Posted by Miguel Cruz on 08/07/06 14:24
stirrell@integrastrategic.com wrote:
> You're right - I probably am checking more than I need to but I figured
> it didn't hurt to check those inputs and I was trying to make sure I
> wasn't missing anything. Here is a copy of the message from the
> bounceback that I got from the server. To me, it looks like a
> successful injection attempt.
Does look suspiciously that way.
> // Send the email
> $subject = "Inquiry from Web site: $_POST[topic]";
> if (strlen($_POST['userName']) > 0) {
>     $message .= "Name: $_POST[userName]\n";
> } // end of if
> if (strlen($_POST['address']) > 0) {
>     $message .= "Address: $_POST[address]\n";
> } // end of if
> if (strlen($_POST['address2']) > 0) {
>     $message .= "Address 2: $_POST[address2]\n";
> } // end of if
> if (strlen($_POST['city']) > 0) {
>     $message .= "City: $_POST[city]\n";
> } // end of if
> if (strlen($_POST['state']) > 0) {
>     $message .= "State: $_POST[state]\n";
> } // end of if
> if (strlen($_POST['zip']) > 0) {
>     $message .= "Zip: $_POST[zip]\n";
> } // end of if
> if (strlen($_POST['phone']) > 0) {
>     $message .= "Phone: $_POST[phone]\n\n";
> } // end of if
> if (strlen($_POST['comments']) > 0) {
>     $message .= "Comments: ".str_replace("\r", "",
>         $_POST['comments'])."\n";
> } // end of if
> if (strlen($_POST['email']) > 0) {
>     // user-supplied name and address go straight into the From: header
>     $from = "$_POST[userName] <$_POST[email]>";
> } // end of if
> else {
>     $from = "Website <info@website.com>";
> } // end of else
> $message = stripslashes($message);
> mail ("info@website.com", $subject, $message, "From: ".$from);
>
> So, the from is created via the userName and email variables which are
> checked with the injection check. Can anyone see a flaw that would
> allow someone to create an email like the one that bounced back?
I think you could make life much simpler by just doing this, and only
leaving in the characters you know are safe and useful for names and
email addresses, and trimming each down to 50 characters for good
measure:
function clean_header_data($str)
{
    return substr(preg_replace('/[^\w .@+\-]/', '', $str), 0, 50);
}
Then you can do
$from = clean_header_data($_POST['userName']) . ' <' .
        clean_header_data($_POST['email']) . '>';
Likewise do it with $subject because $_POST['topic'] is untrustworthy.
After that there's very little way for anything to sneak through.
--
Photos from 40 countries on 5 continents: http://travel.u.nu
Latest photos: Malaysia; Thailand; Singapore; Spain; Morocco
Airports of the world: http://airport.u.nu
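The following is an added example, not code from either poster, that carries the whitelisting approach from the reply above through to a complete, offline-runnable form-mailer. It keeps clean_header_data() as given, adds a separate e-mail validity check with filter_var(), and puts a final CR/LF gate in front of the mail() call so a header value can never contain a line break. The function names safe_email(), build_from_header(), has_header_newline() and send_inquiry(), the closure standing in for mail(), and the two sample submissions are all constructed for this illustration.

```php
<?php
// Added example (not from the original thread): a header-hardening layer
// for mail() built on the whitelist idea in the reply above.
// Layer 1: strip everything outside a conservative whitelist and cap length.
// Layer 2: validate the address separately and refuse to send if any header
//          value still contains CR or LF (defence in depth).

function clean_header_data(string $str, int $max = 50): string
{
    // Keep word characters, space, dot, @, + and -. Dropping CR, LF, ':',
    // '<', '>' and quotes removes what a forged extra header would need.
    return substr(preg_replace('/[^\w .@+\-]/', '', $str), 0, $max);
}

function safe_email(string $candidate, string $fallback): string
{
    // Whitelist first, then require a syntactically valid address.
    $cleaned = clean_header_data($candidate, 254);
    $valid = filter_var($cleaned, FILTER_VALIDATE_EMAIL);
    return $valid === false ? $fallback : $valid;
}

function build_from_header(array $post, string $fallback = 'Website <info@website.com>'): string
{
    $name  = clean_header_data($post['userName'] ?? '');
    $email = $post['email'] ?? '';
    if ($email === '') {
        return $fallback;
    }
    $addr = safe_email($email, '');
    if ($addr === '') {
        return $fallback; // invalid address: never place it in a header
    }
    return ($name === '' ? '' : $name . ' ') . '<' . $addr . '>';
}

function has_header_newline(string $value): bool
{
    // Final gate before mail(): no header value may contain CR or LF.
    return preg_match('/[\r\n]/', $value) === 1;
}

function send_inquiry(array $post, callable $mailer): bool
{
    // $_POST['topic'] is untrusted too, so the subject gets the same treatment.
    $subject = 'Inquiry from Web site: ' . clean_header_data($post['topic'] ?? '', 100);
    $from    = build_from_header($post);
    if (has_header_newline($subject) || has_header_newline($from)) {
        return false; // unreachable after whitelisting, kept as a safety net
    }
    $body = 'Comments: ' . str_replace("\r", '', $post['comments'] ?? '') . "\n";
    return $mailer('info@website.com', $subject, $body, 'From: ' . $from);
}

// Constructed inputs: a benign submission and one whose name field carries a
// line break, the pattern that would turn a From: value into extra headers.
$benign  = ['userName' => 'Jane Doe', 'email' => 'jane@example.com',
            'topic' => 'Pricing', 'comments' => 'Hello'];
$hostile = ['userName' => "Jane\r\nX-Injected: header", 'email' => 'jane@example.com',
            'topic' => 'Pricing', 'comments' => 'Hello'];

// Stand-in for mail() so the example runs offline and prints what would be sent.
$fakeMailer = function (string $to, string $subject, string $body, string $headers): bool {
    echo "To: $to\nSubject: $subject\n$headers\n\n$body\n";
    return true;
};

send_inquiry($benign, $fakeMailer);
send_inquiry($hostile, $fakeMailer);
```

Running it with `php` prints both messages; in the second one the name field collapses to a single line because the whitelist dropped the CR, LF and colon, so the From: header cannot be continued into a second header. The CR/LF gate is deliberately redundant with the whitelist: if someone later relaxes the character class, the send still fails closed rather than emitting a multi-line header.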