Posted by Steve on 02/28/07 19:20
"J.O. Aho" <user@example.net> wrote in message
news:54lvp3F211sdiU1@mid.individual.net...
| rcoan@chaparralboats.com wrote:
| >>> Your form as it stands can
| >>> be used to spam anyone.
| >
| > Actually I don't really see a way of it being used to send spam to
| > anyone really. Unless they actually key in the query string. The
| > email address that's being passed via the query string is from a
| > database of email addresses that are location specific. In other
| > words these people are expecting the emails and for there to be some
| > junk mail possibly. So I'm not too worried about the spam issue as of
| > right now but I will keep an eye out for it. Thanks.
|
| The problem is if you allow people to send a "From" address with the form,
| as there isn't any real from argument in the mail function, you are
| instead using the mail header directly and then you can add other things
| like bcc/cc to the header and that way send out mail to more than one
| person at a time.
|
| It doesn't hurt to check all variables used in the mail function, if
| detecting header injection, then abort the mailing (easy check is to
| compare the size of the variable before and after removing all \r\n, if
| the same no header injection was attempted, otherwise it's a try to spam).

easy yes, but secure no. it is best to not take half measures when
programming anything, especially security. something like this is a far more
appropriate step:
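
    // inputs are held by reference so the cleaned values reach the originals
    $emailInput = array(&$to, &$from, &$cc, &$bcc, &$subject, &$message);
    $injections = array('to', 'from', 'cc', 'bcc');
    foreach ($emailInput as &$input)
    {
        foreach ($injections as $injection)
        {
            // strip any embedded "name: value" header line from the input
            $input = preg_replace("/\n?" . $injection . "\s*?:.*?\n/i", '', $input);
        }
    }
    unset($input); // drop the reference left behind by foreach
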
now you have a configurable, manageable means of stripping out malicious
header content by the input(s) supplied...just by changing either/both
arrays. the emailInput array is normally just going to have a subject and a
message/comment that has to be analysed.
cheers
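
The check J.O. Aho describes in the quoted text (look for a line break in anything bound for a mail header and abort the mailing), written out as an added example that is not part of the original thread. It assumes PHP 7 or later; the function names and sample addresses are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Function names and sample
// values are constructed for illustration. Assumes PHP 7 or later.

// Return a list of problems in fields that will end up in mail headers.
// An empty list means no line break was found in any of them.
function findHeaderInjection(array $headerFields): array
{
    $problems = array();
    foreach ($headerFields as $name => $value) {
        // A bare CR or a bare LF can start a new header line, so test for
        // either character rather than only the "\r\n" pair.
        if (preg_match('/[\r\n]/', $value)) {
            $problems[] = "$name: contains a line break";
        }
    }
    return $problems;
}

function sendContactMail(string $to, string $from, string $subject, string $message): bool
{
    $problems = findHeaderInjection(array('to' => $to, 'from' => $from, 'subject' => $subject));
    foreach (array('to' => $to, 'from' => $from) as $name => $addr) {
        if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
            $problems[] = "$name: not a single valid address";
        }
    }
    if ($problems) {
        error_log('mail rejected: ' . implode('; ', $problems));
        return false; // abort instead of trying to repair the input
    }
    // The body is not a header, so line breaks are expected in $message.
    return mail($to, $subject, $message, "From: $from");
}

// Constructed inputs: one clean value and two values carrying extra headers.
$samples = array(
    'clean'   => 'visitor@example.com',
    'crlf'    => "visitor@example.com\r\nBcc: a@example.org",
    'lf only' => "visitor@example.com\nCc: b@example.org",
);
foreach ($samples as $label => $from) {
    $found = findHeaderInjection(array('from' => $from));
    echo $label, ': ', $found ? implode('; ', $found) : 'ok', "\n";
}
```

The demo loop only runs the detection function, so no mail is sent when the file is executed.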