Re: Securing an Email script
- From: "Sanders Kaufman" <bucky@xxxxxxxxxxx>
- Date: Sat, 27 Oct 2007 19:27:42 GMT
"Bill H" <someone@xxxxxxxxxxxxxx> wrote in message
news:VradnVdP25-dFL7anZ2dnUVZ_rCtnZ2d@xxxxxxxxxxxxxx
I've changed our web site to use a simple PHP script to send a demo
request to our sales office. We use Postfix and everything is set up
properly and works fine. I've been informed there are some security
issues to review.
Since you do ZERO checking on the values, it's nothing BUT security issues.
You should never pass user-submitted data to mail or databases without
validating it.
The script looks like:
<html>
<head><title>PHP Mail Sender</title></head>
<body>
<?php
/* Pre-defined script variables. */
/* $eol = "\r\n"; */
$eol = "\n";
$mailto = 'sales@xxxxxxxxxxxx';
$mailfrom = 'webserver@xxxxxxxxxxxx';
$subject = 'Company Demo Request';
/* Initialize a clean array to replace $_POST with clean data */
/* (The values are copied straight out of $_POST; nothing is validated here.) */
$name = $_POST['name'];
$title = $_POST['title'];
$company = $_POST['company'];
$email = $_POST['email'];
$phone = $_POST['phone'];
$message = $_POST['message'];
/* Build HTML $salesmessage variable to pass to mail script */
$salesmessage = "<HTML><HEAD></HEAD><BODY>" . $eol;
$salesmessage .= "The following information comes from the company web site<BR>".$eol;
$salesmessage .= "demonstration link.<BR><BR>".$eol;
$salesmessage .= "<TABLE cols='2'>".$eol;
$salesmessage .= "<TR><TD style='color:blue'>Company Name: </TD><TD>". $company ."</TD></TR>".$eol;
$salesmessage .= "<TR><TD style='color:blue'>Contact Name: </TD><TD>". $name ."</TD></TR>".$eol;
$salesmessage .= "<TR><TD style='color:blue'>Contact Title: </TD><TD>". $title ."</TD></TR>".$eol;
$salesmessage .= "<TR><TD style='color:blue'>Contact Email: </TD><TD>". $email ."</TD></TR>".$eol;
$salesmessage .= "<TR><TD style='color:blue'>Contact Phone: </TD><TD>". $phone ."</TD></TR>".$eol;
$salesmessage .= "</TABLE><BR>" . $eol;
$salesmessage .= $message . $eol;
$salesmessage .= "</BODY></HTML>" . $eol;
/* To send HTML mail, the Content-type header must be set */
$headers = 'MIME-Version: 1.0' . $eol;
$headers .= 'Content-type: text/html; charset=iso-8859-1' . $eol;
/* Additional header information */
$headers .= 'To: Sales <' . $mailto . '>' . $eol;
$headers .= 'From: ' . 'AsiWeb <' . $mailfrom . '>' . $eol . $eol;
/* PHP form validation: the script checks that the Email field contains a
   valid email address and the Subject field isn't empty. preg_match performs
   a regular expression match. It's a very powerful PHP function to validate
   form fields and other strings - see PHP manual for details. */
if ($email == "") {
echo "<script>alert('Invalid or missing email address')</script>";
echo "<script>history.back(1)</script>";
} elseif ($name == "") {
echo "<script>alert('Invalid or missing name')</script>";
echo "<script>history.back(1)</script>";
} elseif ($company == "") {
echo "<script>alert('Invalid or missing company')</script>";
echo "<script>history.back(1)</script>";
/* Sends the mail and outputs the "Thank you" string if the mail is
   successfully sent, or the error string otherwise. */
} elseif (mail($mailto, $subject, $salesmessage, $headers)) {
echo "<script>";
echo "self.location='../demo_response.html';";
echo "</script>";
} else {
echo "<script>alert('Cannot send email to $mailto')</script>";
echo "<script>history.back(1)</script>";
}
?>
</body>
</html>
The main issue I'm wondering about is if I control the to and from address
and header information for the mail, as I do above, is it possible to
inject something else into the email to hijack the mail server?
Thanks,
Bill
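Added example, not code from Bill's script or from Sanders' reply: a validation layer for the same demo-request form that rejects CR/LF in any field that could reach a mail header, validates the e-mail address and phone number, bounds field lengths, and HTML-escapes every value before it goes into the body. The addresses, field names and the sample input are assumptions chosen for illustration.

```php
<?php
// Added example (not Bill's script or Sanders' code). Field names, addresses
// and the sample input below are assumptions made for illustration.

/* A CR or LF in a value that is later placed in a header (From:, Reply-To:,
   Subject:) lets the sender append headers of their own, such as an extra
   Bcc: line. Any header-bound field containing either byte is refused. */
function has_crlf(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

/* Validate one field: present, non-empty, no CR/LF, bounded length, and an
   optional type check. Returns the trimmed value or null if unacceptable. */
function clean_field(array $post, string $key, int $max = 100, ?string $type = null): ?string
{
    if (!isset($post[$key]) || !is_string($post[$key])) {
        return null;
    }
    $v = trim($post[$key]);
    if ($v === '' || strlen($v) > $max || has_crlf($v)) {
        return null;
    }
    if ($type === 'email' && filter_var($v, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    if ($type === 'phone' && preg_match('/^[0-9 +().-]{6,30}$/', $v) !== 1) {
        return null;
    }
    return $v;
}

/* Build the HTML body with every user value escaped, so markup typed into a
   field shows up as text in the sales inbox instead of being rendered. */
function build_body(array $fields, string $message): string
{
    $eol = "\n";
    $body = "<html><body><table>" . $eol;
    foreach ($fields as $label => $value) {
        $body .= '<tr><td>' . htmlspecialchars($label, ENT_QUOTES, 'UTF-8')
               . '</td><td>' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
               . '</td></tr>' . $eol;
    }
    $body .= '<p>' . nl2br(htmlspecialchars($message, ENT_QUOTES, 'UTF-8')) . '</p>';
    return $body . '</table></body></html>' . $eol;
}

/* Validate the whole form. Returns [fields, message, errors]. */
function validate_demo_request(array $post): array
{
    $errors = [];
    $spec = [                       // key => [max length, type check]
        'name'    => [100, null],
        'title'   => [100, null],
        'company' => [100, null],
        'email'   => [254, 'email'],
        'phone'   => [30,  'phone'],
    ];
    $fields = [];
    foreach ($spec as $key => [$max, $type]) {
        $v = clean_field($post, $key, $max, $type);
        if ($v === null) {
            $errors[] = "Invalid or missing $key";
        } else {
            $fields[$key] = $v;
        }
    }
    // The free-text message only ever goes in the body, so newlines are
    // allowed there; it is length-bounded here and escaped in build_body().
    $message = isset($post['message']) && is_string($post['message'])
        ? substr($post['message'], 0, 4000) : '';
    return [$fields, $message, $errors];
}

/* Constructed sample input: a header-injection attempt in the email field
   and a script tag in the message. */
$sample = [
    'name'    => 'Alice',
    'title'   => 'CTO',
    'company' => 'Example Ltd',
    'email'   => "alice@example.com\r\nBcc: everyone@example.net",
    'phone'   => '+1 555 0100',
    'message' => "Please call me.\n<script>alert(1)</script>",
];
[$fields, $message, $errors] = validate_demo_request($sample);
if ($errors) {
    // The CRLF in the email field is rejected here, before mail() is called.
    foreach ($errors as $e) { echo $e, "\n"; }
} else {
    $headers = "MIME-Version: 1.0\r\n"
             . "Content-Type: text/html; charset=UTF-8\r\n"
             . "From: AsiWeb <webserver@example.com>\r\n"
             // The visitor's address is only used in Reply-To after validation.
             . "Reply-To: " . $fields['email'] . "\r\n";
    mail('sales@example.com', 'Company Demo Request', build_body($fields, $message), $headers);
}
```

The To, From and Subject stay server-side constants exactly as in Bill's script; the one visitor-controlled value that touches a header (Reply-To) is admitted only after the CRLF and address checks, and everything destined for the HTML body is escaped rather than trusted.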
- Follow-Ups:
- Re: Securing an Email script
- From: shimmyshack
- Re: Securing an Email script
- From: Michael Fesser
- Re: Securing an Email script
- References:
- Securing an Email script
- From: Bill H
- Securing an Email script