Re: Preventing mail injection

Posted by J.O. Aho on 02/27/06 03:38

LAshooter wrote:
> I've seen a number of sites talking about how easy it is to use mail
> injection to compromise PHP mail forms, but I'm not having any luck finding
> an "easy" way to block this. Is there a script or class that can be
> implemented to secure basic feedback forms?

What you need to do is to remove Bcc: and Cc: from the header, or see to it that
they are not there; these are usually added to the "From:" part of the form, as
this is the mail header part in mail().

Say you have a form with an input field where the user can enter their e-mail
address; instead of just doing that, they add other header information, e.g.

silly@example.net \r\n Cc: wespam@example.com \r\n


The thing that people usually do is to use POST values directly in the mail()
function, e.g.

// Vulnerable: the raw POST value goes straight into the additional headers
$from = $_POST['from'] . "\r\n";
mail('me@example.net', $subject, $message, $from);

Now, using that $from in mail() will cause the mail to be Cc:ed to
wespam@example.com too.

A quite simple protection could be to use

// Strip bare CR and LF as well as CRLF, so no second header line can start
// (eregi_replace() was removed in PHP 7, and it only matched the exact CRLF pair)
$from = str_replace(array("\r", "\n"), '', $_POST['from']) . "\r\n";
mail('me@example.net', $subject, $message, $from);

This ensures you have one long row with the junk that the spammer added in the
From:. Better is of course to move the From: to the message instead

// Same stripping, but the address now only ever lands in the message body
$from = str_replace(array("\r", "\n"), '', $_POST['from']) . "\n";
mail('me@example.net', $subject, "This mail is from: " . $from . $message);

If you want to reply, it's quite simple to cut and paste the mail address from
the message to the To: in your mail client, and you run less risk of
injection.

You can look at the user comments for the mail() function
http://www.php.net/manual/en/function.mail.php


//Aho
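An added example (not code from the post above) of the same defence done the other way round: instead of stripping line breaks out of the From: value, refuse any value that contains one and that is not a single address, and keep the user-supplied address out of the raw header string. The function names, the feedback@example.net sender and the error_log() handling are assumptions.

```php
<?php
// Added example, not from the original post: reject a header value that
// could start a new header line rather than trying to clean it up.

// Returns the validated address, or null if it must not go into a header.
function safe_from_address(string $raw): ?string
{
    $candidate = trim($raw);
    // Any CR, LF or NUL means the value is trying to add a header line
    // (this also catches a bare "\n", which a CRLF-only replace would miss).
    if (preg_match('/[\r\n\0]/', $candidate)) {
        return null;
    }
    // Refuse anything that is not a single plain e-mail address.
    if (filter_var($candidate, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $candidate;
}

// Subject is a header too; it gets the same line-break rule.
function safe_subject(string $raw): ?string
{
    return preg_match('/[\r\n\0]/', $raw) ? null : trim($raw);
}

function send_feedback(string $rawFrom, string $rawSubject, string $message): bool
{
    $from = safe_from_address($rawFrom);
    $subject = safe_subject($rawSubject);
    if ($from === null || $subject === null) {
        // Log and drop; never fall back to sending with the tainted value.
        error_log('feedback form: rejected header value ' . json_encode($rawFrom));
        return false;
    }
    // A fixed From: of our own; the visitor's address only appears in the
    // body and in Reply-To, and only after it passed the checks above.
    $headers = "From: feedback@example.net\r\nReply-To: " . $from . "\r\n";
    $body = "This mail is from: " . $from . "\n\n" . $message;
    return mail('me@example.net', $subject, $body, $headers);
}

// Constructed inputs: the injected value from the post and a clean address.
$injected = "silly@example.net \r\n Cc: wespam@example.com \r\n";
var_dump(safe_from_address($injected));
var_dump(safe_from_address('silly@example.net'));
```

The first var_dump() is NULL and the second is the plain address; send_feedback() is only reached with values that passed, so a rejected form post never results in a mail() call at all.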
