Posted by Gordon Burditt on 03/02/06 20:50
>I have an online form - script below. I thought it was secure, but
>last night I got 20 or so blank e-mails from my site and one that
>bounced ?? Is this script secure or am I being abused by spammers?
If you permit the mail() function to be called with user input containing
carriage return or line feed characters in *ANY* argument besides
the message body, your script is not secure.
A common offender is letting the user specify his own From: address
in the headers. At least when you do this you check the value.
I am not sure without testing whether your regular expression
check will properly reject an email with newlines in it, such as:
"fred@mydomain.com\nCc: a@aol.com, b@aol.com, c@aol.com, d@aol.com\n\n"
Rules for regular-expression matching with multiple lines involved get tricky.
Gordon L. Burditt
>
>any ideas?
>
>PHP SCRIPT
><?php
>
>
>$Name = $HTTP_POST_VARS['Name'];
>$email = $HTTP_POST_VARS['email'];
>$subject = "Message From us";
>$message = $HTTP_POST_VARS['comments'];
>$message2="\n\n$Name just filled in the form.\n\nTheir suggestions
>are:\n$message\n\n
>Their e-mail address is: $email\n\nTheir Phone Number is $phone";
>$to="me@yahoo.ca";
>
>/* PHP form validation: the script checks that the Email field contains
>a valid email address and the Subject field isn't empty. preg_match
>performs a regular expression match. It's a very powerful PHP function
>to validate form fields and other strings - see PHP manual for details.
>*/
>if (!preg_match("/\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*/",
>$email)) {
> echo "<h4>Invalid email address</h4>";
> echo "<a href='javascript:history.back(1);'>Back</a>";
>} elseif ($Name == "") {
> echo "<h4>It seems you forgot: Name</h4>";
> echo "<a href='javascript:history.back(1);'>Back</a>";
>}
>
>/* Sends the mail and outputs the "Thank you" string if the mail is
>successfully sent, or the error string otherwise. */
>elseif (mail($to,$subject,$message2,"From:$email")) {
> echo "Thank you $Name! We will get back to you as soon as we can.";
>} else {
> echo "<h4>There seems to been an error. Please <a
>href='mailto:info@us.com'>click here to e-mail us</a></h4>";
>}
>?>
>
>
>HERE IS THE E-MAIL
>
>Hi. This is the qmail-send program at mail.support1.net_bouncehost.
>I'm afraid I wasn't able to deliver your message to the following
>addresses.
>This is a permanent error; I've given up. Sorry it didn't work out.
>
><clifford@fresnomail.com>:
>207.183.238.67 does not like recipient.
>Remote host said: 550 5.1.2 <clifford@fresnomail.com>... Invalid
>Recipient
>Giving up on 207.183.238.67.
>
>--- Enclosed are the original headers of the message.
>
>Forwarded Message
>To: clifford@fresnomail.com
>Date: 1 Mar 2006 23:22:54 -0000
>From: info@us.com
>Subject: our company
>
>sure looks like I tried to e-mail this guy?
This message has NONE of the headers (like "Subject: message from us")
that your script puts in the message. It could be that a spammer
negated your headers by injecting two consecutive newlines in the
headers before yours. Or it could be that they just faked your
return address and it has nothing to do with your site until you
get the bounce.
Gordon L. Burditt
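As an added example that is not part of the original thread, the following PHP script runs the poster's own pattern and a stricter check against the injected address quoted in the reply, and only builds mail() headers from a value that passed the stricter check. The fixed site address `forms@example.com` and the helper names are assumptions.

```php
<?php
// Added example, not code from the original thread. It shows why the poster's
// unanchored preg_match() accepts an address carrying injected header lines,
// and a stricter check that refuses any CR/LF before the value reaches mail().

// The poster's pattern, unchanged. It has no ^ and $ anchors, so it only needs
// to find an address-looking substring *somewhere* in the input.
const ORIGINAL_PATTERN = '/\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*/';

function originalCheckAccepts(string $email): bool
{
    return preg_match(ORIGINAL_PATTERN, $email) === 1;
}

// Stricter check: refuse the value if it contains CR or LF at all (those are
// the characters that turn one header into several), then require the whole
// string to be a single syntactically valid address.
function isSafeAddress(string $value): bool
{
    if (preg_match('/[\r\n]/', $value) === 1) {
        return false;
    }
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

// Build the headers for mail() only from validated addresses, and keep From:
// fixed to a site address so the user-supplied value never appears in From:.
// $siteFrom is a hypothetical fixed address chosen for this example.
function buildHeaders(string $userEmail, string $siteFrom): ?string
{
    if (!isSafeAddress($userEmail) || !isSafeAddress($siteFrom)) {
        return null;           // caller should refuse to send
    }
    return "From: $siteFrom\r\nReply-To: $userEmail";
}

// Constructed inputs: a normal address and the injected one quoted in the reply.
$samples = [
    'fred@mydomain.com',
    "fred@mydomain.com\nCc: a@aol.com, b@aol.com, c@aol.com, d@aol.com\n\n",
];

foreach ($samples as $sample) {
    printf("%s\n  poster's regex: %s   strict check: %s   headers: %s\n",
        json_encode($sample),
        originalCheckAccepts($sample) ? 'accepts' : 'rejects',
        isSafeAddress($sample) ? 'accepts' : 'rejects',
        buildHeaders($sample, 'forms@example.com') === null ? 'refused' : 'built');
}
```

The first sample passes both checks; the second passes the poster's regex but is refused by the strict check, so no headers are built from it.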