Posted by Jerry Stuckle on 10/27/07 21:11
Bill H wrote:
> I've changed our web site to use a simple PHP script to send a demo request
> to our sales office. We use Postfix and everything is set up properly and
> works fine. I've been informed there are some security issues to review.
>
> The script looks like:
>
> <html>
> <head><title>PHP Mail Sender</title></head>
> <body>
> <?php
>
> /* Pre-defined script variables. */
> /* $eol = "\r\n"; */
> $eol = "\n";
> $mailto = 'sales@mydomain.com';
> $mailfrom = 'webserver@mydomain.com';
> $subject = 'Company Demo Request';
>
> /* Initialize a clean array to replace $_POST with clean data */
> $name = $_POST['name'];
> $title = $_POST['title'];
> $company = $_POST['company'];
> $email = $_POST['email'];
> $phone = $_POST['phone'];
> $message = $_POST['message'];
>
> /* Build HTML $salesmessage variable to pass to mail script */
> $salesmessage = "<HTML><HEAD></HEAD><BODY>" . $eol;
> $salesmessage .= "The following information comes from the company web site<BR>".$eol;
> $salesmessage .= "demonstration link.<BR><BR>".$eol;
> $salesmessage .= "<TABLE cols='2'>".$eol;
> $salesmessage .= "<TR><TD style='color:blue'>Company Name: </TD><TD>".
> $company ."</TD></TR>".$eol;
> $salesmessage .= "<TR><TD style='color:blue'>Contact Name: </TD><TD>".
> $name ."</TD></TR>".$eol;
> $salesmessage .= "<TR><TD style='color:blue'>Contact Title: </TD><TD>".
> $title ."</TD></TR>".$eol;
> $salesmessage .= "<TR><TD style='color:blue'>Contact Email: </TD><TD>".
> $email ."</TD></TR>".$eol;
> $salesmessage .= "<TR><TD style='color:blue'>Contact Phone: </TD><TD>".
> $phone ."</TD></TR>".$eol;
> $salesmessage .= "</TABLE><BR>" . $eol;
> $salesmessage .= $message . $eol;
> $salesmessage .= "</BODY></HTML>" . $eol;
>
> /* To send HTML mail, the Content-type header must be set */
> $headers = 'MIME-Version: 1.0' . $eol;
> $headers .= 'Content-type: text/html; charset=iso-8859-1' . $eol;
>
> /* Additional header information */
> $headers .= 'To: Sales <' . $mailto . '>' . $eol;
> $headers .= 'From: ' . 'AsiWeb <' . $mailfrom . '>' . $eol . $eol;
>
> /* PHP form validation: the script checks that the Email field contains a
> valid email address
> and the Subject field isn't empty. preg_match performs a regular
> expression match. It's a
> very powerful PHP function to validate form fields and other strings -
> see PHP manual for
> details. */
> if ($email == "") {
> echo "<script>alert('Invalid or missing email address')</script>";
> echo "<script>history.back(1)</script>";
> } elseif ($name == "") {
> echo "<script>alert('Invalid or missing name')</script>";
> echo "<script>history.back(1)</script>";
> } elseif ($company == "") {
> echo "<script>alert('Invalid or missing company')</script>";
> echo "<script>history.back(1)</script>";
>
> /* Sends the mail and outputs the "Thank you" string if the mail is
> successfully sent, or the
> error string otherwise. */
> } elseif (mail($mailto, $subject, $salesmessage, $headers)) {
> echo "<script>";
> echo "self.location='../demo_response.html';";
> echo "</script>";
> } else {
> echo "<script>alert('Cannot send email to $mailto')</script>";
> echo "<script>history.back(1)</script>";
> }
> ?>
> </body>
> </html>
>
> The main issue I'm wondering about is if I control the to and from address
> and header information for the mail, as I do above, is it possible to inject
> something else into the email to hijack the mail server?
>
> Thanks,
>
> Bill
>
Well, you aren't placing anything in the header which comes from the user
(i.e. from address, subject, etc.), so in that respect your script is safe.
However, just to be safe, you should verify the data input by the user.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
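Added example, not part of Bill's script or Jerry's reply: the input verification Jerry recommends, applied to the fields of the posted form. Field names follow the form in the post; the length limits and the PHP 7.1+ syntax are assumptions.

```php
<?php
// Added example, not code from Bill's post or Jerry's reply. Field names follow
// the form in the post; length limits and the PHP 7.1+ syntax are assumptions.

/* Reject a field that is empty, too long, or contains CR/LF: a newline in any
   value that reaches a mail header is how extra headers get injected. */
function clean_field(string $value, int $maxlen = 200): ?string {
    $value = trim($value);
    if ($value === '' || strlen($value) > $maxlen || preg_match('/[\r\n]/', $value)) {
        return null;
    }
    return $value;
}

/* The message goes out as text/html, so every user value is escaped
   before it is placed in a table cell. */
function html_cell(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'ISO-8859-1');
}

/* Validate all fields; returns ['errors' => [...], 'fields' => [...]]. */
function validate_demo_request(array $post): array {
    $errors = [];
    $clean  = [];
    foreach (['name', 'title', 'company', 'phone'] as $field) {
        $v = clean_field($post[$field] ?? '');
        if ($v === null) { $errors[] = "Invalid or missing $field"; }
        $clean[$field] = $v;
    }
    $email = clean_field($post['email'] ?? '');
    if ($email === null || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Invalid or missing email address';
    }
    $clean['email'] = $email;
    // Free text: newlines are fine inside the body, but cap the size.
    $clean['message'] = substr(trim($post['message'] ?? ''), 0, 4000);
    return ['errors' => $errors, 'fields' => $clean];
}

$result = validate_demo_request($_POST);
if ($result['errors']) {
    echo "<script>alert('" . addslashes($result['errors'][0]) . "')</script>";
    echo "<script>history.back(1)</script>";
    exit;
}
$f = $result['fields'];
$row = "<TR><TD style='color:blue'>Contact Email: </TD><TD>" . html_cell($f['email']) . "</TD></TR>\n";
// Build the other rows and the message with html_cell() the same way, then call
// mail() as before; $mailto, $mailfrom and $subject stay hard-coded, so no user data reaches the headers.
```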