Re: My contact form is not emailed to me
- From: Jerry Stuckle <jstucklex@xxxxxxxxxxxxx>
- Date: Tue, 19 Apr 2011 06:29:03 -0400
On 4/19/2011 12:33 AM, P E Schoen wrote:
> "Jerry Stuckle" wrote in message news:ioito7$1r5$1@xxxxxxxxxxxxxxxx
>> Just remember - never trust ANYTHING from the user. You may have
>> email addresses hardcoded into your forum. But there is NOTHING
>> which says the request has to come from YOUR form. They can make
>> up any form they want and send whatever data they want to your page.
> I realize that, but the authorized names and emails are hard coded in
> the PHP script which is invoked from the HTML form using POST variables.
> Of course, a hacker could figure that out and use his own form to try to
> access the script for mass emailing or whatever, but he would not get
> past the authentication without somehow knowing the names and addresses,
> and then also the password.
Which isn't that hard if you aren't using secure socket layer (https:...).
>> And I don't use htmlpurifier, but I would be very surprised if they
>> were to take out stuff which could be used to make your site a spam
>> relay. After all, things like newline characters are quite valid input
>> values. It's how they are used which makes a difference. And
>> htmlpurifier doesn't know how you're going to use it.
> The headers are pretty much hard-coded as well, except for including the
> name and email address of the user in the subject. Since they both must
> pass strict authentication, additional malevolent headers cannot be
> injected there. Everything else is formatted in the body of the message,
> which is passed through the purifier.
But the subject and from headers are NOT being properly authenticated in the code you posted earlier.
>> And finally - "only a small group of trusted members" is one of the
>> most famous lines used by people who got their website hacked.
>> That may be your intent. But hackers are good at getting around
>> restrictions, especially if you're not sure of what you're doing.
> I freely admit to not knowing all (or even most) of the "gotchas", but
> without lots of experience or extensive study of the subject, I don't
> know how to determine if what I have is "safe". I could probably submit
> the code to someone like you (probably for a fee), to review the code
> and fix the security leaks, or maybe I could find a benevolent hacker to
> attempt to hack the site.
That's where you need to study and learn. It isn't that hard, but it does take some studying.
Sure, you can hire someone to check your code - but you'll be much better off reading and learning on your own so you can write secure code.
Coding publicly available websites isn't that hard - but it does take care to ensure they are secure.
> What would be really useful would be a sort of "verifier" that would
> perform the usual attempts and then report on the degree of
> vulnerability. Is such a service available? I think it would be worth
> even a moderate "pay per view" of a dollar or two to obtain such a
> security risk report. I know that I would make good use of it, and it
> would also be helpful to the OP. My own site is being built on a
> volunteer basis for a non-profit organization (Sierra Club Greater
> Baltimore Group), so our funds are limited. I am actually hosting their
> site on my own server, because the portion of the National site that I
> am authorized to access does not have CGI capability.
>
> Thanks,
> Paul
There are way too many ways a hacker can get in for a verifier to try to hack your site. And hackers come up with new ways every day. It would be even harder to keep up with ways of hacking sites than it is for antivirus manufacturers to keep ahead of virus makers.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@xxxxxxxxxxxxx
==================
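The two points Jerry raises above, that newline characters in a header field turn a contact form into a spam relay and that the authentication must hold server-side because the request need not come from your form, as an added example. This is not code posted by anyone in the thread; the function names, the member address, the demo password and the site address are all hypothetical, and the allow-list hash is computed at run time only so the file runs stand-alone.

```php
<?php
// Added example for this thread, not code posted by anyone in it. A contact-form
// handler that rejects CR/LF in every header field and authenticates the sender
// server-side, so a request from an attacker's own form gains nothing. All
// function names, addresses and the demo password are hypothetical.
declare(strict_types=1);

// Hypothetical allow-list of authorized members: address => password hash.
// Hashed at run time only so this file runs stand-alone; in real code store
// precomputed password_hash() output, never plaintext passwords.
function authorizedSenders(): array
{
    static $list = null;
    if ($list === null) {
        $list = ['member@example.org' => password_hash('demo-pass', PASSWORD_DEFAULT)];
    }
    return $list;
}

// A POST field as a string. PHP turns "email[]=x" into an array, which would
// otherwise be cast to the literal string "Array" with a warning.
function field(array $post, string $key): string
{
    $value = $post[$key] ?? '';
    return is_string($value) ? $value : '';
}

// True if the value contains CR, LF, NUL or any other control character, i.e.
// anything that could end a header line and start a new one (Bcc:, Cc:, ...).
// PHP has already URL-decoded $_POST, so %0D%0A arrives here as a real CRLF.
function hasHeaderInjection(string $value): bool
{
    return preg_match('/[\x00-\x1F\x7F]/', $value) === 1;
}

// The address if it is injection-free and syntactically valid, otherwise null.
function cleanEmail(string $value): ?string
{
    $value = trim($value);
    if (strlen($value) > 254 || hasHeaderInjection($value)) {
        return null;
    }
    $valid = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Single-line, header-safe text: control characters collapsed, length capped.
function cleanHeaderText(string $value, int $max): string
{
    $value = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $value);
    return substr(trim($value), 0, $max);
}

function authenticate(string $email, string $password): bool
{
    $senders = authorizedSenders();
    return isset($senders[$email]) && password_verify($password, $senders[$email]);
}

// Builds the arguments for mail() from the POST data, or explains the refusal.
// The member's address goes in Reply-To, not From: the site's own address is
// the sender, which also keeps SPF/DMARC checks on your domain intact.
function buildMail(array $post, string $siteAddress = 'webmaster@example.org'): array
{
    $email = cleanEmail(field($post, 'email'));
    if ($email === null) {
        return ['ok' => false, 'reason' => 'invalid or unsafe e-mail address'];
    }
    $name = str_replace(['"', '<', '>'], '', cleanHeaderText(field($post, 'name'), 60));
    if ($name === '' || !authenticate($email, field($post, 'password'))) {
        return ['ok' => false, 'reason' => 'not an authorized member'];
    }

    $subject = 'Contact form: ' . cleanHeaderText(field($post, 'subject'), 80);
    // Newlines are legitimate in the body; only header fields must be single-line.
    $message = str_replace(["\r\n", "\r"], "\n", field($post, 'message'));
    $body = "Sent by: $name <$email>\n\n" . $message;
    $headers = implode("\r\n", [
        "From: Web Form <$siteAddress>",
        "Reply-To: \"$name\" <$email>",
        'Content-Type: text/plain; charset=UTF-8',
    ]);
    return ['ok' => true, 'to' => $siteAddress, 'subject' => $subject, 'body' => $body, 'headers' => $headers];
}

// Demo on constructed input (php contact.php). mail() stays commented out so the
// file runs anywhere without an MTA; uncomment it in the real handler.
if (PHP_SAPI === 'cli') {
    $good = ['name' => 'Pat Member', 'email' => 'member@example.org', 'password' => 'demo-pass',
             'subject' => 'Meeting', 'message' => "Line one\r\nLine two"];
    $injected = $good;
    $injected['email'] = "member@example.org\r\nBcc: list@spam.example";   // classic relay attempt
    $forged = $good;
    $forged['password'] = 'guess';                                        // attacker's own form
    foreach (['good' => $good, 'injected' => $injected, 'forged' => $forged] as $label => $post) {
        $r = buildMail($post);
        echo $label, ': ', $r['ok'] ? 'accepted' : 'rejected (' . $r['reason'] . ')', "\n";
        // if ($r['ok']) { mail($r['to'], $r['subject'], $r['body'], $r['headers']); }
    }
}
```

The injected address is refused twice over: hasHeaderInjection() sees the CRLF, and filter_var() with FILTER_VALIDATE_EMAIL would not accept it either. The forged request fails on the password check regardless of which form sent it. None of this helps if the form is served over plain HTTP, since the member's password then crosses the network in the clear, which is the point Jerry makes about SSL above.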