Steffen Kaiser wrote:
> You wrote that you've disabled CGI --
> Dunno, but I wouldn't weigh PHP as more secure than "general" CGI ??
With header injection attacks, it doesn't really matter whether the
target is PHP or CGI. It's a matter of how the message actually gets
sent. With PHP's mail function, you build up the headers in a single
string and the whole thing is passed to sendmail. Any To:, Cc:, or Bcc:
fields found in that list are added to the recipients. A CGI script
that called sendmail with the -t option would have the same problem:
If the script takes user input for any header, it's possible for an
attacker to pass in something like
"I have a question\nBcc: [EMAIL PROTECTED]"
and insert extra headers into the outgoing message. If they add "\n\n"
they can even insert their own message body.
This could probably be avoided if PHP's mail function used some sort of
structure for the headers where each header was a separate string, but
as things are you need to sanitize any user-supplied data that you use
in any header.
One way you can test your own scripts for this is to create a copy of
your form and replace all your <input> and <select> elements with
<textarea> (even checkboxes and radio buttons). That way you can try
passing the script multi-line fields and see whether it accepts the
extra lines, strips them out, or converts the newlines to spaces and
wraps the extra-long headers.
--
Kelson Vibber
SpeedGate Communications <www.speed.net>
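The failure mode described in the post, as an added illustration in Python rather than PHP (this is not code from the post or from MIMEDefang): one function concatenates a user-supplied Subject straight into the header block, a second approximates how `sendmail -t` harvests recipients from To:/Cc:/Bcc: lines, and a third shows the two defensive choices the post mentions for any user-controlled header value, rejecting line breaks outright or folding them into spaces. The attacker-style input and all addresses are constructed placeholders.

```python
import re

# Constructed input in the shape the post quotes: a multi-line "subject" that
# smuggles a Bcc: header and, after a blank line, its own message body.
INJECTED_SUBJECT = (
    "I have a question\n"
    "Bcc: attacker@example.invalid\n"
    "\n"
    "Unwanted body text"
)


def build_message_naive(to, subject, body):
    """Mimic a script that pastes user input directly into the header block,
    the single-string pattern the post describes for PHP's mail()."""
    headers = f"To: {to}\nSubject: {subject}\n"
    return headers + "\n" + body


def recipients_from_message(message):
    """Approximate what `sendmail -t` does: scan the header block (everything
    before the first blank line) for To:, Cc: and Bcc: and treat every address
    found there as a delivery recipient."""
    header_block = message.replace("\r\n", "\n").split("\n\n", 1)[0]
    recipients = []
    for line in header_block.split("\n"):
        m = re.match(r"(?i)^(to|cc|bcc):\s*(.+)$", line)
        if m:
            recipients.extend(addr.strip() for addr in m.group(2).split(","))
    return recipients


def attacker_controlled_body(message):
    """Return the body as the MTA would see it; with a "\\n\\n" in a header
    value, the text after it becomes the body."""
    return message.replace("\r\n", "\n").split("\n\n", 1)[1]


def sanitize_header_value(value, mode="reject"):
    """Defensive handling for any user-supplied header field value.

    mode="reject": refuse the input if it contains CR or LF (strictest).
    mode="fold":   collapse line breaks to a single space so the value can
                   only ever occupy one header line (the "converts the
                   newlines to spaces" behaviour the post mentions).
    """
    if mode == "reject":
        if "\r" in value or "\n" in value:
            raise ValueError("header value contains a line break")
        return value
    if mode == "fold":
        return re.sub(r"[\r\n]+", " ", value).strip()
    raise ValueError(f"unknown mode {mode!r}")


def build_message_safe(to, subject, body, mode="reject"):
    """Same construction as the naive version, but every user-supplied header
    value passes through sanitize_header_value first."""
    return build_message_naive(to, sanitize_header_value(subject, mode), body)


if __name__ == "__main__":
    naive = build_message_naive("support@example.invalid", INJECTED_SUBJECT, "hi")
    print("naive recipients:", recipients_from_message(naive))
    print("naive body starts with:", attacker_controlled_body(naive).splitlines()[0])
    folded = build_message_safe("support@example.invalid", INJECTED_SUBJECT, "hi", mode="fold")
    print("folded recipients:", recipients_from_message(folded))
    try:
        build_message_safe("support@example.invalid", INJECTED_SUBJECT, "hi")
    except ValueError as exc:
        print("reject mode:", exc)
```

Run stand-alone, the naive build shows the injected address among the recipients and the attacker's text as the body; the folded build keeps the extra lines inside the Subject, and reject mode refuses the input before anything is handed to the MTA. The sanitizer is the piece to run over every header field a form can influence, not only Subject.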
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list [email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang