thanks so much for
your help! This has been a frustrating problem that I thought I had
solved.

Scott
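As an added example (not the original poster's code), the same form can be protected by allow-listing instead of a keyword blacklist: every field that ends up on a header line is rejected if it contains any control character, the sender address must parse as a single mailbox, and the free-text comment stays body-only, where newlines are legitimate. Field names follow the post; the recipient addresses are placeholders, and the pieces are returned rather than passed to mail() so the script runs offline.

```php
<?php
// Added example, not the original poster's code. Field names (userName, email,
// phone, comments) follow the post; recipient addresses are placeholders.

// A header value is acceptable only if it contains no control characters.
// CR and LF are what matter for header injection; rejecting the whole control
// range also covers NUL and tab, with no keyword blacklist to keep up to date.
function isSafeHeaderValue(string $value): bool {
    return preg_match('/[\x00-\x1F\x7F]/', $value) !== 1;
}

// Validate the form and assemble the four mail() arguments without sending.
// Returns ['errors' => [...]] on rejection.
function prepareContactMail(array $post): array {
    $errors = [];
    $clean = [];
    // Only fields that end up on a header line get the strict single-line check.
    foreach (['userName', 'email', 'phone'] as $field) {
        $clean[$field] = (string)($post[$field] ?? '');
        if (!isSafeHeaderValue($clean[$field])) {
            $errors[] = "$field contains a control character";
        }
    }
    // The sender address must be one well-formed mailbox; extra addresses,
    // display names or folded lines are rejected up front.
    if (filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a single valid address';
    }
    if ($errors) {
        return ['errors' => $errors];
    }
    // The comment is body text only, so newlines are legitimate there; just normalise line endings.
    $comments = preg_replace("/\r\n?/", "\n", (string)($post['comments'] ?? ''));
    $body = "Name: {$clean['userName']}\nPhone: {$clean['phone']}\n\n$comments";
    // Headers come from constants plus the validated address only.
    $headers = "From: info@website.example\r\nReply-To: {$clean['email']}\r\n";
    return [
        'to'      => 'me@website.example',
        'subject' => 'Contact form submission',
        'body'    => $body,
        'headers' => $headers,
    ];
}

// Constructed sample inputs: a legitimate multi-line comment is accepted, while a
// name field carrying CR/LF is rejected before any header is built.
$ok  = prepareContactMail(['userName' => 'Scott', 'email' => 'scott@example.com',
                           'phone' => '555-0100', 'comments' => "Line one\r\nLine two"]);
$bad = prepareContactMail(['userName' => "Scott\r\nBcc: other@example.com",
                           'email' => 'scott@example.com', 'phone' => '', 'comments' => '']);
var_dump(isset($ok['headers']), isset($bad['errors']));
```

Because $_POST values are already URL-decoded by PHP, the literal "%0a"/"%0d" strings in the original check never see a real newline; the control-character test above catches the decoded bytes directly.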