Spamproofing a send mail script

Posted by DVH on 11/01/07 18:25

Hi,

I've a script that sends mail from my site.

I've included a regexp which should return 403 forbidden if you try to
hijack it and send to another address.

How can I test to make sure it works? E.g. can I try to spoof it to send
mail to my other e-mail address?

Thanks for your help.

The script is:

<?php

$mailto = 'dvh@example.com';

$subject = "newsletter signup";

$formurl = "http://www.example.com/index.html";
$errorurl = "http://www.example.com/signuperror.html";
$thankyouurl = "http://www.example.com/signed.html";

$uself = 0;

// Header separator: CRLF unless $uself is set to a non-zero value.
$headersep = (!isset($uself) || ($uself == 0)) ? "\r\n" : "\n";
$name = isset($_POST['name']) ? $_POST['name'] : '';
$email = isset($_POST['email']) ? $_POST['email'] : '';
$comments = isset($_POST['comments']) ? $_POST['comments'] : '';
$http_referrer = getenv("HTTP_REFERER");

// No form submission at all: send the visitor to the form.
if (!isset($_POST['email'])) {
    header("Location: $formurl");
    exit;
}
if (empty($name) || empty($email) || empty($comments)) {
    header("Location: $errorurl");
    exit;
}
// Reject CR/LF in the fields that end up in mail headers (From/Reply-To).
// ereg() was removed in PHP 7; preg_match() is the equivalent.
if (preg_match("/[\r\n]/", $name) || preg_match("/[\r\n]/", $email)) {
    header("Location: $errorurl");
    exit;
}

// get_magic_quotes_gpc() was removed in PHP 8; only call it where it exists.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $comments = stripslashes($comments);
}

// Only allow delivery to a single mailbox at example.com (eregi() replaced by
// a case-insensitive preg_match(); the dot in the domain is escaped).
if (!preg_match('/^[-A-Za-z0-9_]+@example\.com$/i', $mailto)) {
    header('HTTP/1.0 403 Forbidden');
    die('Access denied.');
}

$messageproper =
    "This message was sent from:\n" .
    "$http_referrer\n" .
    "------------------------------------------------------------\n" .
    "Name of sender: $name\n" .
    "Email of sender: $email\n" .
    "------------------------- COMMENTS -------------------------\n\n" .
    $comments .
    "\n\n------------------------------------------------------------\n";

// The X-Mailer header must stay on one line; a line break inside it would
// itself split the header block.
mail($mailto, $subject, $messageproper,
    "From: \"$name\" <$email>" . $headersep .
    "Reply-To: \"$name\" <$email>" . $headersep .
    "X-Mailer: chfeedback.php 2.08");
header("Location: $thankyouurl");
exit;

?>
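The following is an added example, not the poster's script: it shows how to validate the user-supplied fields that actually land in mail headers ($name and $email, since $mailto is a hard-coded constant) and how to exercise that check offline with constructed inputs instead of sending real mail. The function names (is_header_safe, build_headers, handle_signup) and the sample submissions are my own assumptions.

```php
<?php
// Added example (not the original poster's script): a header-building routine
// that refuses any user-supplied value carrying CR, LF or NUL, plus a
// command-line self-check using constructed inputs. Function names are assumed.

/**
 * True if $value can be placed in a mail header verbatim: no CR, LF or NUL,
 * the characters that would let a second header be appended to the first.
 */
function is_header_safe(string $value): bool
{
    return preg_match('/[\r\n\x00]/', $value) !== 1;
}

/**
 * Build the From/Reply-To/X-Mailer headers for the newsletter form.
 * Returns the header string, or null if either field is unsafe or the
 * address is not one syntactically valid e-mail address.
 */
function build_headers(string $name, string $email, string $sep = "\r\n"): ?string
{
    if (!is_header_safe($name) || !is_header_safe($email)) {
        return null;
    }
    // FILTER_VALIDATE_EMAIL accepts exactly one address; a value such as
    // "a@example.org, b@example.org" fails here.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Drop double quotes from the display name so it cannot close the quoted
    // string and alter the rest of the header.
    $display = str_replace('"', '', $name);
    return "From: \"$display\" <$email>" . $sep
         . "Reply-To: \"$display\" <$email>" . $sep
         . "X-Mailer: chfeedback.php 2.08";
}

/**
 * Run the form logic without sending anything: returns 'sent' or 'rejected'
 * so the validation can be exercised from the command line.
 */
function handle_signup(array $post, string $mailto): string
{
    // The destination is fixed server-side and never taken from $post.
    foreach (['name', 'email', 'comments'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || $post[$field] === '') {
            return 'rejected';
        }
    }
    $headers = build_headers($post['name'], $post['email']);
    if ($headers === null) {
        return 'rejected';
    }
    // The live script would call mail($mailto, $subject, $body, $headers) here.
    return 'sent';
}

// Constructed test submissions (not real form data).
$cases = [
    'plain'         => ['name' => 'Alice', 'email' => 'alice@example.org', 'comments' => 'hi'],
    'crlf in email' => ['name' => 'Alice', 'email' => "alice@example.org\r\nBcc: other@example.net", 'comments' => 'hi'],
    'lf in name'    => ['name' => "Alice\nCc: other@example.net", 'email' => 'alice@example.org', 'comments' => 'hi'],
    'two addresses' => ['name' => 'Alice', 'email' => 'a@example.org, b@example.org', 'comments' => 'hi'],
    'missing field' => ['name' => 'Alice', 'email' => 'alice@example.org', 'comments' => ''],
];

foreach ($cases as $label => $post) {
    printf("%-14s %s\n", $label, handle_signup($post, 'dvh@example.com'));
}
```

Run it with `php` from the command line; only the "plain" case should report "sent", every other case is rejected before any header string is built. Because handle_signup never calls mail(), the same harness can be kept beside the live script as a regression check whenever the validation is changed.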
