Re: [PHP] Mail Injection- Which Mail function Parameters CORRECTED

Posted by Curt Zirzow on 11/18/05 10:11

On Fri, Nov 18, 2005 at 05:06:36PM -0800, Ligaya Turmelle wrote:
>
> >$message - yes
> >---------------
> >This usually can go without any special escaping, unless you have
> >certain headers (the Boundary: header) or allow an injection into
> >the $additional_headers field. If this is the case a malicious
> >user could attach a virus to be sent anonymously.
>
> Shouldn't you also worry about html script tags in the body of an HTML
> email? Couldn't a person also use those to send you a nasty "present"?

This is more of a second hand issue, but still valid nonetheless.
Depending on the client that sees the email and the context the
email was sent in, for example:

It is a rather common thing to send two parts, one just plain text
and another one with markup (usually html), and depending on how
the client reads things and displays it to the user, the outcome
could lead to problems.

I usually use the Boundary: header as a good example of how one
could take advantage of non-escaped data, but that doesn't protect
someone from sending some well formed message that might perhaps
do some phishing type thing.


>
> >
> >$additional_headers - yes
> >-------------------------
> >As with $to, $subject you need to make sure \r and/or \n are
> >removed or escaped properly. The most commonly used header is the
> >From header:
> >
> > From: "$fromname" <$fromemail>
> >
> >As noted in the $message section, if you don't take care in
> >ensuring this parameter isn't done correctly you could potentially
> >allow the user to setup their own Boundary: header, which then
> >would allow them to freely make what ever attachments they like.
> >
> >Also this is where the open (well pseudo open) relay occurs, if you
> >don't filter things properly, you can open up the CC: and BCC:
> >headers, allowing the person to anonymously send emails.
>
> why would a person allow a user to input header information on a web
> form? That sounds like a HUGE security hole or is there someway I just
> can't see?

The thing is that they don't realize that it is being allowed. If I
don't protect the variable $fromname from the ability to allow a
\n or \r\n someone could send me that results with:

$_POST['fromname'] == "your friend\" <me@a.com>\r\nBCC: [a list of people]\r\nNull: \"";

Resulting in:

From: "your friend" <me@a.com>
BCC: [a list of people]
Null: "" <thefromemail>


and if I want to be tricky I'd slip in a couple Received: headers
to throw off people the hint of what route the message took. Or
maybe another Subject: header to bypass the previous rules on
subject so I can get the subject I want.


Curt.
--
null
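
Added example, not part of the message above or of the original thread: a check on the values that go into the From: "$fromname" <$fromemail> template, refusing \r and \n before the header is built. The function name build_from_header and the address webform@example.com are assumptions; the second sample input is the value quoted in the post.

```php
<?php
// Added example: build_from_header() and the sample address are hypothetical.

/**
 * Build a From: header from a user-supplied display name and address.
 * Throws if either value could start a new header line.
 */
function build_from_header(string $fromname, string $fromemail): string
{
    // A CR or LF inside a header value lets the sender begin a new header
    // (BCC:, Subject:, a boundary definition), so reject rather than strip.
    foreach ([$fromname, $fromemail] as $value) {
        if (preg_match('/[\r\n]/', $value)) {
            throw new InvalidArgumentException('line break in header value');
        }
    }
    // The address must be one syntactically valid mailbox.
    if (filter_var($fromemail, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid From address');
    }
    // Escape backslash and double quote so the name cannot close the
    // quoted string early.
    $quoted = addcslashes($fromname, "\\\"");
    return 'From: "' . $quoted . '" <' . $fromemail . '>';
}

// Constructed inputs: an ordinary name, then the value from the post.
$samples = [
    'Jane Doe',
    "your friend\" <me@a.com>\r\nBCC: [a list of people]\r\nNull: \"",
];

foreach ($samples as $fromname) {
    // What the unfiltered template from the thread would produce.
    $naive = "From: \"$fromname\" <webform@example.com>";
    echo 'naive header lines: ', count(preg_split('/\r\n|\r|\n/', $naive)), "\n";
    try {
        echo 'checked: ', build_from_header($fromname, 'webform@example.com'), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The same line-break check applies to any other value placed in $to, $subject or $additional_headers.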

 
