Posted by Sanders Kaufman on 10/27/07 19:27
"Bill H" <someone@somedomain.com> wrote in message
> I've changed our web site to use a simple PHP script to send a demo
> request to our sales office. We use Postfix and everything is set up
> properly and works fine. I've been informed there are some security
> issues to review.
Since you do ZERO checking on the values, it's nothing BUT security issues.
You should never pass user-submitted data to mail or databases without
validating it.
> The script looks like:
> <html>
> <head><title>PHP Mail Sender</title></head>
> <body>
> <?php
> /* Pre-defined script variables. */
> /* $eol = "\r\n"; */
> $eol = "\n";
> $mailto = 'sales@mydomain.com';
> $mailfrom = 'webserver@mydomain.com';
> $subject = 'Company Demo Request';
> /* Initialize a clean array to replace $_POST with clean data */
> $name = $_POST['name'];
> $title = $_POST['title'];
> $company = $_POST['company'];
> $email = $_POST['email'];
> $phone = $_POST['phone'];
> $message = $_POST['message'];
> /* Build HTML $salesmessage variable to pass to mail script */
> $salesmessage = "<HTML><HEAD></HEAD><BODY>" . $eol;
> $salesmessage .= "The following information comes from the company web site<BR>" . $eol;
> $salesmessage .= "demonstration link.<BR><BR>" . $eol;
> $salesmessage .= "<TABLE cols='2'>" . $eol;
> $salesmessage .= "<TR><TD style='color:blue'>Company Name:</TD><TD>" . $company . "</TD></TR>" . $eol;
> $salesmessage .= "<TR><TD style='color:blue'>Contact Name:</TD><TD>" . $name . "</TD></TR>" . $eol;
> $salesmessage .= "<TR><TD style='color:blue'>Contact Title:</TD><TD>" . $title . "</TD></TR>" . $eol;
> $salesmessage .= "<TR><TD style='color:blue'>Contact Email:</TD><TD>" . $email . "</TD></TR>" . $eol;
> $salesmessage .= "<TR><TD style='color:blue'>Contact Phone:</TD><TD>" . $phone . "</TD></TR>" . $eol;
> $salesmessage .= "</TABLE><BR>" . $eol;
> $salesmessage .= $message . $eol;
> $salesmessage .= "</BODY></HTML>" . $eol;
> /* To send HTML mail, the Content-type header must be set */
> $headers = 'MIME-Version: 1.0' . $eol;
> $headers .= 'Content-type: text/html; charset=iso-8859-1' . $eol;
> /* Additional header information */
> $headers .= 'To: Sales <' . $mailto . '>' . $eol;
> $headers .= 'From: ' . 'AsiWeb <' . $mailfrom . '>' . $eol . $eol;
> /* PHP form validation: the script checks that the Email field contains a valid email address
> and the Subject field isn't empty. preg_match performs a regular expression match. It's a
> very powerful PHP function to validate form fields and other strings - see PHP manual for
> details. */
> if ($email == "") {
>     echo "<script>alert('Invalid or missing email address')</script>";
>     echo "<script>history.back(1)</script>";
> } elseif ($name == "") {
>     echo "<script>alert('Invalid or missing name')</script>";
>     echo "<script>history.back(1)</script>";
> } elseif ($company == "") {
>     echo "<script>alert('Invalid or missing company')</script>";
>     echo "<script>history.back(1)</script>";
> /* Sends the mail and outputs the "Thank you" string if the mail is
> successfully sent, or the error string otherwise. */
> } elseif (mail($mailto, $subject, $salesmessage, $headers)) {
>     echo "<script>";
>     echo "self.location='../demo_response.html';";
>     echo "</script>";
> } else {
>     echo "<script>alert('Cannot send email to $mailto')</script>";
>     echo "<script>history.back(1)</script>";
> }
> ?>
> </body>
> </html>
> The main issue I'm wondering about is this: if I control the To and From addresses
> and the header information for the mail, as I do above, is it possible to
> inject something else into the email to hijack the mail server?
> Thanks,
> Bill
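An added example (not Bill's script and not Sanders' code) of the validation the reply calls for: header-bound fields are checked for line breaks before any of them reach mail(), and every value is escaped before it lands in the HTML body. Field names and the mailbox addresses are taken from Bill's script; PHP 7.4+ is assumed.

```php
<?php
// Added example, not Bill's script or Sanders' code: the same form handler with every
// user value validated before it reaches mail() or the HTML body (PHP 7.4+ assumed).
// Accept a single-line field. CR, LF and NUL are rejected because a value that reaches a
// header (the Reply-To below) could otherwise end that header and start new ones.
function single_line(?string $v, int $max, bool $required): ?string
{
    $v = trim((string)$v);
    if ($v === '') return $required ? null : '';
    if (strlen($v) > $max || preg_match('/[\r\n\0]/', $v)) return null;
    return $v;
}
// Validate the POST array; returns [list of error strings, cleaned fields].
function validate_demo_request(array $post): array
{
    $spec = ['name' => true, 'company' => true, 'title' => false, 'phone' => false];
    $errors = []; $clean = [];
    foreach ($spec as $f => $required) {
        $clean[$f] = single_line($post[$f] ?? null, 100, $required);
        if ($clean[$f] === null) $errors[] = "Invalid or missing $f";
    }
    $email = single_line($post['email'] ?? null, 254, true);
    if ($email === null || !filter_var($email, FILTER_VALIDATE_EMAIL)) $errors[] = 'Invalid or missing email address';
    $clean['email'] = $email;
    // The free-text message only ever goes in the body, where newlines are harmless; just bound its size.
    $clean['message'] = str_replace("\0", '', (string)($post['message'] ?? ''));
    if (strlen($clean['message']) > 4000) $errors[] = 'Message too long';
    return [$errors, $clean];
}
// Build the HTML body with each value escaped, so a submission cannot inject markup into
// the mail that sales staff open in an HTML-rendering client.
function build_body(array $c): string
{
    $h = fn(?string $s) => htmlspecialchars((string)$s, ENT_QUOTES, 'UTF-8');
    $labels = ['company' => 'Company Name', 'name' => 'Contact Name', 'title' => 'Contact Title',
               'email' => 'Contact Email', 'phone' => 'Contact Phone'];
    $rows = '';
    foreach ($labels as $k => $label) {
        $rows .= "<tr><td>$label:</td><td>" . $h($c[$k]) . "</td></tr>\n";
    }
    return "<html><body><table>$rows</table><p>" . nl2br($h($c['message'])) . "</p></body></html>\n";
}

[$errors, $clean] = validate_demo_request($_POST);
if ($errors === []) {
    // Headers are fixed strings plus the validated address; no raw user input reaches them.
    $headers = "MIME-Version: 1.0\r\nContent-Type: text/html; charset=UTF-8\r\n"
             . "From: AsiWeb <webserver@mydomain.com>\r\nReply-To: {$clean['email']}\r\n";
    mail('sales@mydomain.com', 'Company Demo Request', build_body($clean), $headers);
}
```

The From address stays a fixed server mailbox; the visitor's address is only used as Reply-To after it has passed both the line-break check and FILTER_VALIDATE_EMAIL.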