|
Posted by Gordon Burditt on 10/08/67 11:26
>I have a form processing script which sends an email in response to a
>(separate) form submittal. All the input validation is done client
>side javascript.
In other words, there *IS NO* input validation for anyone who
wants to get around it. Presumably that also means your database
is subject to a SQL injection attack.
>Recently the processing script has been hijacked by
>someone calling it with random email addresses in $_POST['email'] thus
>generating a lot of spurious email spam. I can think of a few ways to
>reduce the possibility of this but I'm posting this to see if I can get
>some ideas on the best way to secure. I'd like to check the processing
>page was called from the form page but I understand that
>$SERVER['HTTP_REFERER'] is not reliable.
It still may be better than nothing, unless it prevents legitimate
users from using your site (which it might if you implement checks).
>Hidden variables are easily
>revealed, I'm thinking of using a cookie or a session id. Any
>comments/ideas?
Use server-side checks for security issues (and form abuse is a
security issue). That doesn't mean you can't use Javascript also
for friendlier user interface to explain the error better and
give more immediate feedback.
If your form can send mail to the same user-supplied (via the form)
email address more than once a day (or week), you're part of the
SPAM (mailbombing) problem. (That means you need to keep track of
the time of the last-sent email to each address.)
If your form allows the user to specify mail headers that aren't
checked for nasty characters (like newlines) you're part of the
SPAM problem, as many spammers like to specify a return address
like:
me@spam.com\nBcc: a@aol.com, b@aol.com, c@aol.com, d@aol.com ...
which allows sending out a lot of spam with one email, and further,
any nice text you put in about your site makes it look like YOU
are signing the SPAM!
It isn't that difficult to write a script using CURL or some similar
package to visit your page, find the link to the mail form (thereby
defeating time-sensitive GET, POST, and COOKIE variables), fetch
that link (returning cookies as needed), then effectively submitting
the form. Oh, yes, it can set REFERER, too. I've done this a
couple of times where I wanted to retrieve something automatically,
and it required me to log in (although I do have a legitimate login
for the site, and the decision of when to fetch is manual and not
very often, so I'm not hammering the site).
Sessions that time out relatively quickly (e.g. an hour or so) make
the spammers work harder at abusing your site.
Gordon L. Burditt
Navigation:
[Reply to this message]
|