[thelist] injection attacks on php contact form
Kasimir K
evolt at kasimir-k.fi
Thu Dec 1 04:47:08 CST 2005
Garth Hagerman scribeva in 2005-12-01 00:50:
> It seems much more likely that a legitimate message would have a colon
> than "Content-Type:" or "MIME-Version:". The only time I could see those
> as legitimate is in a technical context like this where those are
> legitimate terms for discussion. My clients are realtors, performing
> arts companies, and small businesses; it'd be a stretch to imagine
> those terms used in a legitimate inquiry.
I might have been a bit unclear with this one. The idea was *not* to
check *all* input fields for a colon - only those which will end up in
the header. Basically you don't have to filter the message body at all.
As a side note, "a stretch to imagine" never takes you to the surprise
levels that reality will. If you count on a certain kind of user input,
you then also count on a failure in the worst possible situation. A
potential client could for example paste in text copied from an email
program which shows the headers of forwarded mails (as my T-bird setup
does). And if you rely on users not submitting "Content-Type:" in the
message, I can tell you that the most important user ever, the one with
a billion spare dollars to invest in your client, will inevitably paste
"Content-Type:" in there...
Incidentally, it seems that checking just one field is enough to tell
men from bots:
Kasimir K scribeva in 2005-11-19 12:01:
> As all injection bots I've seen so far populate all fields with bogus
> content, so for now I'm checking the submit value:
> In the form:
> <input type="submit" name="send" value="send">
> In PHP:
> if ($_POST['send'] != 'send') { ...
> // do what you do with these attempts
> // and some Shakespeare for the bot to enjoy - "To die, to sleep;"
> sleep(600);
> die();
> }
A human user never changes the value of the submit button. Since I
started using that, I have not had a single bad mail.
But even if that were sufficient, I still do this to all fields
going to the header:
$email = preg_replace('/\n|\r/m', '', stripslashes($_POST['email']));
So if a bot tries this as the email address:
mail@example.com
Bcc: mail@example.org
it will become:
mail@example.comBcc: mail@example.org
so the attack is prevented.
.k
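As an added example, not code from the post or from the list, here is a PHP contact-form handler that applies the two checks Kasimir describes: the fixed submit value to tell humans from bots, and CR/LF stripping on the header-bound fields only, with the message body left alone. The field names (`send`, `name`, `email`, `message`), the dry-run structure and the constructed submissions are assumptions for this example; nothing is actually sent.

```php
<?php
// Added example, not code from the original post or the list: a contact-form
// handler applying the two checks from the thread, the fixed submit value and
// CR/LF stripping on header-bound fields only. Field names ($_POST['send'],
// 'name', 'email', 'message') and the sample submissions are assumptions.
declare(strict_types=1);

// Remove every CR and LF from a value that will be placed in a mail header.
// No legitimate header value contains a line break, so an injected
// "\nBcc: ..." is glued onto the preceding value instead of starting a new
// header line, exactly as the post shows.
function sanitizeHeaderField(string $value): string
{
    return preg_replace('/[\r\n]/', '', $value);
}

// The submit-value check from the thread: a browser submits the button's
// value attribute verbatim, whereas bots that fill every field with junk
// overwrite it.
function looksLikeBot(array $post): bool
{
    return !isset($post['send']) || $post['send'] !== 'send';
}

// Build the additional headers for mail(). Only fields that end up in the
// header are filtered; the body is passed through untouched, as the post
// recommends. Returns null when the From address is unusable after
// stripping, which is what happens to the injection attempt quoted above:
// "mail@example.comBcc: mail@example.org" is not a valid address.
function buildHeaders(string $fromName, string $fromEmail): ?string
{
    $name  = sanitizeHeaderField($fromName);
    $email = sanitizeHeaderField($fromEmail);
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Quote the display name so commas in it are not read as address-list
    // separators; drop any embedded quotes first.
    $name = str_replace('"', '', $name);
    return "From: \"{$name}\" <{$email}>\r\nReply-To: {$email}\r\n";
}

// Dry run: decide what would be done with a submission without sending it.
// 'action' is one of 'bot', 'bad-from' or 'send'.
function handleSubmission(array $post): array
{
    if (looksLikeBot($post)) {
        // The post sleeps and dies here; a 400 response is the quieter choice.
        return ['action' => 'bot', 'headers' => null];
    }
    $headers = buildHeaders($post['name'] ?? '', $post['email'] ?? '');
    if ($headers === null) {
        return ['action' => 'bad-from', 'headers' => null];
    }
    // A real handler would call mail($to, $subject, $post['message'], $headers)
    // here; the body needs no header filtering because it is not a header.
    return ['action' => 'send', 'headers' => $headers];
}

// Constructed sample submissions.
$injection = [
    'send'    => 'send',
    'name'    => 'Visitor',
    'email'   => "mail@example.com\nBcc: mail@example.org", // the attempt from the post
    'message' => "Hello, I'd like a quote.",
];
$bot = [
    'send'    => 'junk', // a bot has overwritten the submit value
    'name'    => 'junk',
    'email'   => 'mail@example.com',
    'message' => 'junk',
];
$human = [
    'send'    => 'send',
    'name'    => 'Visitor',
    'email'   => 'mail@example.com',
    // Forwarded-mail headers pasted into the body are harmless here.
    'message' => "See below:\nContent-Type: text/plain\nMIME-Version: 1.0",
];

foreach (['injection' => $injection, 'bot' => $bot, 'human' => $human] as $label => $post) {
    $result = handleSubmission($post);
    printf("%-9s -> %s\n", $label, $result['action']);
}
```

The design choice worth noting is that the stripped value is then validated rather than trusted: once the line breaks are gone, an injected `Bcc:` leaves behind a string that no longer looks like an email address, so the form fails closed instead of sending a mail with an odd From header.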