Hi,
I was looking at mail injection, http://securephp.damonkohler.com/ind...mail_Injection
And I was wondering if my mail(...) was safe.
I ask in a form for
1 Name
2 Email address
3 Subject
4 Comment/Message
I then build one message by putting all of the above together.
So even if there was injection, it is all in the body of my message, right?
I then use mail(...) as per normal with my hard coded "To:" and "Subject:"
Is that a fairly safe way?
How should I parse my form to prevent malicious code, (Script? eval?)
Many thanks for your input.
Simon 22 2684
They can also inject stuff in the "Subject" line..
You should run your name, e-mail and subject lines through a test function
like mine:
function isUnsafe($str)
{
if (eregi('Content-Type', $str))
return true;
if (eregi('multipart/mixed', $str))
return true;
if (eregi('bcc:', $str))
return true;
return false;
}
Probably isn't sufficient, but the "Content-Type" and "multipart" stuff is
dangerous.
You should also hardcode the headers yourself with "Content-Type:
text/html".
HTH
Lisa
"Simon" <sp********@example.com> wrote in message
news:3t************@individual.net... Hi,
I was looking at mail injection, http://securephp.damonkohler.com/ind...mail_Injection
And I was wondering if my mail(...) was safe.
I ask in a form for 1 Name 2 Email address 3 Subject 4 Comment/Message
I then build one message by putting all of the above together. So even if there was injection, it is all in the body of my message, right?
I then use mail(...) as per normal with my hard coded "To:" and "Subject:"
Is that a fairly safe way?
How should I parse my form to prevent malicious code, (Script? eval?)
Many thanks for your input.
Simon
"Lisa Pearlson" <no@spam.plz> wrote in message
news:43**********************@dreader16.news.xs4al l.nl... They can also inject stuff in the "Subject" line..
You should run your name, e-mail and subject lines through a test function like mine:
function isUnsafe($str) { if (eregi('Content-Type', $str)) return true;
if (eregi('multipart/mixed', $str)) return true;
if (eregi('bcc:', $str)) return true;
return false; }
Probably isn't sufficient, but the "Content-Type" and "multipart" stuff is dangerous.
You should also hardcode the headers yourself with "Content-Type: text/html".
HTH Lisa
Thanks, but my subject is also hard coded, in fact, everything is hard
coded.
I place everything together into the body of the message itself.
My question would be more, what can they inject in the actual body of the
email?
Simon
"Lisa Pearlson" wrote: They can also inject stuff in the "Subject" line..
You should run your name, e-mail and subject lines through a test function like mine:
function isUnsafe($str) { if (eregi('Content-Type', $str)) return true;
if (eregi('multipart/mixed', $str)) return true;
if (eregi('bcc:', $str)) return true;
return false; }
Probably isn't sufficient, but the "Content-Type" and "multipart" stuff is dangerous.
This was discussed here just a few days ago: http://groups.google.co.uk/group/com...hread/689f9ef1
5372dfc1/7da226ecec244dea
Generally it's better to check that the submitted data conforms to a *valid*
pattern than to check it against specific *invalid* patterns. Among other
things, your routine won't detect any linefeeds, which provide a simple
means of inserting additional headers (and even body content) into an email.
So for example, if you think a valid "Subject" should consist of between 1
and 200 characters with ASCII codes of 32 or more (i.e. no control
characters), then *don't accept anything else*.
You should also make sure your script cannot be affected by user input that
contains, for example, quotation marks or HTML tags. For example, suppose
your error routine consists of something like this:
<?
:
:
$subject = $_GET["subject"];
if (!isValid($subject))
die("<P>Sorry, but \"$subject\" is not a valid subject string.</P>");
:
:
?>
If you haven't checked that $subject contains no HTML tags, then the hacker
can insert whatever he likes into your HTML, such as a link to some other
website, or piece of Javascript that redirects the page automatically. That
would be a serious problem if the page was part of an online banking site
(Google for "phishing" if you can't figure out why).
--
phil [dot] ronan @ virgin [dot] net http://vzone.virgin.net/phil.ronan/
Just make sure that you're stripping linefeeds/carriage-returns from
all the fields.
I agree, but some characters are valid in names in some countries, like
"Gert-Jan v/d Boer". So sometimes it can actually be harder to know what to
expect, than it it to know what is definitely wrong (like specific key words
or SQL statements).
"Philip Ronan" <in*****@invalid.invalid> wrote in message
news:BF9A6AFB.3AB44%in*****@invalid.invalid... "Lisa Pearlson" wrote:
They can also inject stuff in the "Subject" line..
You should run your name, e-mail and subject lines through a test function like mine:
function isUnsafe($str) { if (eregi('Content-Type', $str)) return true;
if (eregi('multipart/mixed', $str)) return true;
if (eregi('bcc:', $str)) return true;
return false; }
Probably isn't sufficient, but the "Content-Type" and "multipart" stuff is dangerous.
This was discussed here just a few days ago: http://groups.google.co.uk/group/com...hread/689f9ef1 5372dfc1/7da226ecec244dea
Generally it's better to check that the submitted data conforms to a *valid* pattern than to check it against specific *invalid* patterns. Among other things, your routine won't detect any linefeeds, which provide a simple means of inserting additional headers (and even body content) into an email.
So for example, if you think a valid "Subject" should consist of between 1 and 200 characters with ASCII codes of 32 or more (i.e. no control characters), then *don't accept anything else*.
You should also make sure your script cannot be affected by user input that contains, for example, quotation marks or HTML tags. For example, suppose your error routine consists of something like this:
<? : : $subject = $_GET["subject"]; if (!isValid($subject)) die("<P>Sorry, but \"$subject\" is not a valid subject string.</P>"); : : ?>
If you haven't checked that $subject contains no HTML tags, then the hacker can insert whatever he likes into your HTML, such as a link to some other website, or piece of Javascript that redirects the page automatically. That would be a serious problem if the page was part of an online banking site (Google for "phishing" if you can't figure out why).
-- phil [dot] ronan @ virgin [dot] net http://vzone.virgin.net/phil.ronan/ If you haven't checked that $subject contains no HTML tags, then the hacker can insert whatever he likes into your HTML, such as a link to some other website, or piece of Javascript that redirects the page automatically. That would be a serious problem if the page was part of an online banking site (Google for "phishing" if you can't figure out why).
Yes, so after "isUnsafe" I actually call htmlspecialchars()
"Lisa Pearlson" wrote: I agree, but some characters are valid in names in some countries, like "Gert-Jan v/d Boer". So sometimes it can actually be harder to know what to expect, than it it to know what is definitely wrong (like specific key words or SQL statements).
That's very true. I didn't say this was *easy* did I?
--
phil [dot] ronan @ virgin [dot] net http://vzone.virgin.net/phil.ronan/
Simon wrote: My question would be more, what can they inject in the actual body of the email?
Make sure the "additional headers" parameter ends with "\r\n\r\n" and you
ought to be fine.
--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
"Toby Inkster" <us**********@tobyinkster.co.uk> wrote in message
news:40************@ophelia.g5n.co.uk... Simon wrote:
My question would be more, what can they inject in the actual body of the email?
Make sure the "additional headers" parameter ends with "\r\n\r\n" and you ought to be fine.
Sorry, I am still not sure I follow,
Almost everything is hard coded, (the 'to' and the 'subject').
and the header is
"Reply-To: we*******@example.com."\n" .
"From: we*******@example.com."\n" .
"Return-Path: we*******@example.com."\n" .
"MIME-Version: 1.0\n".
"Content-type: text/plain; charset=iso-8859-1\n".
"Content-transfer-encoding: 8bit\n".
"Date: " . date('r', time()) . "\n".
"X-Priority: 3\n".
"X-MSMail-Priority: Normal\n".
"X-Mailer: PHP/" . phpversion();
So are you saying I should add "\r\n\r\n" as well?
the message is created using the info given by the user. _but I don't check
that data_.
What could they inject into the message that would cause mail(...) to be
unsafe?
Thanks
Simon
Simon wrote: "Toby Inkster" <us**********@tobyinkster.co.uk> wrote in message news:40************@ophelia.g5n.co.uk... Simon wrote:
My question would be more, what can they inject in the actual body of the email? Make sure the "additional headers" parameter ends with "\r\n\r\n" and you ought to be fine.
Sorry, I am still not sure I follow, Almost everything is hard coded, (the 'to' and the 'subject').
and the header is
"Reply-To: we*******@example.com."\n" . "From: we*******@example.com."\n" . "Return-Path: we*******@example.com."\n" . "MIME-Version: 1.0\n". "Content-type: text/plain; charset=iso-8859-1\n". "Content-transfer-encoding: 8bit\n". "Date: " . date('r', time()) . "\n". "X-Priority: 3\n". "X-MSMail-Priority: Normal\n". "X-Mailer: PHP/" . phpversion();
next comes the $message. if the message was
\n bcc: un******@recipient.com, un******@adslfkj.com, \n
lemme tell ya bout these blue pills...
(or something like that)
You can see where that aint gonna be too cool.
So are you saying I should add "\r\n\r\n" as well?
that's supposed to make the mailing program quit with the headers and
send the rest as the message.
"juglesh" wrote: Simon wrote: Almost everything is hard coded, (the 'to' and the 'subject').
and the header is
"Reply-To: we*******@example.com."\n" . "From: we*******@example.com."\n" . "Return-Path: we*******@example.com."\n" . "MIME-Version: 1.0\n". "Content-type: text/plain; charset=iso-8859-1\n". "Content-transfer-encoding: 8bit\n". "Date: " . date('r', time()) . "\n". "X-Priority: 3\n". "X-MSMail-Priority: Normal\n". "X-Mailer: PHP/" . phpversion();
next comes the $message. if the message was \n bcc: un******@recipient.com, un******@adslfkj.com, \n lemme tell ya bout these blue pills...
The php mail() function doesn't work like that. Additional headers are
passed as a separate parameter to the mail() function. There is no need to
add extra linebreaks at the beginning of the body text; PHP will do this
anyway.
If the headers have all been hard-coded like in Simon's example, then the
script is safe. There is no way the POST data can be rigged to insert
additional headers into the email.
--
phil [dot] ronan @ virgin [dot] net http://vzone.virgin.net/phil.ronan/
Simon wrote: the message is created using the info given by the user. _but I don't check that data_. What could they inject into the message that would cause mail(...) to be unsafe?
$_POST['message'] = "BCC: me@example.com\r\n\r\nlalala";
--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
"Toby Inkster" wrote: Simon wrote:
the message is created using the info given by the user. _but I don't check that data_. What could they inject into the message that would cause mail(...) to be unsafe? $_POST['message'] = "BCC: me@example.com\r\n\r\nlalala";
Totally ineffective.
The $message parameter is not added to the headers. All you would manage to
do is create an email containing the following body:
BCC: me@example.com
lalala
Try reading up on the subject:
<http://uk2.php.net/manual/en/function.mail.php>
<http://www.ietf.org/rfc/rfc0822.txt>
--
phil [dot] ronan @ virgin [dot] net http://vzone.virgin.net/phil.ronan/
Philip Ronan wrote: The $message parameter is not added to the headers.
So naïve! They're all concatenated and passed to the sendmail binary.
--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
"Toby Inkster" wrote: Philip Ronan wrote:
The $message parameter is not added to the headers.
So naïve! They're all concatenated and passed to the sendmail binary.
You really don't have a clue what you're talking about.
--
phil [dot] ronan @ virgin [dot] net http://vzone.virgin.net/phil.ronan/
Toby Inkster wrote: Philip Ronan wrote:
The $message parameter is not added to the headers.
So naïve! They're all concatenated and passed to the sendmail binary.
-- Toby A Inkster BSc (Hons) ARCS Contact Me ~ http://tobyinkster.co.uk/contact
The message is always preceded by a newline, which delimits it from the
headers.
Philip Ronan wrote: "Toby Inkster" wrote:
Philip Ronan wrote:
The $message parameter is not added to the headers.
So naïve! They're all concatenated and passed to the sendmail binary.
You really don't have a clue what you're talking about.
fine, lets try it: (on a misspelled domain on a server I'm about to
ditch) http://palmerbodine.com/spamme.php
I cant seem to get it to spam from the message field. I'll leave it up
for a day or so.
--
j
Hello,
on 11/11/2005 09:03 AM Simon said the following: I was looking at mail injection, http://securephp.damonkohler.com/ind...mail_Injection
And I was wondering if my mail(...) was safe.
I ask in a form for 1 Name 2 Email address 3 Subject 4 Comment/Message
I then build one message by putting all of the above together. So even if there was injection, it is all in the body of my message, right?
I then use mail(...) as per normal with my hard coded "To:" and "Subject:"
Is that a fairly safe way?
How should I parse my form to prevent malicious code, (Script? eval?)
Message headers should be encoded with q-encoding (a variant of
quoted-printable encoding for headers). If you do not know how to encode
the messages properly, you may want to try this MIME message class that
can do it for you safely: http://www.phpclasses.org/mimemessage
--
Regards,
Manuel Lemos
Metastorage - Data object relational mapping layer generator http://www.metastorage.net/
PHP Classes - Free ready to use OOP components written in PHP http://www.phpclasses.org/
Manuel Lemos wrote: Hello,
on 11/11/2005 09:03 AM Simon said the following: I was looking at mail injection, http://securephp.damonkohler.com/ind...mail_Injection
And I was wondering if my mail(...) was safe.
I ask in a form for 1 Name 2 Email address 3 Subject 4 Comment/Message
I then build one message by putting all of the above together. So even if there was injection, it is all in the body of my message, right?
I then use mail(...) as per normal with my hard coded "To:" and "Subject:"
Is that a fairly safe way?
How should I parse my form to prevent malicious code, (Script? eval?)
Message headers should be encoded with q-encoding (a variant of quoted-printable encoding for headers). If you do not know how to encode the messages properly, you may want to try this MIME message class that can do it for you safely:
http://www.phpclasses.org/mimemessage
I asked you about mail injection visavis mimemessage class before, but
got an answer that I did not understand 8)
do you need to filter user supplied data prior to sending it thru
mimemessage?
--
juglesh
Hello,
on 11/17/2005 11:55 PM juglesh said the following: How should I parse my form to prevent malicious code, (Script? eval?) Message headers should be encoded with q-encoding (a variant of quoted-printable encoding for headers). If you do not know how to encode the messages properly, you may want to try this MIME message class that can do it for you safely:
http://www.phpclasses.org/mimemessage
I asked you about mail injection visavis mimemessage class before, but got an answer that I did not understand 8)
do you need to filter user supplied data prior to sending it thru mimemessage?
No, after you pass the data to the class for headers or body parts, it
is encoded properly so certain characters are escaped to remove their
special meaning that could be exploited.
Only some functions that take e-mail address do not do anything with
those address. So, you should validate those addresses with a regular
expression or something more complete like this other class: http://www.phpclasses.org/emailvalidation
--
Regards,
Manuel Lemos
Metastorage - Data object relational mapping layer generator http://www.metastorage.net/
PHP Classes - Free ready to use OOP components written in PHP http://www.phpclasses.org/
Manuel Lemos wrote: Hello,
on 11/17/2005 11:55 PM juglesh said the following: How should I parse my form to prevent malicious code, (Script? eval?) Message headers should be encoded with q-encoding (a variant of quoted-printable encoding for headers). If you do not know how to encode the messages properly, you may want to try this MIME message class that can do it for you safely:
http://www.phpclasses.org/mimemessage
I asked you about mail injection visavis mimemessage class before, but got an answer that I did not understand 8)
do you need to filter user supplied data prior to sending it thru mimemessage?
No, after you pass the data to the class for headers or body parts, it is encoded properly so certain characters are escaped to remove their special meaning that could be exploited.
Only some functions that take e-mail address do not do anything with those address. So, you should validate those addresses with a regular expression or something more complete like this other class:
http://www.phpclasses.org/emailvalidation
k, thanx! This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics |
by: baustin75 |
last post by:
Posted: Mon Oct 03, 2005 1:41 pm Post subject: cannot mail() in ie
only when debugging in php designer 2005
--------------------------------------------------------------------------------
...
|
by: ss |
last post by:
hi,
can anybody gives me a sample code where the sql injection attack is
validated.
how can i do that in business logic layer and pass the error to the
presentation tier
I want the sample...
|
by: Tor Erik Soenvisen |
last post by:
Hi,
How safe is the following code against SQL injection:
# Get user privilege
digest = sha.new(pw).hexdigest()
# Protect against SQL injection by escaping quotes
uname = uname.replace("'",...
|
by: |
last post by:
There are assorted "SQL Injection vulnerability assessment tools" out there.
They scan your site and send your report. They also take your money.
We don't have the money so I was wondering if I...
|
by: Sudhakar |
last post by:
i have implemented a way to avoid sql injection from the php website
from this url
http://in.php.net/mysql_real_escape_string from the "Example #3 A
"Best Practice" query" section of this page
...
| |
by: Jeigh |
last post by:
Quite a while back now I had a file uploaded to my site overwriting the index, which boasted of this hackers amazing skills in defacing my site. Never did figure out how they did it, however I found...
|
by: Cirene |
last post by:
I am using formview controls to insert/update info into my tables.
I'm worried about SQL injection.
How do you recommend I overcome this issue?
In the past I've called a custom cleanup...
|
by: Voodoo Jai |
last post by:
I have a page the uses a form to pass a postcode to another page and I
want to test it against an SQL Injection. What would be a safe (i.e NO
DELETING of data ) statement to try and how would I...
|
by: Frinavale |
last post by:
SQL Injection Attack
A database is a collection of information organised in such a way that allows computer programs to access data (even large amounts) quickly and easily. Data within a database is...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
| |
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing,...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
| |
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated ...
| | |