[thelist] injection attacks on php contact form

Kasimir K evolt at kasimir-k.fi
Thu Dec 1 04:47:08 CST 2005

Garth Hagerman scribeva in 2005-12-01 00:50:
> It seems much more likely that a legitimate message would have a colon 
> than "Content-Type:" or "MIME-Version:" The only time I could see those 
> as legitimate is in a technical context like this where those are 
> legitimate terms for discussion. My clients are realtors, performing 
> arts companies, and small businesses; it'd be a stretch to imagine 
> those terms used in a legitimate inquiry.

I might have been a bit unclear with this one. The idea was *not* to 
check *all* input fields for a colon - only those which will end up in 
the header. Basically you don't have to filter the message body at all.

As a side note, "a stretch to imagine" never takes you to the surprise 
levels that reality will. If you count on certain kind of user input, 
you then also count on a failure on the worst possible situation. A 
potential client could for example paste in text copied from an email 
program which shows headers of forwarded mails (as my T-bird set up 
does). And if you rely on users not submitting "Content-Type:" in the 
message, I can tell you that the most important user ever, the one with 
a billion spare dollars to invest on your client, will inevitably paste 
"Content-Type:" in there...

Incidentally, it seems that checking just one field is enough to tell 
men from bots:

Kasimir K scribeva in 2005-11-19 12:01:
> As all injection bots I've seen so far populate all fields with bogus 
> content, so for now I'm checking the submit value:
> In the form:
> <input type="submit" name="send" value="send">
> In PHP:
> if ($_POST['send'] != 'send') { ...
>     // do what you do with these attempts
>     // and some Shakespeare for the bot to enjoy - "To die, to sleep;"
>     sleep(600);
>     die();

A human user never changes the value of the submit button. Since I 
started using that, not a single bad mail anymore.

But even if that would be sufficient, I still do this to all fields 
going to the header:

preg_replace('/\n|\r/m', '', stripslashes($_POST['email']));

So if bot tries as email address this:
mail at example.com
Bcc: mail at example.org

it will become:
mail at example.comBcc: mail at example.org

so the attack is prevented.


More information about the thelist mailing list