
PHP mail() e-mail injection security Issues.

  • 14-03-2006 6:10pm
    #1
    Closed Accounts Posts: 519 ✭✭✭


    Had a heads up from my host recently in relation to this issue. Thought it best to pass it on for those using unsecured PHP e-mail forms within their systems.

    My hosts had to disable over 20 sites until the problem was rectified due to this issue...

    Part of original message

    Over the last few weeks we have seen many unsecure contact form / feedback
    form / Refer and Tell a friend type forms been used to send out spam because
    of e-mail injection vulnerability. Many of these forms do not have any
    validation on user input data.

    For more info they give me this link

    http://securephp.damonkohler.com/index.php/Email_Injection

    I was using a couple of these forms though only one was insecure and this has not been rectified with a replacement system (formmail).

    Just thought I'd pass it on to those who are unaware of the issue..

    :)


Comments

  • Registered Users Posts: 2,157 ✭✭✭Serbian


    Yeah, that link was posted a while back but it's always good to remind people about these things.


  • Closed Accounts Posts: 975 ✭✭✭squibs


    I fell victim to this with the first site I did. I was getting all sorts of junk in my inbox - up to 300 mails a day, and hadn't a notion what was causing it. Then heard about this attack and added some parsing logic for my contact form page. Problem cured overnight.


  • Registered Users Posts: 24,257 ✭✭✭✭Sleepy


    Anyone know if there's a GNU licenced webform out there which secures against this threat?


  • Registered Users Posts: 2,157 ✭✭✭Serbian


    Sleepy wrote:
    Anyone know if there's a GNU licenced webform out there which secures against this threat?

    This contact form claims it is spam-proof. There are also a load more scripts on that site that will probably fit your needs.


  • Registered Users Posts: 2,647 ✭✭✭impr0v


    I've had a problem with this recently with an ASP form, have substituted 'MIME' 'Content' 'bcc' and any carriage returns out of the submitted text now.

    The attempted injection was into a 'name' form field which I had limited to 30 characters, yet a whole body of text was returned from this field. How is this possible?


  • Registered Users Posts: 6,511 ✭✭✭daymobrew


    impr0v wrote:
    The attempted injection was into a 'name' form field which I had limited to 30 characters, yet a whole body of text was returned from this field. How is this possible?
    Had you limited it in the HTML? If so the person simply submitted the data without using your form, e.g. with 'wget' (you can submit POST data from a string or a file).
    Client side validation is nice but it should never be a substitute for server side validation.


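As an added example (not code from this thread or from any poster), the following PHP contact-form handler shows the unsafe pattern the original post warns about next to a hardened version. It also covers the point made in the last reply: the field length is checked again on the server, because an HTML maxlength only constrains the browser, not whoever crafts the POST. Rather than blacklisting words like 'bcc' or 'Content', it rejects any header value containing a line break, which is what makes header injection possible in the first place. The recipient address, field names and sample submissions are assumptions for the demo.

```php
<?php
// Added example, not from the thread. Assumes form fields "name", "email",
// "subject" and "message", and a fixed site address that receives the mail.

// UNSAFE PATTERN: visitor input goes straight into the additional-headers
// argument of mail(). A CR/LF inside $post['email'] or $post['name'] lets the
// sender append further header lines, turning the form into an open relay.
function send_contact_unsafe(array $post): bool
{
    $headers = "From: {$post['name']} <{$post['email']}>\r\n";
    return mail('owner@example.com', $post['subject'], $post['message'], $headers);
}

// A value is safe to place in a header only if it respects the server-side
// length limit and contains no CR, LF or NUL. $_POST is already URL-decoded,
// so encoded %0A / %0D arrive here as real line breaks and are caught too.
function is_header_safe(string $value, int $max_len): bool
{
    if (strlen($value) > $max_len) {
        return false; // HTML maxlength is advisory only; enforce it here
    }
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

// Returns the list of field names that failed validation (empty = OK).
function validate_contact(array $post): array
{
    $errors  = [];
    $name    = trim($post['name'] ?? '');
    $email   = trim($post['email'] ?? '');
    $subject = trim($post['subject'] ?? '');
    $message = $post['message'] ?? '';

    if ($name === '' || !is_header_safe($name, 30)) {
        $errors[] = 'name';
    }
    // filter_var rejects line breaks as well, but the explicit check keeps the
    // rule visible and applies to fields that are not e-mail addresses.
    if (!is_header_safe($email, 254) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email';
    }
    if ($subject === '' || !is_header_safe($subject, 100)) {
        $errors[] = 'subject';
    }
    if ($message === '' || strlen($message) > 5000) {
        $errors[] = 'message';
    }
    return $errors;
}

// HARDENED PATTERN: refuse the submission outright on any validation failure,
// keep From: fixed to a site address, and carry the (validated) visitor
// address only in Reply-To.
function send_contact_safe(array $post): bool
{
    if (validate_contact($post) !== []) {
        return false; // do not send; log the rejected submission for review
    }
    $headers = "From: Contact Form <noreply@example.com>\r\n"
             . "Reply-To: " . $post['email'] . "\r\n";
    $body = "Name: " . $post['name'] . "\n\n" . $post['message'];
    return mail('owner@example.com', $post['subject'], $body, $headers);
}

// Constructed sample submissions (not real traffic): one ordinary message and
// one whose "name" field carries an embedded line break, as a 30-character
// HTML limit would not have stopped a hand-built POST from sending.
$legit  = ['name' => 'Mary', 'email' => 'mary@example.org',
           'subject' => 'Quote request', 'message' => 'Hello'];
$forged = ['name' => "Mary\r\nBcc: someone@example.net", 'email' => 'mary@example.org',
           'subject' => 'Quote request', 'message' => 'Hello'];

echo 'legit : ', implode(',', validate_contact($legit)) ?: 'ok', "\n";
echo 'forged: ', implode(',', validate_contact($forged)) ?: 'ok', "\n";
```

The design choice worth noting is rejection rather than sanitising: stripping the offending characters and sending anyway still mails a tampered message and hides the abuse from the log, whereas refusing the request and recording which field failed gives you both a clean outbox and a signal that the form is being probed. Do not rely on mail() itself to catch malformed headers; validate before the call regardless of PHP version.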