Posted by Jerry Stuckle on 10/28/07 21:18

Bill H wrote:
> "Jerry Stuckle" <jstucklex@attglobal.net> wrote in message
> news:CNCdnTTVatATNL7anZ2dnUVZ_r2nnZ2d@comcast.com...
>> Bill H wrote:
>>> I've changed our web site to use a simple PHP script to send a demo
>>> request to our sales office. We use Postfix and everything is set up
>>> properly and works fine. I've been informed there are some security
>>> issues to review.
>>>
>>> The script looks like:
>>>
>>> <html>
>>> <head><title>PHP Mail Sender</title></head>
>>> <body>
>>> <?php
>>>
>
> [snipped]
>
>>> }
>>> ?>
>>> </body>
>>> </html>
>>>
>>> The main issue I'm wondering about is if I control the to and from
>>> address and header information for the mail, as I do above, is it
>>> possible to inject something else into the email to hijack the mail
>>> server?
>>>
>>> Thanks,
>>>
>>> Bill
>> Well, you're placing anything in the header which comes from the user
>> (i.e. from address, subject, etc.), so in that respect your script is
>> safe.
>>
>> However, just to be safe, you should verify the data input by the user.
>>
>
>
> Jerry:
>
> I'm not sure I understand the responses. It appears:
>
> 1) the script is safe because no user input is used in the header.
> 2) the script is safe because no user data is passed into the script or
> database,
> 3) javascript shouldn't be used as an error trapping technique, although
> it is safe
>
> I don't validate the user input because I don't really care if the
> input is valid or not; almost everyone who uses the page gives good
> information since they're asking us for something.
>
> So, the script is safe but it would be wise to hire someone to build a
> better script with proper error handling. Is this about correct?
>
> Thanks,
>
> Bill
>

(Top posting fixed)

It is safe in that it can't be used to spam because no user input is in
the header. But you do have user data passed to the email, and without
validation it is dangerous.

Your CUSTOMERS use it to give good information. But hackers could use
it to potentially upload trojans or viruses to your system. In that
respect it is very unsafe. And spammers can use it to spam your personnel.

NEVER trust user input!

And please don't top post. Thanks.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
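The point Jerry makes above (no user data in the headers, but every field still validated before it goes anywhere near the mail) is easy to get wrong in a small form handler. The following is an added example, not Bill's snipped script or anything Jerry posted: a validator and header builder for a demo-request form that keeps the From address fixed, puts the visitor's address only in Reply-To, and rejects any field that carries a line break, since a CR or LF in a header value is what lets a mail form be turned into a relay for extra recipients. The field names (`name`, `email`, `message`), the addresses and the limits are assumptions chosen for the example.

```php
<?php
// Added example for a PHP mail form (hypothetical field names and addresses).
// Validates user input before it is used in a mail() header or body.

/**
 * Returns a cleaned ['name', 'email', 'message'] array, or throws
 * InvalidArgumentException for input that must not reach mail().
 */
function validate_demo_request(array $post): array
{
    $name    = trim((string) ($post['name']    ?? ''));
    $email   = trim((string) ($post['email']   ?? ''));
    $message = trim((string) ($post['message'] ?? ''));

    // Anything that ends up in a header (the Reply-To address, the name we
    // echo there) must not contain CR, LF or NUL: a line break would start a
    // new header line of the attacker's choosing.
    foreach (['name' => $name, 'email' => $email] as $field => $value) {
        if (preg_match('/[\r\n\x00]/', $value) === 1) {
            throw new InvalidArgumentException("$field contains line breaks");
        }
    }

    if ($name === '' || strlen($name) > 100) {
        throw new InvalidArgumentException('name missing or too long');
    }
    // filter_var rejects addresses with spaces, angle brackets or extra "@"s.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('email address is not valid');
    }
    // The body may keep newlines and tabs; strip every other control character.
    $message = preg_replace('/[^\P{Cc}\n\t]/u', '', $message);
    if ($message === '' || strlen($message) > 5000) {
        throw new InvalidArgumentException('message missing or too long');
    }

    return ['name' => $name, 'email' => $email, 'message' => $message];
}

/**
 * Builds the mail() arguments. From: is our own fixed address; the visitor's
 * address goes into Reply-To only, after validation.
 */
function build_demo_mail(array $fields, string $to = 'sales@example.com'): array
{
    $headers = "From: demo-form@example.com\r\n"
             . "Reply-To: {$fields['email']}\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";
    $body = "Name: {$fields['name']}\n"
          . "Email: {$fields['email']}\n\n"
          . $fields['message'];
    return [$to, 'Demo request', $body, $headers];
}

function send_demo_request(array $post): bool
{
    [$to, $subject, $body, $headers] = build_demo_mail(validate_demo_request($post));
    return mail($to, $subject, $body, $headers);
}

// Constructed inputs for a dry run (no mail is sent here).
$samples = [
    'good'    => ['name' => 'Alice', 'email' => 'alice@example.org',
                  'message' => "Please send us a demo.\nThanks."],
    'crlf'    => ['name' => 'Alice', 'email' => "alice@example.org\r\nBcc: other@example.net",
                  'message' => 'x'],
    'badaddr' => ['name' => 'Alice', 'email' => 'not an address', 'message' => 'x'],
];
foreach ($samples as $label => $input) {
    try {
        [$to, $subject, $body, $headers] = build_demo_mail(validate_demo_request($input));
        echo "$label: accepted, headers:\n$headers\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected (" . $e->getMessage() . ")\n";
    }
}
```

Run from the command line with `php demo_form.php`: the first sample is accepted and its headers printed, the second is rejected for the line break in the address, the third for the malformed address. In the real handler only `send_demo_request($_POST)` is called, so nothing reaches `mail()` without passing the validator.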
