[thelist] injection attacks on php contact form
Garth Hagerman
hagerman at mcn.org
Tue Nov 29 17:27:13 CST 2005
Hi everybody-
I have a simple contact form, using php and its mail() function, which
I use on several sites (with modifications for the needs of the
particular site). Over the past few months, I've been getting
increasing amounts of gibberish emails from it. After some Googling and
reading, I have learned that these are injection attacks; bad guys are
using my contact form for their own nefarious ends. To stop them, I've
adopted a multi-pronged attack:
1. A graphic password that only a human user should be able to read.
2. The processing script uses eregi() to look for "\n", "\r",
"Content-Type:", and "MIME-Version:" in the input data. If any of those
are found, it doesn't send the email.
3. The processing script checks for a blank user email address or one
from the site's domain. There has always been a standard JavaScript on
the form which checks for credible email addresses, but the bad guys
have been getting around that.
4. Limits on the length of subject and user email fields. The body of
the message can still be as long as necessary.
My questions: does this seem adequate? Are there any known attack
methods that would be likely to get through these checks? Is it
overkill? Might some legitimate inquiries be lost through the security
measures?
Thanks in advance-
Garth
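An added example, not code from the original post: a PHP check implementing steps 2 to 4 of the list above, using preg_match() in place of eregi() (eregi() was removed in PHP 7). The field names, the length limits and the site domain are assumptions.

```php
<?php
// Added example, not from the original post: the header-injection checks a
// PHP mail() contact form needs (steps 2-4). The field names, length limits
// and the site domain are assumptions/placeholders.
declare(strict_types=1);
const SITE_DOMAIN = 'example.com'; // placeholder for the site's own domain
const MAX_SUBJECT = 120;           // assumed limit for the Subject header
const MAX_EMAIL   = 254;           // assumed limit for the sender address

/**
 * Returns the reasons a submission must not be mailed; an empty array means OK.
 * Only values that end up in mail headers (sender address, subject) can carry
 * an injection: a CR or LF there terminates the header line and lets the
 * attacker append Bcc:, Content-Type: or a second message body.
 */
function contactFormProblems(string $email, string $subject, string $body): array
{
    $problems = [];
    // Step 2: a line break in a header-bound field is always an injection
    // attempt. eregi() was removed in PHP 7, so use preg_match instead.
    foreach (['email' => $email, 'subject' => $subject] as $field => $value) {
        if (preg_match('/[\r\n]/', $value) === 1) {
            $problems[] = "$field contains a line break";
        }
    }
    // The body is legitimately multi-line, so there we only reject lines that
    // look like MIME headers (case-insensitive, checked per line).
    if (preg_match('/^(content-type|mime-version):/im', $body) === 1) {
        $problems[] = 'body contains a MIME header';
    }

    // Step 3: the sender must be a well-formed address that is not ours.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $problems[] = 'email is blank or not a valid address';
    } elseif (strcasecmp(substr(strrchr($email, '@'), 1), SITE_DOMAIN) === 0) {
        $problems[] = 'email claims to be from the site domain';
    }

    // Step 4: length limits on the header-bound fields only; the body is free.
    if (strlen($subject) > MAX_SUBJECT) { $problems[] = 'subject too long'; }
    if (strlen($email) > MAX_EMAIL)     { $problems[] = 'email too long'; }

    return $problems;
}

// Constructed submission: a CRLF-injected sender field with a normal subject/body.
$problems = contactFormProblems("alice@example.org\r\nBcc: other@example.net",
                                'Opening hours?', "Hi,\nwhen are you open?");
echo $problems ? implode("\n", $problems) . "\n" : "OK to send\n";
```

Because the CR/LF check runs on every field that reaches a header, the body is the only place where a keyword check for Content-Type: or MIME-Version: is still needed.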