[nycphp-talk] Phundamentals Title Change: Email Header Injection
Hans Zaunere
lists at zaunere.com
Fri Sep 23 19:33:38 EDT 2005
inforequest wrote on Friday, September 23, 2005 5:44 PM:
> David Mintz dmintz-at-davidmintz.org |nyphp dev/internal group use|
> wrote:
>
> > On Fri, 23 Sep 2005, Hans Zaunere wrote:
> >
> > > However for this particular exploit, it's easy to prevent. It's
> > > simply not possible for this exploit to work without the
> > > Content-Type: string. Searched for, in a case-insensitive manner,
> > > across all submitted form fields, will detect and thwart this
> > > exploit immediately.
> >
> > Yes, and I gratefully borrowed your snippet to tighten up a couple
> > of my own scripts. The only conceivable drawback is that if user
> > input is destined to become the message body -- a textarea for the
> > user to type a message -- and for some reason the user legitimately
> > wants to say something like "Have you guys heard about the
> > Content-type: attack?" Granted, it's unusual, but still... Kind of
> > like the caveat against training Spamassassin with ham that
> > discusses spam.
The small snippet does check every submitted form field, so this could be an
issue, albeit in the years-of-web-development-never-seen-this-as-a-problem
department.
The other side of this, however, is the MailProtect.inc class I posted
earlier. It only checks header fields, which is the area of concern. A
Content-Type: in the body isn't a problem in this case, so MailProtect.inc
(anyone played with it yet?) would be the better solution.
> You might consider an old SEO trick and just swap in an invalid version
> of that string, that still makes sense to the reader. Perhaps replacing
> "Content-type:" with "Content-type (colon)", for example, leaves it in
> the text but not functional.
And that would solve it, assuming the first bit of code.
---
Hans Zaunere / President / New York PHP
www.nyphp.org / www.nyphp.com
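The header-only approach the thread describes, as an added example (this is not the snippet or the MailProtect.inc class from the thread; the function names, the field names and the sample submissions are assumptions constructed for illustration):

```php
<?php
// Added example, not the thread's own code. Checks only the form fields that
// end up in mail headers, so a "Content-type:" mentioned in the body is fine.

/**
 * Return true if a value destined for a mail header is safe to use.
 * Rejects CR/LF (a line break is what turns one field into extra headers)
 * and, case-insensitively, the "content-type:" string the thread identifies
 * as required for this exploit.
 */
function isSafeHeaderValue(string $value): bool
{
    if (preg_match('/[\r\n]/', $value)) {
        return false;
    }
    if (stripos($value, 'content-type:') !== false) {
        return false;
    }
    return true;
}

/**
 * Validate a submitted form. Only the fields listed in $headerFields are
 * checked; the body field is left alone. Returns the names of offending
 * fields (an empty array means the headers are safe to build).
 */
function findUnsafeHeaderFields(array $form, array $headerFields): array
{
    $bad = [];
    foreach ($headerFields as $name) {
        if (isset($form[$name]) && !isSafeHeaderValue((string) $form[$name])) {
            $bad[] = $name;
        }
    }
    return $bad;
}

// Constructed sample submissions (field names are assumptions).
$headerFields = ['from', 'subject'];
$legit = [
    'from'    => 'dave@example.com',
    'subject' => 'Question',
    'body'    => 'Have you guys heard about the Content-type: attack?',
];
$hostile = [
    'from'    => "x@example.com\r\nContent-Type: text/html",
    'subject' => 'Hi',
    'body'    => '',
];

var_dump(findUnsafeHeaderFields($legit, $headerFields));   // body mention is allowed
var_dump(findUnsafeHeaderFields($hostile, $headerFields)); // 'from' is flagged
```

Only when findUnsafeHeaderFields() returns an empty array should the script build its headers and call mail().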