Posted by Brendan Gillatt on 11/01/07 19:23

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

DVH wrote:
> Hi,
>
> I've a script that sends mail from my site.
>
> I've included a regexp which should return 403 forbidden if you try to
> hijack it and send to another address.
>
> How can I test to make sure it works? E.g. can I try to spoof it to send
> mail to my other e-mail address?
>
> Thanks for your help.
>
> The script is:
>
> <?php
>
>
> $mailto = 'dvh@example.com' ;
>
>
> $subject = "newsletter signup" ;
>
> $formurl = "http://www.example.com/index.html" ;
> $errorurl = "http://www.example.com/signuperror.html" ;
> $thankyouurl = "http://www.example.com/signed.html" ;
>
> $uself = 0;
>
> $headersep = (!isset( $uself ) || ($uself == 0)) ? "\r\n" : "\n" ;
> $name = $_POST['name'] ;
> $email = $_POST['email'] ;
> $comments = $_POST['comments'] ;
> $http_referrer = getenv( "HTTP_REFERER" );
>
> if (!isset($_POST['email'])) {
> header( "Location: $formurl" );
> exit ;
> }
> if (empty($name) || empty($email) || empty($comments)) {
> header( "Location: $errorurl" );
> exit ;
> }
> if ( ereg( "[\r\n]", $name ) || ereg( "[\r\n]", $email ) ) {
> header( "Location: $errorurl" );
> exit ;
> }
>
> if (get_magic_quotes_gpc()) {
> $comments = stripslashes( $comments );
> }
>
> if (!eregi('^[-A-Za-z0-9_]+@(example.com)$', $mailto)) {
> header('HTTP/1.0 403 Forbidden');
> die('Access denied.');
> }
>
>
> $messageproper =
>
> "This message was sent from:\n" .
> "$http_referrer\n" .
> "------------------------------------------------------------\n" .
> "Name of sender: $name\n" .
> "Email of sender: $email\n" .
> "------------------------- COMMENTS -------------------------\n\n" .
> $comments .
> "\n\n------------------------------------------------------------\n" ;
>
> mail($mailto, $subject, $messageproper,
> "From: \"$name\" <$email>" . $headersep . "Reply-To: \"$name\" <$email>" .
> $headersep . "X-Mailer:
>
> chfeedback.php 2.08" );
> header( "Location: $thankyouurl" );
> exit ;
>
> ?>
>
>

You _must_ check for newlines in form to e-mail scripts. If not, a
malicious user can add their own headers.

- --
Brendan Gillatt
brendan {at} brendangillatt {dot} co {dot} uk
http://www.brendangillatt.co.uk
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xBACD7433
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)

iD8DBQFHKieokA9dCbrNdDMRAkxRAKDKg/lgihg2TDL0jRzd7A9PXA8ZrQCdHyjo
DR9g97F30LDbwK4nhCAJ9aU=
=XDYz
-----END PGP SIGNATURE-----

• Next in forum: Re: how to create 'remember login' functionality during login
• Prev in forum: Re: how to create 'remember login' functionality during login
• Thread view: Re: Spamproofing a send mail script

[Reply to this message]