security issue

I have an online form - script below. I thought it was secure, but
last night I got 20 or so blank e-mails from my site and one that
bounced ?? Is this script secure or am I being abused by spammers?

any ideas?

PHP SCRIPT
<?php
// $HTTP_POST_VARS is the pre-PHP-4.1 name for $_POST; kept as the poster wrote it.
$Name = $HTTP_POST_VARS['Name'];
$email = $HTTP_POST_VARS['email'];
// $phone was used in the message below but never assigned; the form field
// name 'phone' is assumed.
$phone = $HTTP_POST_VARS['phone'];
$subject = "Message From us";
$message = $HTTP_POST_VARS['comments'];
$message2 = "\n\n$Name just filled in the form.\n\nTheir suggestions are:\n$message\n\n"
    . "Their e-mail address is: $email\n\nTheir Phone Number is $phone";
$to = "me@yahoo.ca";

/* PHP form validation: the script checks that the Email field contains
a valid email address and the Name field isn't empty. preg_match
performs a regular expression match. It's a very powerful PHP function
to validate form fields and other strings - see PHP manual for details.
Note that this pattern has no ^ and $ anchors, so it only checks that an
address appears somewhere inside $email. */
if (!preg_match("/\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*/", $email)) {
    echo "<h4>Invalid email address</h4>";
    echo "<a href='javascript:history.back(1);'>Back</a>";
} elseif ($Name == "") {
    echo "<h4>It seems you forgot: Name</h4>";
    echo "<a href='javascript:history.back(1);'>Back</a>";
}
/* Sends the mail and outputs the "Thank you" string if the mail is
successfully sent, or the error string otherwise. $email is passed
straight into the additional headers of mail(). */
elseif (mail($to, $subject, $message2, "From: $email")) {
    echo "Thank you $Name! We will get back to you as soon as we can.";
} else {
    echo "<h4>There seems to have been an error. Please <a"
        . " href='mailto:info&#64;us.com'>click here to e-mail us</a></h4>";
}
?>
HERE IS THE E-MAIL

Hi. This is the qmail-send program at mail.support1.net_bouncehost.
I'm afraid I wasn't able to deliver your message to the following
addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<cl******@fresnomail.com>:
207.183.238.67 does not like recipient.
Remote host said: 550 5.1.2 <cl******@fresnomail.com>... Invalid
Recipient
Giving up on 207.183.238.67.

--- Enclosed are the original headers of the message.

Forwarded Message
To: cl******@fresnomail.com
Date: 1 Mar 2006 23:22:54 -0000
From: in**@us.com
Subject: our company

sure looks like I tried to e-mail this guy?

please help!

Mar 2 '06 #1
> I have an online form - script below. I thought it was secure, but
> last night I got 20 or so blank e-mails from my site and one that
> bounced ?? Is this script secure or am I being abused by spammers?
If you permit the mail() function to be called with user input containing
carriage return or line feed characters in *ANY* argument besides
the message body, your script is not secure.

A common offender is letting the user specify his own From: address
in the headers. At least when you do this you check the value.

I am not sure without testing whether your regular expression
check will properly reject an email with newlines in it, such as:

"fr**@mydomain.com\nCc: a@aol.com, b@aol.com, c@aol.com, d@aol.com\n\n"

Rules for regular-expression matching with multiple lines involved get tricky.
Gordon L. Burditt
> any ideas?
>
> PHP SCRIPT
> <?php
> $Name = $HTTP_POST_VARS['Name'];
> $email = $HTTP_POST_VARS['email'];
> $subject = "Message From us";
> $message = $HTTP_POST_VARS['comments'];
> $message2="\n\n$Name just filled in the form.\n\nTheir suggestions
> are:\n$message\n\n
> Their e-mail address is: $email\n\nTheir Phone Number is $phone";
> $to="me@yahoo.ca";
>
> /* PHP form validation: the script checks that the Email field contains
> a valid email address and the Subject field isn't empty. preg_match
> performs a regular expression match. It's a very powerful PHP function
> to validate form fields and other strings - see PHP manual for details.
> */
> if (!preg_match("/\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*/",
> $email)) {
> echo "<h4>Invalid email address</h4>";
> echo "<a href='javascript:history.back(1);'>Back</a>";
> } elseif ($Name == "") {
> echo "<h4>It seems you forgot: Name</h4>";
> echo "<a href='javascript:history.back(1);'>Back</a>";
> }
>
> /* Sends the mail and outputs the "Thank you" string if the mail is
> successfully sent, or the error string otherwise. */
> elseif (mail($to,$subject,$message2,"From:$email")) {
> echo "Thank you $Name! We will get back to you as soon as we can.";
> } else {
> echo "<h4>There seems to been an error. Please <a
> href='mailto:info&#64us.com'>click here to e-mail us</a></h4>";
> }
> ?>
> HERE IS THE E-MAIL
>
> Hi. This is the qmail-send program at mail.support1.net_bouncehost.
> I'm afraid I wasn't able to deliver your message to the following
> addresses.
> This is a permanent error; I've given up. Sorry it didn't work out.
>
> <cl******@fresnomail.com>:
> 207.183.238.67 does not like recipient.
> Remote host said: 550 5.1.2 <cl******@fresnomail.com>... Invalid
> Recipient
> Giving up on 207.183.238.67.
>
> --- Enclosed are the original headers of the message.
>
> Forwarded Message
> To: cl******@fresnomail.com
> Date: 1 Mar 2006 23:22:54 -0000
> From: in**@us.com
> Subject: our company
>
> sure looks like I tried to e-mail this guy?


This message has NONE of the headers (like "Subject: message from us")
that your script puts in the message. It could be that a spammer
negated your headers by injecting two consecutive newlines in the
headers before yours. Or it could be that they just faked your
return address and it has nothing to do with your site until you
get the bounce.

Gordon L. Burditt
Mar 2 '06 #2
bokke wrote:
> I have an online form - script below. I thought it was secure, but
> last night I got 20 or so blank e-mails from my site and one that
> bounced ?? Is this script secure or am I being abused by spammers?


There's a flaw in your regular expression. Right now it only looks for
the existence of a valid e-mail address within $email. Thus if $email
contains the following:

se****@anonymous.www
Cc:re*******@someothersite.xxx
Bcc:so*******@grrrr.xxx,so************@oooops.xxx

preg_match() will return true since there certainly is a correctly
formatted e-mail address in there.

Putting ^ at the beginning and $ at the end of the expression should
yield something more like what you had intended.

Mar 3 '06 #3
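An added example (not code from the thread) that runs the original pattern and Chung's anchored version side by side over constructed inputs: the multi-line value with an injected Cc: header passes only the unanchored pattern. The third pattern with the `D` modifier is an addition beyond what the thread suggests, since in PCRE a bare `$` still matches just before a final newline.

```php
<?php
// Constructed sample inputs: one clean address and two injection-shaped values.
$inputs = [
    'clean'    => 'someone@example.com',
    'cc'       => "someone@example.com\nCc: a@example.net, b@example.net",
    'trailing' => "someone@example.com\n",   // lone newline at the very end
];

// Pattern from the original script: no anchors, so it only asks
// "is there an address somewhere inside the string?"
$unanchored = '/\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*/';

// Chung's fix: the address has to span the whole string.
$anchored = '/^\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*$/';

// Stricter still (assumed addition): the D (PCRE_DOLLAR_ENDONLY) modifier
// stops $ from matching before a trailing "\n".
$strict = '/^\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*$/D';

// preg_match() returns 1 on a match, 0 on none, false on a pattern error;
// only 1 counts as "accepted".
function accepted(string $pattern, string $value): bool
{
    return preg_match($pattern, $value) === 1;
}

printf("%-9s %-10s %-9s %-7s\n", 'input', 'unanchored', 'anchored', 'strict');
foreach ($inputs as $label => $value) {
    printf("%-9s %-10s %-9s %-7s\n",
        $label,
        accepted($unanchored, $value) ? 'accept' : 'reject',
        accepted($anchored, $value)   ? 'accept' : 'reject',
        accepted($strict, $value)     ? 'accept' : 'reject');
}
```

Run it with `php` on the command line; each row shows which of the three patterns would have let that value reach the mail() headers.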

Chung Leong wrote:
> bokke wrote:
>> I have an online form - script below. I thought it was secure, but
>> last night I got 20 or so blank e-mails from my site and one that
>> bounced ?? Is this script secure or am I being abused by spammers?
>
> There's a flaw in your regular expression. Right now it only looks for
> the existence of a valid e-mail address within $email. Thus if $email
> contains the following:
>
> se****@anonymous.www
> Cc:re*******@someothersite.xxx
> Bcc:so*******@grrrr.xxx,so************@oooops.xxx
>
> preg_match() will return true since there certainly is a correctly
> formatted e-mail address in there.
>
> Putting ^ at the beginning and $ at the end of the expression should
> yield something more like what you had intended.


How about using this
$Name = $HTTP_POST_VARS['Name'];
$email = preg_replace( '/[\r\n]/', '', $email );
$email = $HTTP_POST_VARS['email'];
$subject = "Message From us";

would this stop the abuse because it seems they are not using a
'return'?

michael

Mar 3 '06 #4
Why not just fix the regular expression?

Mar 3 '06 #5
$Name = $HTTP_POST_VARS['Name'];

$email = preg_replace( '/[\r\n]/', '', $email );

$email = $HTTP_POST_VARS['email'];
$subject = "Message From us";
$message = $HTTP_POST_VARS['comments'];

if I added the second line - the form still works but that doesn't seem
to fix the problem you mention above? or does it?

michael

Mar 3 '06 #6

Chung Leong wrote:
> Why not just fix the regular expression?


Sorry Chung - What would I change it to? I'm new at this security
stuff.

michael

Mar 3 '06 #7

bokke wrote:
> Chung Leong wrote:
>> Why not just fix the regular expression?
>
> Sorry Chung - What would I change it to? I'm new at this security
> stuff.
>
> michael


Also I will have to kill the BCC because I'm now getting these...
"and
Content-Type: multipart/alternative;
boundary=dfd3b8fc428ebc09193a1de81d51a1ad
MIME-Version: 1.0
Subject: really a good
bcc: ba****@aol.com

This is a multi-part message in MIME format.

--dfd3b8fc428ebc09193a1de81d51a1ad
Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

ilhelm you should first see his es, you must
--dfd3b8fc428ebc09193a1de81d51a1ad--

..
es****@us.com just filled in the form.

Their suggestions are:
es****@us.com
Their e-mail address is: es****@us.com

Their Phone Number is es****@us.com
aaaaaagggghh please make the bleeding stop! help

Mar 3 '06 #8
Change the regular expression to

/^\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*$/

Mar 3 '06 #9
> $Name = $HTTP_POST_VARS['Name'];
>
> $email = preg_replace( '/[\r\n]/', '', $email );
>
> $email = $HTTP_POST_VARS['email'];

Anything the preg_replace call did, the above line undoes.

> $subject = "Message From us";
> $message = $HTTP_POST_VARS['comments'];
>
> if I added the second line - the form still works but that doesn't seem
> to fix the problem you mention above? or does it?


If someone is trying to abuse your web page, DO NOT SEND MAIL AT ALL.
And preferably the output result page should consist only of cusswords.
Or at least do not use any part of a tricked-up $email in the
headers. And preferably block any more accesses from that IP
address.

Gordon L. Burditt
Mar 3 '06 #10
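An added example, not code from the thread, of a handler that applies Gordon's advice: each field is checked only after it has been read from the request (so the ordering slip above cannot recur), a CR or LF anywhere in a header-bound field means no mail is sent at all, and the visitor's address goes into the body only while From: is a fixed mailbox. The field names and `$to` come from the original script; the sender mailbox and the use of `error_log` for recording the source address are assumptions.

```php
<?php
// Assumed: $_POST carries the same fields as the original form
// (Name, email, comments, phone). $from is a placeholder mailbox.
$to   = 'me@yahoo.ca';               // recipient from the original script
$from = 'webform@example.invalid';   // fixed sender, never taken from user input
// Anchored pattern from the thread plus the D modifier so a trailing
// newline cannot slip past $ (assumed addition).
const EMAIL_RE = '/^\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*$/D';

// True when a value carries CR or LF, the only way to smuggle extra
// headers through mail(). Applied to every field that could reach a header.
function hasCrlf(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

function isValidEmail(string $value): bool
{
    return !hasCrlf($value) && preg_match(EMAIL_RE, $value) === 1;
}

$name    = (string)($_POST['Name'] ?? '');
$email   = (string)($_POST['email'] ?? '');
$phone   = (string)($_POST['phone'] ?? '');
$message = (string)($_POST['comments'] ?? '');

// Gordon's rule: an injection attempt means no mail at all. The source
// address is logged so it can be blocked; the client gets no detail.
if (hasCrlf($name) || hasCrlf($email) || hasCrlf($phone)) {
    error_log(sprintf('webform: header injection attempt from %s',
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    http_response_code(400);
    exit;
}
if ($name === '' || !isValidEmail($email)) {
    echo '<h4>Please supply your name and a valid e-mail address.</h4>';
    exit;
}
// The visitor's address appears only in the body, never in a header line.
$body = "$name just filled in the form.\n\nTheir suggestions are:\n$message\n\n"
      . "Their e-mail address is: $email\n\nTheir Phone Number is $phone";
$headers = "From: $from";

if (mail($to, 'Message From us', $body, $headers)) {
    echo 'Thank you ' . htmlspecialchars($name) . '! We will get back to you soon.';
} else {
    echo '<h4>There seems to have been an error. Please try again later.</h4>';
}
```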
