Posted by shimmyshack on 10/27/07 21:16
On Oct 27, 8:27 pm, "Sanders Kaufman" <bu...@kaufman.net> wrote:
 > "Bill H" <some...@somedomain.com> wrote in message
 >
 > news:VradnVdP25-dFL7anZ2dnUVZ_rCtnZ2d@comcast.com...
 >
 > > I've changed our web site to use a simple PHP script to send a demo
 > > request to our sales office.  We use Postfix and everything is set up
 > > properly and works fine.  I've been informed there are some security
 > > issues to review.
 >
 > Since you do ZERO checking on the values it's nothing BUT security issues.
 > You should never pass user-submitted data to mail or data bases without
 > validating it.
 >
 >
 >
 > > The script looks like:
 >
 > > <html>
 > > <head><title>PHP Mail Sender</title></head>
 > > <body>
 > >   <?php
 >
 > > /* Pre-defined script variables. */
 > > /* $eol      = "\r\n"; */
 > >   $eol      = "\n";
 > >   $mailto   = 'sa...@mydomain.com';
 > >   $mailfrom = 'webser...@mydomain.com';
 > >   $subject  = 'Company Demo Request';
 >
 > > /* Initialize a clean array to replace $_POST with clean data */
 > >   $name     = $_POST['name'];
 > >   $title    = $_POST['title'];
 > >   $company  = $_POST['company'];
 > >   $email    = $_POST['email'];
 > >   $phone    = $_POST['phone'];
 > >   $message  = $_POST['message'];
 >
 > > /* Build HTML $salesmessage variable to pass to mail script */
 > >   $salesmessage  = "<HTML><HEAD></HEAD><BODY>" . $eol;
 > >   $salesmessage .= "The following information comes from the company web
 > > site<BR>".$eol;
 > >   $salesmessage .= "demonstration link.<BR><BR>".$eol;
 > >   $salesmessage .= "<TABLE cols='2'>".$eol;
 > >   $salesmessage .= "<TR><TD style='color:blue'>Company Name:
 > > </TD><TD>". $company  ."</TD></TR>".$eol;
 > >   $salesmessage .= "<TR><TD style='color:blue'>Contact Name:
 > > </TD><TD>". $name     ."</TD></TR>".$eol;
 > >   $salesmessage .= "<TR><TD style='color:blue'>Contact Title:
 > > </TD><TD>". $title    ."</TD></TR>".$eol;
 > >   $salesmessage .= "<TR><TD style='color:blue'>Contact Email:
 > > </TD><TD>". $email    ."</TD></TR>".$eol;
 > >   $salesmessage .= "<TR><TD style='color:blue'>Contact Phone:
 > > </TD><TD>". $phone    ."</TD></TR>".$eol;
 > >   $salesmessage .= "</TABLE><BR>"    . $eol;
 > >   $salesmessage .= $message . $eol;
 > >   $salesmessage .= "</BODY></HTML>"  . $eol;
 >
 > > /* To send HTML mail, the Content-type header must be set */
 > >   $headers  = 'MIME-Version: 1.0' . $eol;
 > >   $headers .= 'Content-type: text/html; charset=iso-8859-1' . $eol;
 >
 > > /* Additional header information */
 > >   $headers .= 'To: Sales <' . $mailto . '>' . $eol;
 > >   $headers .= 'From: ' . 'AsiWeb <' . $mailfrom . '>' . $eol . $eol;
 >
 > > /* PHP form validation: the script checks that the Email field contains a
 > > valid email address
 > >   and the Subject field isn't empty. preg_match performs a regular
 > > expression match. It's a
 > >   very powerful PHP function to validate form fields and other strings -
 > > see PHP manual for
 > >   details. */
 > >   if ($email == "") {
 > >       echo "<script>alert('Invalid or missing email address')</script>";
 > >       echo "<script>history.back(1)</script>";
 > >   } elseif ($name == "") {
 > >       echo "<script>alert('Invalid or missing name')</script>";
 > >       echo "<script>history.back(1)</script>";
 > >   } elseif ($company == "") {
 > >       echo "<script>alert('Invalid or missing company')</script>";
 > >       echo "<script>history.back(1)</script>";
 >
 > > /* Sends the mail and outputs the "Thank you" string if the mail is
 > > successfully sent, or the
 > >   error string otherwise. */
 > >   } elseif (mail($mailto, $subject, $salesmessage, $headers)) {
 > >          echo "<script>";
 > >          echo "self.location='../demo_response.html';";
 > >          echo "</script>";
 > >   } else {
 > >       echo "<script>alert('Cannot send email to $mailto')</script>";
 > >       echo "<script>history.back(1)</script>";
 > >   }
 > >   ?>
 > > </body>
 > > </html>
 >
 > > The main issue I'm wondering about is if I control the to and from address
 > > and header information for the mail, as I do above, is it possible to
 > > inject something else into the email to hijack the mail server?
 >
 > > Thanks,
 >
 > > Bill
 
 On Oct 27, 7:52 pm, "Bill H" <some...@somedomain.com> wrote:
 > I've changed our web site to use a simple PHP script to send a demo request
 > to our sales office.  We use Postfix and everything is set up properly and
 > works fine.  I've been informed there are some security issues to review.
 >
 > The script looks like:
 >
 > <html>
 > <head><title>PHP Mail Sender</title></head>
 > <body>
 >    <?php
 >
 > /* Pre-defined script variables. */
 > /* $eol      = "\r\n"; */
 >    $eol      = "\n";
 >    $mailto   = 'sa...@mydomain.com';
 >    $mailfrom = 'webser...@mydomain.com';
 >    $subject  = 'Company Demo Request';
 >
 > /* Initialize a clean array to replace $_POST with clean data */
 >    $name     = $_POST['name'];
 >    $title    = $_POST['title'];
 >    $company  = $_POST['company'];
 >    $email    = $_POST['email'];
 >    $phone    = $_POST['phone'];
 >    $message  = $_POST['message'];
 >
 > /* Build HTML $salesmessage variable to pass to mail script */
 >    $salesmessage  = "<HTML><HEAD></HEAD><BODY>" . $eol;
 >    $salesmessage .= "The following information comes from the company web
 > site<BR>".$eol;
 >    $salesmessage .= "demonstration link.<BR><BR>".$eol;
 >    $salesmessage .= "<TABLE cols='2'>".$eol;
 >    $salesmessage .= "<TR><TD style='color:blue'>Company Name:    </TD><TD>".
 > $company  ."</TD></TR>".$eol;
 >    $salesmessage .= "<TR><TD style='color:blue'>Contact Name:    </TD><TD>".
 > $name     ."</TD></TR>".$eol;
 >    $salesmessage .= "<TR><TD style='color:blue'>Contact Title:   </TD><TD>".
 > $title    ."</TD></TR>".$eol;
 >    $salesmessage .= "<TR><TD style='color:blue'>Contact Email:   </TD><TD>".
 > $email    ."</TD></TR>".$eol;
 >    $salesmessage .= "<TR><TD style='color:blue'>Contact Phone:   </TD><TD>".
 > $phone    ."</TD></TR>".$eol;
 >    $salesmessage .= "</TABLE><BR>"    . $eol;
 >    $salesmessage .= $message . $eol;
 >    $salesmessage .= "</BODY></HTML>"  . $eol;
 >
 > /* To send HTML mail, the Content-type header must be set */
 >    $headers  = 'MIME-Version: 1.0' . $eol;
 >    $headers .= 'Content-type: text/html; charset=iso-8859-1' . $eol;
 >
 > /* Additional header information */
 >    $headers .= 'To: Sales <' . $mailto . '>' . $eol;
 >    $headers .= 'From: ' . 'AsiWeb <' . $mailfrom . '>' . $eol . $eol;
 >
 > /* PHP form validation: the script checks that the Email field contains a
 > valid email address
 >    and the Subject field isn't empty. preg_match performs a regular
 > expression match. It's a
 >    very powerful PHP function to validate form fields and other strings -
 > see PHP manual for
 >    details. */
 >    if ($email == "") {
 >        echo "<script>alert('Invalid or missing email address')</script>";
 >        echo "<script>history.back(1)</script>";
 >    } elseif ($name == "") {
 >        echo "<script>alert('Invalid or missing name')</script>";
 >        echo "<script>history.back(1)</script>";
 >    } elseif ($company == "") {
 >        echo "<script>alert('Invalid or missing company')</script>";
 >        echo "<script>history.back(1)</script>";
 >
 > /* Sends the mail and outputs the "Thank you" string if the mail is
 > successfully sent, or the
 >    error string otherwise. */
 >    } elseif (mail($mailto, $subject, $salesmessage, $headers)) {
 >           echo "<script>";
 >           echo "self.location='../demo_response.html';";
 >           echo "</script>";
 >    } else {
 >        echo "<script>alert('Cannot send email to $mailto')</script>";
 >        echo "<script>history.back(1)</script>";
 >    }
 >    ?>
 > </body>
 > </html>
 >
 > The main issue I'm wondering about is if I control the to and from address
 > and header information for the mail, as I do above, is it possible to inject
 > something else into the email to hijack the mail server?
 >
 > Thanks,
 >
 > Bill
 
 Even a 10-second glance reveals a few issues:
 cross-site scripting,
 header injection may be possible,
 use of \n\n rather than \r\n.
 
 I'm not sure where your "powerful validate" occurs, but it's not in this
 script, as you make no attempt to use regular expressions.
 
 Oh, and in case you're wondering why I would perform regular
 expression validation on a mailto address I control: this is a demo,
 right? How will you ask the user to put in a valid email address, or
 any other data? You will of course have to use some kind of
 validation.
 
 My recommendation is to use a prewritten class to send emails; check
 out Zend, or some other framework, for some (more) secure scripts.
 Rolling your own should only be done when you think you can improve on
 the work of others with years of experience, often learned the hard
 way! The last thing you want is to have your email server blacklisted.
 
 If you use a secure class, your script will look something like:
 
 $email->setTo( $mailto );
 $email->setFrom( $mailfrom );
 $email->setMsg( $salesmessage );
 if( !$email->send() )
 {
     echo 'it wasn\'t sent';
 }
 else
 {
     echo 'it was';
 }
 
 The prevention of injection occurs elsewhere, but do not repeat your
 mistake of echoing back to the screen what the user has input unless
 you use htmlentities or some other filtering on the input.
 
 Or else a user can use this to take control of your web pages; this is
 the XSS I was talking about. This is pretty much rule number 1 of
 server-side coding with forms. Since you go on to send emails, I think
 perhaps you should check out the WASC web pages to see the complexity of
 decent secure dynamic pages before you get into hot water.
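As an added example for this thread (not the poster's script, and not code from Zend or any other framework), here is what the "validate first, then send" shape the reply asks for looks like in plain PHP, covering both the header-injection and the XSS points above. It assumes PHP 7.4 or later, a form that posts the same six fields, and placeholder addresses for $mailto and $mailfrom. The addresses and every header stay server-controlled; any field containing CR or LF (the characters that would let a value start a new header line) is rejected; the line ending is \r\n; the visitor's address is checked with filter_var and placed only in Reply-To; and every value is passed through htmlspecialchars before it enters the HTML body, which is the "htmlentities or some other filtering" the reply recommends.

```php
<?php
// Added example for this thread: a hardened demo-request handler.
// Assumed: PHP 7.4+, form fields name/title/company/email/phone/message,
// and placeholder addresses below in place of the site's real ones.

$eol      = "\r\n";                    // RFC 5322 line ending, not "\n"
$mailto   = 'sales@example.com';       // placeholder, fixed by the server
$mailfrom = 'webserver@example.com';   // placeholder, fixed by the server
$subject  = 'Company Demo Request';

// Return a trimmed single-line value, or null if it is empty, too long,
// or contains CR, LF or NUL. A value that can never contain a line break
// can never add a header, whichever header it later ends up in.
function single_line(string $value, int $max = 200): ?string {
    $value = trim($value);
    if ($value === '' || strlen($value) > $max) {
        return null;
    }
    if (preg_match('/[\r\n\0]/', $value)) {
        return null;
    }
    return $value;
}

// Collect and validate input; $_POST is not touched again after this.
$fields = [];
foreach (['name', 'title', 'company', 'email', 'phone'] as $key) {
    $fields[$key] = single_line((string)($_POST[$key] ?? ''));
}
// The free-text message may span lines, so only strip NUL and cap its size.
$message = substr(str_replace("\0", '', (string)($_POST['message'] ?? '')), 0, 4000);

$errors = [];
foreach (['name', 'company', 'email'] as $required) {
    if ($fields[$required] === null) {
        $errors[] = "Invalid or missing $required";
    }
}
if ($fields['email'] !== null && filter_var($fields['email'], FILTER_VALIDATE_EMAIL) === false) {
    $errors[] = 'Invalid or missing email address';
}

if ($errors) {
    // Report only the fixed error strings; never echo raw input back.
    header('Content-Type: text/html; charset=UTF-8');
    foreach ($errors as $e) {
        echo '<p>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</p>' . "\n";
    }
    exit;
}

// Escape every user-supplied value before it goes into the HTML mail body,
// so the sales team's mail reader renders text rather than tags or scripts.
$h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');

$labels = ['company' => 'Company Name', 'name' => 'Contact Name', 'title' => 'Contact Title',
           'email' => 'Contact Email', 'phone' => 'Contact Phone'];
$body  = '<html><body>' . $eol;
$body .= '<p>Demo request from the company web site.</p>' . $eol;
$body .= '<table>' . $eol;
foreach ($labels as $key => $label) {
    $body .= '<tr><td>' . $label . ':</td><td>' . $h((string)$fields[$key]) . '</td></tr>' . $eol;
}
$body .= '</table>' . $eol;
$body .= '<pre>' . $h($message) . '</pre>' . $eol;
$body .= '</body></html>' . $eol;

// Headers hold only server-controlled values plus the validated, CR/LF-free
// visitor address in Reply-To. From and the envelope stay the site's own, so
// the server is never asked to send on behalf of an arbitrary third party.
$headers  = 'MIME-Version: 1.0' . $eol;
$headers .= 'Content-Type: text/html; charset=UTF-8' . $eol;
$headers .= 'From: AsiWeb <' . $mailfrom . '>' . $eol;
$headers .= 'Reply-To: ' . $fields['email'] . $eol;
// No trailing blank line here: mail() separates headers from the body itself.

if (mail($mailto, $subject, $body, $headers)) {
    header('Location: ../demo_response.html');
} else {
    header('Content-Type: text/html; charset=UTF-8');
    echo '<p>The request could not be sent. Please try again later.</p>';
}
```

Two design choices worth noting. The visitor's address is never used as From or as a recipient, only as Reply-To, which still lets sales answer the enquiry while keeping the relay decision entirely with the server. And the CR/LF rejection happens at input time rather than by escaping at header-assembly time, so a field cannot be validated in one place and reused unsafely in another; recent PHP versions also refuse some malformed newline sequences in the headers argument of mail() on their own, but the check above does not rely on that.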