Posted by Miguel Cruz on 08/06/06 21:59
stirrell@integrastrategic.com wrote:
> One problem that I had been having is stopping email injections on
> contact forms. I did some research, read up on it and felt like I had
> created a working solution. I hadn't gotten any suspicious bouncebacks
> in quite some time and got many custom alerts I had set up for
> notifying me of injection attempts. However, just the other day, I got
> a bounceback from an AOL address which leads me to believe that an
> injection attempt was successful. I was hoping that someone here could
> help me out.
> Here is the code that I am using to check for injections:
> function containsInjectionAttempt($input) {
> if (eregi("\r", $input) ||
> eregi("\n", $input) ||
> eregi("%0a", $input) ||
> eregi("%0d", $input) ||
> eregi("Content-Type:", $input) ||
> eregi("bcc:", $input) ||
> eregi("to:", $input) ||
> eregi("cc:", $input)) {
> return true;
> } // end of if
> else {
> return false;
> } // end of else
> } // end of containsInjectionAttempt function
> // Check for injection attempts
> if (containsInjectionAttempt($_POST['userName']) ||
> containsInjectionAttempt($_POST['address']) ||
> containsInjectionAttempt($_POST['address2'])
> || containsInjectionAttempt($_POST['city']) ||
> containsInjectionAttempt($_POST['zip']) ||
> containsInjectionAttempt($_POST['phone'])
> || containsInjectionAttempt($_POST['email'])) {
> // There has been an injection attempt
> while (list($key, $value) = each($_POST)) {
> $message .= $key.": ".$value."\n";
> } // end of while
> mail ("me@test.com", "Injection attempt on Web Site", $message,
> "From: info@website.com");
> $mailSuccess = 1;
> } // end of if
> Then, if the mailSuccess variable is set to 1, it sends out the email.
> There is also a comments textarea that I do not run through the
> injection check. It is my (possibly incorrect?) understanding that
> anything going into the message body does not need to be checked for an
> injection attempt since it should not be able to affect the headers. A
> problem with checking a textarea against the injection check would be
> that it would mark most legitimate messages as injections since it
> looks for \r and \n. At least this is my understanding.
It looks to me like you are checking a bunch of stuff you don't need to
- do any of userName, address, address2, city, zip, phone, or email end
up in the headers of the message you send out? I would assume they all
end up in the body.
What you need to look at would be the stuff that does go into the
headers - a likely suspect would be anything used to build the Subject.
If you build a "From:" header from the userName or email values then you
do need to check those.
Photos from 40 countries on 5 continents: http://travel.u.nu
Latest photos: Malaysia; Thailand; Singapore; Spain; Morocco
Airports of the world: http://airport.u.nu
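To make the point of the reply concrete, here is an added PHP example that is not part of the original thread: only values that end up in the headers passed to mail() (here Subject and Reply-To) get the CRLF check, while the comments textarea goes into the body untouched. The field names and the addresses me@test.com and info@website.com are taken from the post; the Reply-To header, the helper names and the injected sample payload are my own constructions for illustration.

```php
<?php
// Added example (not the original poster's code). Demonstrates which
// contact-form values actually reach the mail() headers and guards
// only those, leaving multi-line body text alone.

// Constructed sample input representing an injection attempt: the
// "email" field smuggles a CRLF followed by an extra Bcc: header.
$samplePost = [
    'userName' => 'Alice Example',
    'email'    => "alice@example.com\r\nBcc: spamtarget@example.com",
    'comments' => "Hello,\r\nI'd like a quote.\r\nThanks",   // newlines are legitimate here
];

// True if a value could break out of the header line it is placed in.
// A separate test for the literal strings "%0a"/"%0d" is not needed:
// PHP URL-decodes POST data before it reaches $_POST, so an encoded
// CRLF arrives as the real bytes "\r\n" and is caught by this regex.
function unsafeForHeader(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Vulnerable construction (for contrast only, not executed):
//   $headers = "From: info@website.com\r\nReply-To: {$_POST['email']}\r\n";
// With the sample input above the injected "Bcc: ..." becomes a real
// header line and the message is delivered to the attacker's target.

// Hardened construction. Returns the mail() arguments, or null when a
// header-bound value is unsafe so the caller can log the attempt.
function buildContactMail(array $post): ?array
{
    $name    = $post['userName'] ?? '';
    $from    = $post['email'] ?? '';
    $comment = $post['comments'] ?? '';   // body only: never checked for CRLF

    // $name and $from are both interpolated into Reply-To, so both
    // need the check; Subject is a fixed string here, but it would
    // need the same check if it were built from user input.
    if (unsafeForHeader($name) || unsafeForHeader($from)
        || filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    $headers = "From: info@website.com\r\n"
             . "Reply-To: {$name} <{$from}>\r\n";
    $body    = "Name: {$name}\nEmail: {$from}\n\n{$comment}";

    return [
        'to'      => 'me@test.com',
        'subject' => 'Contact form submission',
        'body'    => $body,
        'headers' => $headers,
    ];
}

$mailArgs = buildContactMail($samplePost);
if ($mailArgs === null) {
    // Constructed payload is rejected here; a real site would record it.
    echo "header injection attempt blocked\n";
} else {
    mail($mailArgs['to'], $mailArgs['subject'], $mailArgs['body'], $mailArgs['headers']);
}
```

Run as-is the sample payload is rejected; replace the "email" value with a plain address such as alice@example.com and buildContactMail() returns the arguments with the comment's embedded newlines preserved in the body, which is exactly the case the poster worried would be flagged as an injection.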