Posted by Philip Ronan on 11/11/05 17:36
"Lisa Pearlson" wrote:
> They can also inject stuff in the "Subject" line..
>
> You should run your name, e-mail and subject lines through a test function
> like mine:
>
> function isUnsafe($str)
> {
>     // eregi() was removed in PHP 7; stripos() gives the same
>     // case-insensitive substring test, so the checks below behave
>     // exactly as the original did.
>     if (stripos($str, 'Content-Type') !== false)
>         return true;
>
>     if (stripos($str, 'multipart/mixed') !== false)
>         return true;
>
>     if (stripos($str, 'bcc:') !== false)
>         return true;
>
>     return false;
> }
>
> Probably isn't sufficient, but the "Content-Type" and "multipart" stuff is
> dangerous.
This was discussed here just a few days ago:
http://groups.google.co.uk/group/comp.lang.php/browse_thread/thread/689f9ef15372dfc1/7da226ecec244dea
Generally it's better to check that the submitted data conforms to a *valid*
pattern than to check it against specific *invalid* patterns. Among other
things, your routine won't detect any linefeeds, which provide a simple
means of inserting additional headers (and even body content) into an email.
So for example, if you think a valid "Subject" should consist of between 1
and 200 characters with ASCII codes of 32 or more (i.e. no control
characters), then *don't accept anything else*.
You should also make sure your script cannot be affected by user input that
contains, for example, quotation marks or HTML tags. For example, suppose
your error routine consists of something like this:
<?php
:
:
$subject = $_GET["subject"];
// $subject is echoed straight into the page, unescaped
if (!isValid($subject))
    die("<P>Sorry, but \"$subject\" is not a valid subject string.</P>");
:
:
?>
If you haven't checked that $subject contains no HTML tags, then the hacker
can insert whatever he likes into your HTML, such as a link to some other
website, or a piece of JavaScript that redirects the page automatically. That
would be a serious problem if the page was part of an online banking site
(Google for "phishing" if you can't figure out why).
--
phil [dot] ronan @ virgin [dot] net
http://vzone.virgin.net/phil.ronan/
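The allowlist check Phil describes (1 to 200 characters, no control characters) and the escaped error message, written out as runnable PHP. This is an added example, not code from the thread; the function names isValidSubject() and safeErrorMessage() and the sample strings are mine. It also covers one PCRE detail the post does not mention: without the D modifier, "$" matches before a trailing newline, so a subject ending in "\n" would slip through.

```php
<?php
// Added example (not from the original thread): allowlist validation of a
// mail "Subject" field plus safe echoing of the value in an error page.
// Assumption: the function names and sample inputs below are mine.

/**
 * Accept only subjects of 1..200 printable ASCII characters (codes 32-126).
 * Any CR, LF or other control character is rejected, which blocks header
 * injection no matter which header name the input carries.
 * The "D" modifier makes "$" match only at the very end of the string;
 * without it PCRE lets "$" match before a final "\n".
 */
function isValidSubject(string $subject): bool
{
    return preg_match('/^[\x20-\x7E]{1,200}$/D', $subject) === 1;
}

/**
 * Build the error message with the user value HTML-escaped, so a subject
 * containing "<" or quotes cannot inject markup or script into the page.
 */
function safeErrorMessage(string $subject): string
{
    $escaped = htmlspecialchars($subject, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Sorry, but \"$escaped\" is not a valid subject string.</p>";
}

// Constructed sample inputs with the result the validator should give.
$samples = [
    "Hello there"                        => true,   // plain text: accepted
    ""                                   => false,  // empty: rejected
    str_repeat('a', 201)                 => false,  // too long: rejected
    "Hi\r\nBcc: someone@example.invalid" => false,  // CRLF: rejected
    "Hi\nContent-Type: text/html"        => false,  // LF: rejected
    "Hi\n"                               => false,  // trailing LF: rejected only thanks to /D
    "<script>alert(1)</script>"          => true,   // valid characters, so output escaping must handle it
];

foreach ($samples as $input => $expected) {
    $ok = isValidSubject($input);
    printf("%-7s %s\n", $ok ? 'valid' : 'INVALID', json_encode($input));
    assert($ok === $expected);
}

// The last sample passes validation, so escaping on output is still needed;
// show what the escaped error line looks like.
echo safeErrorMessage("<script>alert(1)</script>"), "\n";
```

The validator never looks for specific header names, which is the point of the allowlist approach: a new header name or a different MIME trick does not need a new rule, because the CR/LF needed to start a header line is not in the accepted character set. The escaping step is separate because valid subjects can still contain "<" and quotes.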