Re: Is this attack harmless or harmful?

Posted by Philip Ronan on 09/07/05 21:23

"dmcconkey@yahoo.com" wrote:

> Some jerk wrote a robot to attack one of my contact forms. Once a day,
> it hits my form about 10 times in a couple of seconds. It adds email
> header info into a textarea box as printed below:
>
> Content-Type: multipart/mixed; boundary="===============0845246937=="
> MIME-Version: 1.0
> ... etc ...

The world is full of jerks. What's happening here is that someone is trying
to insert additional headers (Subject, To, From, etc.) into the email
generated by your form. The multipart/mixed business is there to split the
email up so that whatever you *think* you're putting in the email is never
actually seen. Instead the spammer has complete control over the content of
the email.

Fortunately PHP seems to have detected this and is refusing to send the
email. But really you should never *ever* take user-generated data straight
from a POST or GET request and put it into an email (or a database, or
anything else for that matter).

For example, the following script is unsafe because the "from" field can be
used to insert other headers (like "Cc", for example) to send email
anonymously to other recipients.

<?php
// Deliberately unsafe example: every header-bearing field comes straight from POST.
$to = 'me@example.com';
$from = $_POST['from'];      // unchecked: a CR/LF in here starts a new header line
$subj = $_POST['subject'];   // unchecked: same problem for the Subject header
$msg = $_POST['msg'];
mail($to, $subj, $msg, 'From: ' . $from);  // $from is pasted into the raw header block
?>

So basically you need to make damn sure your email script doesn't send
anything unless you're COMPLETELY satisfied that the data provided by the
user is genuine and safe to use. Treat *everything* with suspicion.

> Also, if I just do a str_replace() to change any occurrence of "MIME"
> into something innocuous, will that fortify my defenses?

No.

--
phil [dot] ronan @ virgin [dot] net
http://vzone.virgin.net/phil.ronan/
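The following is an added example, not code from the original post or from Philip Ronan. It shows, in Python rather than PHP, the check the post calls for: reject any header-bound field (From, Subject) that contains a carriage return or line feed, since that is the only way a form value can start a new header line, and validate the sender as a single plain address. It also shows why the str_replace() idea from the question does not help: an injected "Cc:" line contains no "MIME" at all. The sample injected field, the address pattern and the function names are constructed for this example and are assumptions, not the original poster's data.

```python
import re
from email.message import EmailMessage

# Constructed sample of a poisoned "from" field, modelled on the headers quoted in the thread.
INJECTED_FROM = (
    "victim@example.com\r\n"
    "Cc: target@example.net\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="abc"'
)

CRLF_RE = re.compile(r"[\r\n]")
# Deliberately strict: one plain address, no display name, no angle brackets.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
HEADER_LINE_RE = re.compile(r"^([A-Za-z0-9-]+):")


class HeaderInjectionError(ValueError):
    """Raised when a form field would smuggle extra lines into the header block."""


def validate_header_value(value, field):
    """A header value may never contain CR or LF; that is how new headers get injected."""
    if CRLF_RE.search(value):
        raise HeaderInjectionError(f"newline in {field!r} header value")
    return value


def validate_address(value):
    """Accept only a single plain address for the From header."""
    validate_header_value(value, "from")
    if not ADDRESS_RE.match(value):
        raise HeaderInjectionError("from field is not a single plain address")
    return value


def injected_header_names(value):
    """For logging/detection: list the header names an injected value would add."""
    names = []
    for line in CRLF_RE.split(value)[1:]:
        m = HEADER_LINE_RE.match(line)
        if m:
            names.append(m.group(1))
    return names


def build_message(to, from_, subject, body):
    """Build the contact-form email from validated fields; return an EmailMessage."""
    msg = EmailMessage()
    msg["To"] = to
    msg["From"] = validate_address(from_)
    msg["Subject"] = validate_header_value(subject, "subject")
    msg.set_content(body)  # the body is content, not headers, so newlines are fine here
    return msg


def accepts(from_, subject, body="hello"):
    """True if the fields pass validation, False if they would inject headers."""
    try:
        build_message("me@example.com", from_, subject, body)
        return True
    except HeaderInjectionError:
        return False


def naive_filter(value):
    """The str_replace() idea from the question: strip the word MIME and nothing else."""
    return value.replace("MIME", "")


if __name__ == "__main__":
    print("clean input accepted:", accepts("victim@example.com", "Hello"))
    print("injected headers:", injected_header_names(INJECTED_FROM))
    print("injected input accepted:", accepts(INJECTED_FROM, "Hello"))
    print("after naive MIME filter accepted:", accepts(naive_filter(INJECTED_FROM), "Hello"))
```

Anything that fails validation should be dropped and logged rather than "cleaned"; the injected header names are useful in that log entry because they show what the sender was trying to add.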

