Re: Contact Form Spam

Posted by Shelly on 01/24/08 13:01

On Jan 24, 4:23 am, Rob <ratkin...@tbs-ltd.co.uk> wrote:
> On Jan 24, 5:33 am, Manuel Lemos <mle...@acm.org> wrote:
>
>
>
> > Hello,
>
> > on 01/24/2008 03:21 AM Shelly said the following:
>
> > > The calling code is (The constants are defined earlier. Also, $fld is
> > > an instance of a class that contains information about all of the
> > > fields on the form. The last three are not on the form and the
> > > security field was not part of $fld.)
> > > ====================
> > > $mail = new htmlMimeMail();
> > > $mail->setFrom(MAIL_FROM);
> > > $mail->setBcc(MAIL_CC);
> > > $mail->setSubject(MAIL_SUBJECT);
> > > $i = 0;
> > > $message = "";
>
> > > $html = '<body bgcolor="#CCFFCC">' .
> > > '<strong>From: </strong>' . MAIL_FROM . '<webmaster@' . MAIL_FROM .
> > > '.com><br>' .
> > > '<strong>Sent: </strong>' . MAIL_SENT . "<br>" .
> > > '<strong>To: </strong>' . MAIL_TO . "<br>" .
> > > '<strong>Subject: </strong>' . MAIL_SUBJECT . "<br>" .
> > > '<table border="1" align="center"><caption align="top"><b>' .
> > > MAIL_SUBJECT . '</b></caption><br>';
>
> > > for ($i=0; $i<$fld->size; $i++) {
> > > $message .= $fld->fldDisplay[$i] . ": " . $fld->fldVal[$fld->fldName[$i]] . "\r\n";
> > > $html .= '<tr><th>' . $fld->fldDisplay[$i] . '</th><td>' .
> > > $fld->fldVal[$fld->fldName[$i]] . '</td></tr>';
> > > }
>
> > > $html .= '<tr><th>Security Code Generated</th><td>' .
> > > $_POST['securityHidden'] . '</td></tr>';
> > > $html .= '<tr><th>Security Code Entered</th><td>' .
> > > $_POST['securityCode'] . '</td></tr>';
> > > $html .= '<tr><th>User IP Address</th><td>' . getenv("REMOTE_ADDR") .
> > > '</td></tr>';
> > > $html .= '</table></body>';
>
> > I don't know if that is enough to explain it, but you are not encoding
> > the values that you insert in the HTML message.
>
> > If any values start with < the mail program will process as a tag and
> > may not render anything. So the actual code may be there but is not
> > being displayed because it is taken as a tag.
>
> > Even parts of your static HTML will be omitted like this:
>
> > '<webmaster@' . MAIL_FROM .'.com><br>'
>
> > All you need to do is to use HtmlSpecialChars() to properly encode your
> > values in HTML.
>
> > --
>
> > Regards,
> > Manuel Lemos
>
> > PHP professionals looking for PHP jobs http://www.phpclasses.org/professionals/
>
> > PHP Classes - Free ready to use OOP components written in PHP http://www.phpclasses.org/
>
> Shelly, I haven't read this (long) thread in detail, but I think you
> have a problem I've seen before.
>
> Basically, what stops a spammer looking at the HTML on your page, then
> posting content back to the form processor contained in the 'ACTION'?
>
> By doing this, they bypass your page security, and can pass any
> information they want to.
>
> You can correct this by generating a known field on the form, lets say
> the date and time, or a unique ID, then checking this as the form
> results come back.
>
> There is NO SUBSTITUTE for checking the integrity of the data returned
> from a form, even if you have client side checking in place.
>
> I may be barking up the wrong tree here, but it certainly sounds like
> your problem.
>
> Rob.

Wow! I just learned something very important. Thanks. I looked at
the html generated (view source) and there it is. The hidden field,
its name, and its value are all to see. That means that they can
generate a form and put in even a null field in that area and my check
would fail because it matches. So, where do I hide the value to be
checked? Do I create a session variable and put its value there and
then check the returned value against that? (That seems to be
equivalent to the date and time).

Shelly
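The session-stored token Shelly asks about, combined with Manuel's HTML-encoding advice, as an added example (not code from this thread). It assumes PHP 7+ with sessions enabled, a hidden field still named `securityHidden`, and a plain `$fields` array of label => value pairs in place of Shelly's `$fld` object.

```php
<?php
// Added example (not from the thread). The token is stored server-side in the
// session, so the value visible in the page's hidden field proves nothing by
// itself: the server compares what comes back with what it issued.
session_start();

// Called when rendering the form: issue a fresh random token and remember it.
function issue_form_token(): string {
    $token = bin2hex(random_bytes(16));
    $_SESSION['form_token'] = $token;
    $_SESSION['form_token_issued'] = time();
    return $token;
}

// Called when the form is posted: the submitted value must be non-empty, equal
// the stored one, and be younger than $maxAge seconds (Rob's date/time idea).
function verify_form_token(array $post, int $maxAge = 3600): bool {
    $expected = $_SESSION['form_token'] ?? '';
    $issued   = $_SESSION['form_token_issued'] ?? 0;
    $given    = $post['securityHidden'] ?? '';
    // Clear the token so it cannot be reused for a second submission.
    unset($_SESSION['form_token'], $_SESSION['form_token_issued']);
    // An empty or missing field must never count as a match.
    if ($expected === '' || $given === '' || time() - $issued > $maxAge) {
        return false;
    }
    return hash_equals($expected, $given);   // constant-time comparison
}

// Build the HTML mail rows with every user value HTML-encoded (Manuel's point):
// a submitted value such as "<b>" is shown as text instead of becoming a tag.
function build_html_rows(array $fields): string {
    $html = '';
    foreach ($fields as $label => $value) {
        $html .= '<tr><th>' . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</th><td>'
               . htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8') . '</td></tr>';
    }
    return $html;
}

// When rendering the form, put issue_form_token() into the hidden
// securityHidden field. When handling the POST:
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!verify_form_token($_POST)) {
        http_response_code(400);
        exit('Form token missing, expired, or invalid.');
    }
    $rows = build_html_rows(['Name' => $_POST['name'] ?? '', 'Message' => $_POST['message'] ?? '']);
    // ... wrap $rows in the <table> and hand the result to the mail builder
}
```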
