[nycphp-talk] Preventing spam with php mail function

inforequest 1j0lkq002 at sneakemail.com
Thu Feb 23 17:46:35 EST 2006


Hans Zaunere lists-at-zaunere.com |nyphp dev/internal group use| wrote:

> If I understand correctly, we have a PHundamentals article available for
> this:
>
> http://www.nyphp.org/phundamentals/email_header_injection.php

Hans beat me to it. IMHO that article is one of the best on the web for 
addressing multi-part MIME exploits using contact forms. It is an 
advanced topic, though, but as with every "exploit" if the coder 
suffered through the advanced topics early, the learning process would 
be much less painful.

Basically it shows how even if you build a "safer" contact form, it may 
be used to insert spam because Internet mail systems permit mail 
messages to be inserted into other mail messages. The bottom line is 
that you have to filter every field of the mail your form will create 
and send, even if you don't collect those fields on your form (default 
fields and the like). Most people are filtering every field their form 
collects (which is not enough... you have to filter/control the defaults 
as well). That article also highlights the need to filter out newlines 
that might indicate an inserted message-within-a-message. It's a good 
article.

Chris' reply is excellent for the way it suggests you review the bigger 
picture of your security (not just the technology of the contact form). 
I completely agree, and would like to add more. Consider these ideas as 
a start:

Can your form be used to spoof an email so that it appears to come from 
someone within your company even though it really originated on your 
website, created by an outsider?

Could I use your form to send an email to the person who handles 
user-submitted requests, perhaps looking like an email from your web 
hosting company directing an update of shell account username/passwords etc?

Can your "change my password" form be used to change another user's 
password without prior permission/approval?

Does your contact-us form CC others in your organization prior to any 
administrative review? You don't want obscene or harassing statements 
circulated within the company, or you could open up the company to civil 
liabilities. Similarly, if your organization is regulated (HIPAA, 
banking and finance, securities, etc.) un-reviewed user submissions 
should not be circulated (copied to multiple places on client machines, etc.).

Hope this helps.

-=johnandrews
http://www.seo-fun.com
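The point made above about filtering every header-bound field, including fields the form never shows, is easiest to see with a side-by-side. The following is an added example written for this page; it is not code from the post, from the PHundamentals article, or from any NYPHP project. The field names, the recipient address and the spam payload are constructed for illustration, and the hardened builder assumes the recipient list lives on the server rather than in the form.

```php
<?php
// Added example (not from the original post or the PHundamentals article):
// a contact-form mail builder in its vulnerable and hardened forms.
// Field names, addresses and the attack payload below are constructed.

// Constructed attacker request. The visible form only has "name", "email"
// and "message", but nothing stops a client from also posting "subject",
// so a server-side default for it is as exposed as any visible field.
$attack = [
    'name'    => 'Alice',
    'email'   => "alice@example.org\r\nBcc: victim1@example.net, victim2@example.net",
    'subject' => "Hello\r\n\r\nBuy now: http://spam.example/", // blank line ends headers
    'message' => 'Just saying hi.',
];

// Vulnerable: request values are concatenated straight into the strings that
// would be passed to mail(). Each CRLF in the email field becomes a new header
// line (here a Bcc:), and the blank line in the subject ends the header block,
// so whatever follows it becomes a second message body.
function build_mail_vulnerable(array $f): array
{
    $subject = $f['subject'] ?? 'Website contact';
    $headers = "From: {$f['email']}\r\nReply-To: {$f['email']}\r\n";
    return ['to' => 'sales@example.com', 'subject' => $subject,
            'body' => $f['message'], 'headers' => $headers];
}

// Hardened: every value bound for a header or for mail()'s $to/$subject
// arguments, whether submitted or defaulted, must be a single line.
function header_value(string $v): string
{
    // Reject rather than strip: a CR/LF in a form field is an attack, not a typo.
    if (preg_match('/[\r\n\x00]/', $v)) {
        throw new InvalidArgumentException('line break in header field');
    }
    return trim($v);
}

function address(string $v): string
{
    $v = header_value($v);
    if (filter_var($v, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('not a single valid address');
    }
    return $v;
}

function build_mail_safe(array $f): array
{
    $email = address($f['email'] ?? '');
    // The default subject goes through the same check as a submitted one.
    $subject = header_value($f['subject'] ?? 'Website contact');
    // Recipients come from a server-side list, never from the request.
    $to = 'sales@example.com';
    // Quote the display name and drop characters that could break the quoting.
    $name = str_replace(['"', '\\'], '', header_value($f['name'] ?? ''));
    $headers = "From: \"$name\" <$email>\r\nReply-To: $email\r\n";
    return ['to' => $to, 'subject' => $subject,
            'body' => (string)($f['message'] ?? ''), 'headers' => $headers];
}

$m = build_mail_vulnerable($attack);
echo "Vulnerable build would hand mail() these headers:\n{$m['headers']}";
echo "and this subject (note the embedded blank line):\n{$m['subject']}\n\n";

try {
    build_mail_safe($attack);
} catch (InvalidArgumentException $e) {
    echo "Hardened build rejected the request: {$e->getMessage()}\n";
}

// A normal submission still builds cleanly; the mail() call is left
// commented out so the script runs without an MTA.
$ok = build_mail_safe(['name' => 'Alice', 'email' => 'alice@example.org', 'message' => 'Hi']);
// mail($ok['to'], $ok['subject'], $ok['body'], $ok['headers']);
echo "Clean request builds: " . str_replace("\r\n", ' | ', $ok['headers']) . "\n";
```

The check is deliberately a rejection, not a strip: removing the line breaks from the constructed email field would leave "alice@example.orgBcc: victim1@example.net, ..." which filter_var would then also reject, but in general a sanitized value can still be a different address than the user typed, and a form that silently sends mail with altered headers is harder to debug than one that refuses. The message body is not passed through header_value because line breaks there are legitimate; only the strings that end up before the blank line separating headers from body need the single-line rule.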