security issue

last night I got 20 or so blank e-mails from my site and one that
bounced ?? Is this script secure or am I being abused by spammers?
If you permit the mail() function to be called with user input containing
carriage return or line feed characters in *ANY* argument besides
the message body, your script is not secure.

A common offender is letting the user specify his own From: address
in the headers. At least when you do this you check the value.

I am not sure without testing whether your regular expression
check will properly reject an email with newlines in it, such as:

"fr**@mydomain.com\nCc: a@aol.com, b@aol.com, c@aol.com, d@aol.com\n\n"

Rules for regular-expression matching with multiple lines involved get tricky.
Gordon L. Burditt
any ideas?

PHP SCRIPT
<?php
$Name = $HTTP_POST_VARS['Name'];
$email = $HTTP_POST_VARS['email'];
$subject = "Message From us";
$message = $HTTP_POST_VARS['comments'];
$message2="\n\n$Name just filled in the form.\n\nTheir suggestions
are:\n$message\n\n
Their e-mail address is: $email\n\nTheir Phone Number is $phone";
$to="me@yahoo.ca";

/* PHP form validation: the script checks that the Email field contains
a valid email address and the Subject field isn't empty. preg_match
performs a regular expression match. It's a very powerful PHP function
to validate form fields and other strings - see PHP manual for details.
*/
if (!preg_match("/\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*/",
$email)) {
echo "<h4>Invalid email address</h4>";
echo "<a href='javascript:history.back(1);'>Back</a>";
} elseif ($Name == "") {
echo "<h4>It seems you forgot: Name</h4>";
echo "<a href='javascript:history.back(1);'>Back</a>";
}

/* Sends the mail and outputs the "Thank you" string if the mail is
successfully sent, or the error string otherwise. */
elseif (mail($to,$subject,$message2,"From:$email")) {
echo "Thank you $Name! We will get back to you as soon as we can.";
} else {
echo "<h4>There seems to been an error. Please <a
href='mailto:info&#64us.com'>click here to e-mail us</a></h4>";
}
?>
HERE IS THE E-MAIL

Hi. This is the qmail-send program at mail.support1.net_bouncehost.
I'm afraid I wasn't able to deliver your message to the following
addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<cl******@fresnomail.com>:
207.183.238.67 does not like recipient.
Remote host said: 550 5.1.2 <cl******@fresnomail.com>... Invalid
Recipient
Giving up on 207.183.238.67.

--- Enclosed are the original headers of the message.

Forwarded Message [ Download File | Save to Yahoo! Canada Briefcase ]
To: cl******@fresnomail.com
Date: 1 Mar 2006 23:22:54 -0000
From: in**@us.com
Subject: our company

sure looks like I tried to e-mail this guy?

I have an online form - script below. I thought it was secure, but
last night I got 20 or so blank e-mails from my site and one that
bounced ?? Is this script secure or am I being abused by spammers?

bokke wrote:

I have an online form - script below. I thought it was secure, but
last night I got 20 or so blank e-mails from my site and one that
bounced ?? Is this script secure or am I being abused by spammers?

There's a flaw in your regular expression. Right now it only looks for
the existence of a valid e-mail address within $email. Thus if $email
contains the following:

se****@anonymous.www
Cc:re*******@someothersite.xxx
Bcc:so*******@grrrr.xxx,so************@oooops.xxx

preg_match() will return true since there certainly is a correctly
formatted e-mail address in there.

Putting ^ at the beginning and $ at the end of the expression should
yield something more like what you had intended.

Why not just fix the regular expression?

Chung Leong wrote:

Why not just fix the regular expression?

Sorry Chung - What would I change it to? I'm new at this security
stuff.

michael

$email = preg_replace( '/[\r\n]/', '', $email );

$email = $HTTP_POST_VARS['email'];
Anything the preg_replace call did, the above line undoes.
$subject = "Message From us";
$message = $HTTP_POST_VARS['comments'];

if I added the second line - the form still works but that doesn't seem
to fix the problem you mention above? or does it?