Posted by Steve on 10/29/07 19:04
"shimmyshack" <matt.farey@gmail.com> wrote in message
news:1193519779.915072.181330@v3g2000hsg.googlegroups.com...
> On Oct 27, 8:27 pm, "Sanders Kaufman" <bu...@kaufman.net> wrote:
>> "Bill H" <some...@somedomain.com> wrote in message
>>
>> news:VradnVdP25-dFL7anZ2dnUVZ_rCtnZ2d@comcast.com...
>>
>> > I've changed our web site to use a simple PHP script to send a demo
>> > request to our sales office. We use Postfix and everything is set up
>> > properly and works fine. I've been informed there are some security
>> > issues to review.
>>
>> Since you do ZERO checking on the values it's nothing BUT security
>> issues.
>> You should never pass user-submitted data to mail or data bases without
>> validating it.
>>
>>
>>
>> > The script looks like:
>>
>> > <html>
>> > <head><title>PHP Mail Sender</title></head>
>> > <body>
>> > <?php
>>
>> > /* Pre-defined script variables. */
>> > /* $eol = "\r\n"; */
>> > $eol = "\n";
>> > $mailto = 'sa...@mydomain.com';
>> > $mailfrom = 'webser...@mydomain.com';
>> > $subject = 'Company Demo Request';
>>
>> > /* Initialize a clean array to replace $_POST with clean data */
>> > $name = $_POST['name'];
>> > $title = $_POST['title'];
>> > $company = $_POST['company'];
>> > $email = $_POST['email'];
>> > $phone = $_POST['phone'];
>> > $message = $_POST['message'];
>>
>> > /* Build HTML $salesmessage variable to pass to mail script */
>> > $salesmessage = "<HTML><HEAD></HEAD><BODY>" . $eol;
>> > $salesmessage .= "The following information comes from the company web site<BR>" . $eol;
>> > $salesmessage .= "demonstration link.<BR><BR>" . $eol;
>> > $salesmessage .= "<TABLE cols='2'>" . $eol;
>> > $salesmessage .= "<TR><TD style='color:blue'>Company Name: </TD><TD>" . $company . "</TD></TR>" . $eol;
>> > $salesmessage .= "<TR><TD style='color:blue'>Contact Name: </TD><TD>" . $name . "</TD></TR>" . $eol;
>> > $salesmessage .= "<TR><TD style='color:blue'>Contact Title: </TD><TD>" . $title . "</TD></TR>" . $eol;
>> > $salesmessage .= "<TR><TD style='color:blue'>Contact Email: </TD><TD>" . $email . "</TD></TR>" . $eol;
>> > $salesmessage .= "<TR><TD style='color:blue'>Contact Phone: </TD><TD>" . $phone . "</TD></TR>" . $eol;
>> > $salesmessage .= "</TABLE><BR>" . $eol;
>> > $salesmessage .= $message . $eol;
>> > $salesmessage .= "</BODY></HTML>" . $eol;
>>
>> > /* To send HTML mail, the Content-type header must be set */
>> > $headers = 'MIME-Version: 1.0' . $eol;
>> > $headers .= 'Content-type: text/html; charset=iso-8859-1' . $eol;
>>
>> > /* Additional header information */
>> > $headers .= 'To: Sales <' . $mailto . '>' . $eol;
>> > $headers .= 'From: ' . 'AsiWeb <' . $mailfrom . '>' . $eol . $eol;
>>
>> > /* PHP form validation: the script checks that the Email field contains a
>> > valid email address and the Subject field isn't empty. preg_match performs
>> > a regular expression match. It's a very powerful PHP function to validate
>> > form fields and other strings - see PHP manual for details. */
>> > if ($email == "") {
>> >     echo "<script>alert('Invalid or missing email address')</script>";
>> >     echo "<script>history.back(1)</script>";
>> > } elseif ($name == "") {
>> >     echo "<script>alert('Invalid or missing name')</script>";
>> >     echo "<script>history.back(1)</script>";
>> > } elseif ($company == "") {
>> >     echo "<script>alert('Invalid or missing company')</script>";
>> >     echo "<script>history.back(1)</script>";
>>
>> > /* Sends the mail and outputs the "Thank you" string if the mail is
>> > successfully sent, or the error string otherwise. */
>> > } elseif (mail($mailto, $subject, $salesmessage, $headers)) {
>> >     echo "<script>";
>> >     echo "self.location='../demo_response.html';";
>> >     echo "</script>";
>> > } else {
>> >     echo "<script>alert('Cannot send email to $mailto')</script>";
>> >     echo "<script>history.back(1)</script>";
>> > }
>> > ?>
>> > </body>
>> > </html>
>>
>> > The main issue I'm wondering about is if I control the to and from
>> > address and header information for the mail, as I do above, is it
>> > possible to inject something else into the email to hijack the mail
>> > server?
>>
>> > Thanks,
>>
>> > Bill
>
> even a 10-second glance reveals a few issues:
> cross-site scripting.
> header injection may be possible
> use of \n\n rather than \r\n
>
> I'm not sure where your "powerful validation" occurs, but it's not in this
> script, as you make no attempt to use regular expressions.
ROFLMAO !!!
so, 'powerful validation' is eq. to regex?!!!
you are, on all other counts, correct however. :^)
> Oh, and in case you're wondering - why would I perform regular
> expression validation on a mailto address I control - this is a demo,
> right? How will you ask the user to put in a valid email address, or
> any other data? You will of course have to use some kind of
> validation.
>
> My recommendation is to use a prewritten class to send emails - check
> out Zend, or some other framework for some (more) secure scripts,
> rolling your own should only be done when you think you can improve on
> the work of others with years of experience - often learned the hard
> way! The last thing you want is to have your email server blacklisted.
zend email classes are faaaar too bloated to send such simple emails. i've
got a script (posted last week) that i've been using for years. it's about
30-ish lines. does anything i want it to.
> if you use a secure class, your script will look something like:
>
> $email->setTo( $mailto );
> $email->setFrom( $mailto );
> $email->setMsg( $mailto );
> if( !$email->send() )
> {
> echo 'it wasnt sent';
> }
> else
> {
> echo 'it was';
> }
why would you need an instance of an email object? a static class with a send
method taking params would do nicely if you wanted to go that
route...otherwise, a stand-alone function works just great. thinking you
need classes when you don't is less than productive at times.
> the prevention of injection occurs elsewhere, but do not repeat your
> mistake of echoing back to the screen what the user has input unless
> you use htmlentities or some other filtering on the input.
>
> Or else a user can use this to take control of your webpages; this is
> the XSS I was talking about. This is pretty much rule number 1 of
> server-side coding with forms. Since you go on to send emails, I think
> perhaps you should check out the WASC webpages to see the complexity of
> decent secure dynamic pages before you get into hot water.
complexity is !== security. simplicity most assuredly *is*.
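A hardened version of the posted form handler, written as an added example for this thread (it is not Bill's script, Steve's 30-line script, or a Zend class), assuming PHP 7.4 or later and a working sendmail setup behind mail(): it rejects CR/LF in every single-line field so nothing submitted can reach the headers, validates the address with filter_var instead of an empty-string test, escapes every value before it goes into the HTML body, and uses "\r\n" line endings. The function name and the Reply-To header are my additions; the field names, From display name and subject are taken from the posted script.

```php
<?php
// Added example (not the thread's script or any framework): a form handler
// that keeps the server-controlled To/From of the original but closes the
// three gaps raised in the thread. Returns null on success, else an error.
function send_demo_request(array $post, string $mailto, string $mailfrom): ?string
{
    $eol = "\r\n";  // RFC 5322 header/body line ending, not "\n"
    $in = [];
    foreach (['name', 'title', 'company', 'email', 'phone', 'message'] as $f) {
        $in[$f] = trim((string)($post[$f] ?? ''));  // always a string, even if absent
    }
    // Single-line fields must not carry CR or LF: a line break is what lets
    // extra mail headers be smuggled in. Only the free-text message may be
    // multi-line, and it only ever lands in the body, never in a header.
    foreach (['name', 'title', 'company', 'email', 'phone'] as $f) {
        if (preg_match('/[\r\n]/', $in[$f])) {
            return "Invalid characters in $f";
        }
    }
    if ($in['name'] === '' || $in['company'] === '') {
        return 'Invalid or missing name or company';
    }
    // A real syntax check instead of the original's empty-string test.
    if (filter_var($in['email'], FILTER_VALIDATE_EMAIL) === false) {
        return 'Invalid or missing email address';
    }
    // Every value placed into HTML is escaped, so a submitted <script> is
    // displayed as text by the mail client instead of executed (the XSS point).
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    $labels = ['Company Name' => 'company', 'Contact Name' => 'name',
               'Contact Title' => 'title', 'Contact Email' => 'email',
               'Contact Phone' => 'phone'];
    $rows = '';
    foreach ($labels as $label => $f) {
        $rows .= "<tr><td>$label:</td><td>" . $h($in[$f]) . '</td></tr>' . $eol;
    }
    $body = '<html><body><table>' . $eol . $rows . '</table><br>' . $eol
          . nl2br($h($in['message'])) . $eol . '</body></html>' . $eol;
    // Headers come only from server-side constants plus the already-checked
    // address; To: is given once, as mail()'s first argument, not repeated.
    $headers = 'MIME-Version: 1.0' . $eol
             . 'Content-type: text/html; charset=UTF-8' . $eol
             . 'From: AsiWeb <' . $mailfrom . '>' . $eol
             . 'Reply-To: ' . $in['email'];
    if (!mail($mailto, 'Company Demo Request', $body, $headers)) {
        return 'Cannot send email';
    }
    return null;
}
```

Call it with $_POST and the two server-side addresses; when it returns an error string, show that message and send the user back, as the original does, without echoing any submitted value into the page.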