Re: query string passing woes........ help... please....




"J.O. Aho" <user@xxxxxxxxxxx> wrote in message
news:54lvp3F211sdiU1@xxxxxxxxxxxxxxxxxxxxx
| rcoan@xxxxxxxxxxxxxxxxxx wrote:
| >>> You form as it stands can
| >>> be used to spam anyone.
| >
| > Actually I don't really see a way of it being used to send spam to
| > anyone really. Unless they actually key in the query string. The
| > email address that's being passed via the query string is from a
| > database of email addresses that are location specific. In other
| > words these people are expecting the emails and for there to be some
| > junk mail possibly. So I'm not too worried about the spam issue as of
| > right now but I will keep an eye out for it. Thanks.
|
| The problem is if you allow people to send a "From" address with the form;
| as there isn't any real from argument in the mail function, you are
| instead using the mail header directly, and then you can add other things
| like bcc/cc to the header and that way send out mail to more than one
| person at a time.
|
| It doesn't hurt to check all variables used in the mail function; if
| detecting header injection, then abort the mailing (an easy check is to
| compare the size of the variable before and after removing all \r\n; if
| the same, no header injection was attempted, otherwise it's a try to spam).

easy yes, but secure no. it is best to not take half measures when
programming anything, especially security. something like this is a far more
appropriate step:

$emailInput = array($to, $from, $cc, $bcc, $subject, $message);
$injections = array('to', 'from', 'cc', 'bcc');
// iterate by reference so the stripped value is written back into the array
foreach ($emailInput as &$input)
{
    foreach ($injections as $injection)
    {
        // drop any line that starts with a header name such as "bcc:"
        $input = preg_replace('/\n?' . $injection . '\s*?:.*?\n/i', '', $input);
    }
}
unset($input); // break the reference left behind by the foreach

now you have a configurable, manageable means of stripping out malicious
header content by the input(s) supplied...just by changing either/both
arrays. the emailInput array is normally just going to have a subject and a
message/comment that has to be analysed.

cheers
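A worked version of the two checks discussed in this thread (the "compare the length before and after removing \r\n" test, and per-field validation of everything that ends up on a header line), added here as an example and not code from either poster. The function names and the sample inputs are constructed for this example; the recipient address is assumed to come from the application's own database lookup, as the original poster described, never from the query string or the form.

```php
<?php
// Added example, not from the original thread. Function names are assumed.
// Only fields that end up on a header line are checked; the message body may
// legitimately contain newlines and is passed to mail() as the body argument.

// The thread's check: remove every CR and LF and compare lengths. If the
// length changed, the value carried a line break, so treat it as injection.
function header_value_is_clean(string $value): bool
{
    return strlen($value) === strlen(str_replace(["\r", "\n"], '', $value));
}

// Stricter rule for an address placed in From:/Reply-To: a single bare
// address, which also rules out display names, comments and line breaks.
function address_is_clean(string $value): bool
{
    return header_value_is_clean($value)
        && filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

// Build the extra-headers string for mail(), or return null when the field
// fails validation. Nothing is stripped or repaired; a rejected send is the
// signal that somebody tried to add header lines through the form.
function build_headers(string $from): ?string
{
    if (!address_is_clean($from)) {
        return null;
    }
    return "From: $from\r\nReply-To: $from";
}

// $to is assumed to come from the application's own database lookup (as in
// the thread), never from the query string or the form.
function send_contact_mail(string $to, string $from, string $subject, string $body): bool
{
    $headers = build_headers($from);
    if ($headers === null || !header_value_is_clean($subject)) {
        error_log('contact form: header injection attempt rejected');
        return false;
    }
    return mail($to, $subject, $body, $headers);
}

// Constructed sample inputs to exercise the checks without sending anything.
$samples = [
    'alice@example.com',
    "alice@example.com\r\nBcc: list@example.invalid",
    'alice@example.com, bob@example.com',
];
foreach ($samples as $s) {
    printf("%-50s %s\n", addcslashes($s, "\r\n"),
        address_is_clean($s) ? 'accepted' : 'rejected');
}
```

The example rejects rather than strips: a value containing a line break is logged and the send aborted, which gives you something to alert on, whereas silently removing the offending line hides the attempt. Legitimate multi-line content belongs only in the body argument of mail(), so the body is deliberately not run through header_value_is_clean().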

