[thelist] Email header injection
Kasimir K
evolt at kasimir-k.fi
Fri Nov 11 12:45:22 CST 2005
Noah St. Amand wrote on 2005-11-11 17:40:
> 1. setting a hidden variable in the form
The problem with this one is, that for the bots the hidden fields are
not that hidden... Then again, as the bot is using the same value for
all input fields (including submit) it would be easy to check if this is
the case.
But no need for a hidden field, as submit's value can be also checked.
In the form:
<input type="submit" name="send" value="send">
In PHP:
if ($_POST['send'] != 'send') {
    // the submit value was overwritten, so this was not sent from the form: reject it
    exit;
}
The strange thing though is, that this is not working for me every
time... most of the time yes, but not always. And it sure beats me how
it's possible that 'weeping9702 at kasimir-k.fi' == 'send'
Obviously something very stupid which I'll be ashamed of later :-)
> 2. setting a session cookie on the form page
Same problem as with Referer: legit users would be bitten - some people
don't like cookies.
> Anyway, I'm just interested in what other people with the same problem
> think about these solutions.
I think the key is that these bots use a fake email address as input for
all fields except the one where they put the headers. If there are
fields that we definitely know should not contain anything like that
(submit, hidden fields, checkboxes, radios, ..) it is easy to check.
Once the bots learn to be so clever that they don't touch those fields,
one could use regular text input with value like: "check field, don't
touch", and maybe disable the field too, maybe put it outside the
viewport with css.
This is an intriguing problem, as it shows us that even something so
ridiculously simple as a contact form must be made secure. So it's no
more just e-commerce and the likes that must be done properly - any
script we put up there for public access must be thoroughly solid.
.k
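The checks discussed in this thread (submit value and "don't touch" field left intact, no line breaks in fields that end up in mail headers, the bot's habit of writing one fake address into every field), put together as an added Python example. This is not code from the original post; the field names and both sample submissions are constructed for the example.

```python
import re
from collections import Counter

# Fields a human never edits: the submit button's fixed value and a text
# field kept out of the viewport. A bot that writes the same string into
# every input overwrites both. The names are assumptions for this example.
FIXED_FIELDS = {"send": "send", "check_field": "check field, don't touch"}

# Fields whose content is copied into mail headers. A CR or LF in them lets
# the sender end the header line and append headers such as Bcc:.
HEADER_FIELDS = ("email", "subject")

CRLF = re.compile(r"[\r\n]")


def header_safe(value):
    """Collapse line breaks so a value can never start a new header line."""
    return re.sub(r"[\r\n]+", " ", value).strip()


def validate_contact_form(post):
    """Return a list of rejection reasons; an empty list means the post looks legitimate."""
    reasons = []

    for name, expected in FIXED_FIELDS.items():
        if post.get(name) != expected:
            reasons.append(f"fixed field {name!r} was altered")

    for name in HEADER_FIELDS:
        if CRLF.search(post.get(name, "")):
            reasons.append(f"line break in header field {name!r}")

    # The bots described in the thread put one fake address into every field;
    # three or more identical non-empty fields does not happen for a human.
    counts = Counter(v for v in post.values() if v)
    if counts and counts.most_common(1)[0][1] >= 3:
        reasons.append("same value repeated in three or more fields")

    return reasons


# Constructed sample submissions (not real traffic).
LEGIT_POST = {
    "name": "Jane Doe",
    "email": "jane@example.com",
    "subject": "Quote request",
    "message": "Could you send me a quote for the hosting package?",
    "send": "send",
    "check_field": "check field, don't touch",
}

FAKE = "weeping9702@example.invalid"
BOT_POST = {
    "name": FAKE,
    "email": FAKE,
    "subject": FAKE + "\r\nBcc: one@example.invalid, two@example.invalid",
    "message": FAKE,
    "send": FAKE,
    "check_field": FAKE,
}

if __name__ == "__main__":
    for label, post in (("legit", LEGIT_POST), ("bot", BOT_POST)):
        print(label, validate_contact_form(post) or "accepted")
```

The field checks are heuristics that the bots can learn to avoid; header_safe is the part that actually closes the injection, since a value with no line breaks cannot start a new header no matter which field it came from, so it should be applied to every value that reaches the mail headers even when the form passes all the heuristics.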