Posted by J.O. Aho on 12/11/06 16:31
Shooter wrote:
> I think this is working - I got 2 new attempts this morning. I can see where
> they still input the "Content-Transfer-Encoding: quoted-printable
> Content-Type: text/html Subject: [spam]...", but they incl the BCC in the
> field that I have for interested parties to submit their URL for me to
> review. I can't tell from what I'm seeing online -- will the mail injection
> work on ANY field in the form? Or can the CC or BCC be included only in the
> FROM field? Do I need to apply the preprocessHeaderField function on ALL
> fields in the form? I want to ensure that the BCC I'm seeing in the website
> field didn't actually generate a spam to someone else.
Anything that is injected as a mail header has to come through the fourth "option" of
the mail function.
mail($to, $subject, $message, $headers);
If you have a TO-field in your form, then they can send the message to more than one
person; usually this is preset and users can't inject anything in here.
$subject is a dangerous place to inject extra headers into, but it could be
possible; newlines may cause the sending of the mail to fail, and newlines
are a must to inject extra headers. It's enough to filter away newlines here
if you allow users to set the subject with a drop-down menu or text input.
$message is the body; any headers injected here will just appear as normal
text in the body of the mail.
$headers is where the FROM-field is usually put; injecting extra headers here
makes the spamming work every time.
Now I don't know how you use the mail function, but if you have something like
this
mail('webmaster@example.net','User feedback',$message,$from);
then it's only $from that you need to run through preprocessHeaderField(). If
you allow users to set subjects in some way, then I do suggest you at least use
$subject=str_replace(array("\r","\n"), '', $subject);
If you would be so mad as to even allow users to set the $to, then I would run
that through preprocessHeaderField() and then
$to=explode(",",$to);
$to=$to[0];
This would limit the sending to at most one person at a time. But spammers will
most likely use scripts, so they would just hit your webpage more.
If you give drop-down menu options, never send the real used value as an
address; an example to avoid is
<select name="to">
<option value="webmaster@example.net">Webmaster</option>
<option value="shooter@example.net">Shooter</option>
</select>
As you most likely then use that value directly in your mail(), this
allows the spammer to just change the value to whatever e-mail address they
want to spam.
Use instead
<select name="to">
<option value="1">Webmaster</option>
<option value="2">Shooter</option>
</select>
Then have a switch function in the receiving script that picks up the value
switch($_REQUEST['to']) {
case 1:
$to="webmaster@example.net";
break;
case 2:
$to="shooter@example.net";
break;
default:
exit;
}
If the value is something other than what you have defined, then a spammer tried to
spam and there is no point in sending the mail; of course you could make it nicer with
an error message rather than just killing the script. The same applies for subjects you
pick from a drop-down menu: don't send the subject in the value, just a value,
and then pick the subject from a switch(). This way the subject can't be
misused; you could set the default: to either exit or just "spam", this way
you can see the spam and have a proper subject for it too.
//Aho
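Putting the advice in this thread together, here is an added example (not code from the original post) of a contact-form handler that maps drop-down values to addresses server-side and refuses any header field containing CR/LF. preprocessHeaderField() is not shown on this page, so a small strip_crlf() helper is assumed in its place; the addresses and form inputs are constructed.

```php
<?php
// Added example, not from the original post. Drop-down value -> address map;
// the real addresses never appear in the HTML, only the keys '1' and '2'.
$recipients = [
    '1' => 'webmaster@example.net',
    '2' => 'shooter@example.net',
];

// Assumed stand-in for preprocessHeaderField(): remove every CR and LF,
// which is what header injection relies on.
function strip_crlf(string $field): string
{
    return str_replace(["\r", "\n"], '', $field);
}

// True if the field carried a CR/LF, i.e. someone tried to add a header.
function looks_injected(string $field): bool
{
    return $field !== strip_crlf($field);
}

// Validate the form input and build the four mail() arguments,
// or return null when the submission should not be sent at all.
function build_mail(array $input, array $recipients): ?array
{
    $to = $recipients[$input['to'] ?? ''] ?? null;
    if ($to === null) {
        return null; // value not in the list: treat as a spam attempt
    }
    $from    = $input['from'] ?? '';
    $subject = $input['subject'] ?? '';
    if (looks_injected($from) || looks_injected($subject)) {
        return null; // newline in a header field: do not send
    }
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null; // From must be a single plain address
    }
    return [
        'to'      => $to,
        'subject' => strip_crlf($subject),
        'message' => $input['message'] ?? '',
        'headers' => 'From: ' . $from . "\r\n",
    ];
}

// Constructed inputs: a normal submission and one with an extra header in From.
$good = ['to' => '1', 'from' => 'alice@example.org', 'subject' => 'Hello', 'message' => 'Hi'];
$bad  = ['to' => '1', 'from' => "alice@example.org\r\nBcc: someone@example.com", 'subject' => 'Hello', 'message' => 'Hi'];
$m = build_mail($good, $recipients);
if ($m !== null) {
    mail($m['to'], $m['subject'], $m['message'], $m['headers']);
}
if (build_mail($bad, $recipients) === null) {
    error_log('contact form: header injection attempt rejected');
}
```

Logging the rejected submission instead of silently exiting gives you the record of attempts that the post suggests keeping.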