|
|
Posted by Justin Koivisto on 09/14/05 18:54
cmcnaught wrote:
> Hi,
> I have a form processing script which sends an email in response to a
> (separate) form submittal. All the input validation is done client
> side javascript. Recently the processing script has been hijacked by
> someone calling it with random email addresses in $_POST['email'] thus
> generating a lot of spurious email spam. I can think of a few ways to
> reduce the possibility of this but I'm posting this to see if I can get
> some ideas on the best way to secure. I'd like to check the processing
> page was called from the form page but I understand that
> $SERVER['HTTP_REFERER'] is not reliable. Hidden variables are easily
> revealed, I'm thinking of using a cookie or a session id. Any
> comments/ideas?
> cj
>
Just an FYI to anyone facing this problem as it is being spread quite
wide right now...
1. Do *all* your processing server-side.
2. Check all single-line text input values (from <input type="text">)
and remove any newline or carriage return characters [ie.
preg_replace('`[\r\n]`','',$input)]
3. Add an extra CRLF to the end of your headers when using mail:
mail($to,$subject,$headers."\r\n");
The extra line is to tell the smtp server that the end of the headers
section of the message has been reached, and should prevent additional
headers from being injected from the posted data.
Those are the first steps that you *should* do... now for some optional
stuff:
* For any multi-line inputs (<textarea>) scan for things like
"MIME-Version:" and "boundary=(.*)" if they are found, scan for the
value of the boundary. If the boundary value is found more than twice,
then kill the process. This prevents MIME emails from being generated
(there is *never* a reason to submit raw code like this) if the above 3
methods fail.
* Check for duplicate values in the posted data. (checkboxes or radio
buttons could be a source of legit duplicates as well as password or
email verification fields, etc.) If there are more duplicates than your
form would legitimately generate, kill the process.
* Before killing the process, log whatever information you can from the
request and send it to yourself (preferably in a log file somewhere) for
later inspection.
One other piece of advice - don't limit these techniques to just PHP,
*all* server-side code that sends user-submitted data should use these
precautions to prevent the spamming opportunities that could arise
otherwise.
--
Justin Koivisto, ZCE - justin@koivi.com
http://koivi.com
Navigation:
[Reply to this message]
|