[thelist] Email header injection
Kasimir K
evolt at kasimir-k.fi
Sat Nov 12 05:09:01 CST 2005
Phil Turmel scribeva in 2005-11-12 00:57:
> You have to realize there are two separate objectives here, one more
> important than the other:
>
> 1) Prevent bots from filling in contact forms, so they don't bother the
> webmaster, and
>
> 2) Prevent bots from injecting headers, so they don't use your server to
> bother the rest of the web.
Yes, important point, well put, and I fully agree.
To be really safe, simply don't put any user input in the mail header.
For all my client work I do contact forms this way - as I might not be
monitoring them constantly, I want to be really sure that they are safe
now and tomorrow.
On my personal site I (for now) put stuff (carefully sanitized) in the
header. There's the little convenience of being able to just hit reply -
but more importantly, I'm reluctant to change functionality of my site
because of some damn script kiddie... I'd rather spend an hour or two
securing it.
All the tricks of using hidden fields etc. naturally don't provide any
real protection - only convenience. Any real protection indeed comes
only from accepting user input of expected type, and carefully
sanitizing that (and not using it in mail headers).
Kasimir K scribeva in 2005-11-11 18:45:
> The strange thing, though, is that this is not working for me every
> time...
> Obviously something very stupid which I'll be ashamed of later :-)
I had a forgotten script on my site... I am very, very ashamed :-)
<tip>
To be sure that your PHP site hasn't any forgotten mailing scripts, do a
site wide search for "mail(", and make sure it only appears where it should.
</tip>
.k
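The two approaches described in this post (keep every header constant and put all user data in the body, or add a Reply-To only from a strictly validated address) as an added example; this is not code from the original post or from evolt, and the addresses, regexes and field names are assumptions:

```python
import re

# Strict shape for one mail address: no whitespace, no CR/LF, exactly one "@".
ADDRESS_RE = re.compile(
    r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$"
)
# Bytes that must never reach a header value, plus their URL-encoded forms.
INJECTION_RE = re.compile(r"[\r\n\x00]|%0[aAdD]")

# Fixed, site-controlled header values (assumed placeholder addresses).
SITE_FROM = "webform@example.invalid"
SITE_TO = "webmaster@example.invalid"


class HeaderInjection(ValueError):
    """Raised when untrusted data would have ended up in a mail header."""


def looks_like_injection(value):
    """Detection check: CR, LF, NUL or their %0a/%0d encodings in a form field."""
    return INJECTION_RE.search(value) is not None


def build_contact_mail(form, allow_reply_to=False):
    """Return (headers, body) for a contact form submission.

    Default: every header is a constant and all user data goes in the body.
    Convenience mode: add Reply-To only if the address passes the strict pattern.
    """
    name = form.get("name", "")
    email = form.get("email", "")
    message = form.get("message", "")
    headers = {"From": SITE_FROM, "To": SITE_TO, "Subject": "Contact form submission"}

    if allow_reply_to:
        if looks_like_injection(email) or not ADDRESS_RE.fullmatch(email):
            raise HeaderInjection("Reply-To rejected: %r" % email)
        headers["Reply-To"] = email

    # The body is free text; a newline here cannot create a new header line.
    body = "Name: %s\nEmail: %s\n\n%s" % (name, email, message)
    return headers, body


def render(headers, body):
    """Serialize as header lines, a blank line, then the body (RFC 822 layout)."""
    for value in headers.values():
        if looks_like_injection(value):  # last-line check before handing to MTA
            raise HeaderInjection("header value contains a line break")
    head = "\r\n".join("%s: %s" % item for item in headers.items())
    return head + "\r\n\r\n" + body
```

With the default settings a submitted address containing a line break simply shows up as text in the body; only the convenience mode ever touches the header block, and then only after the strict check.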