Hi All, Some time ago, I posted details of how some of my PHP forms have been subjected to injection attacks. I thought that I'd closed the door on spammy, but now I'm not too sure and so turn to the community for more help.
There is some info on injection attacks at http://securephp.damonkohler.com/index.php/Email_Injection

All my forms have predefined To:, Reply-To:, From:, and Subject: fields, leaving only the body to be built by my scripts. Yet some attacks might have succeeded.

To combat future attacks, I've created a function to check for the presence of additional recipients (actually, it's looking for "TO:" or "CC:" in the body cast to uppercase), and my script sends a warning to me and returns an error to the user if these are found.

Some attacks got around this measure by encoding the injected text. For example, an attacker might inject a BCC: field by encoding it as %62%63%63%3A. Following advice from this list, I amended the function by using urldecode() to present only plain text to the filter. Then I noticed that some attacks got through, and all those that succeeded contained an injected CONTENT-TYPE: header, so I added a check for that. However, I'm still getting messages that should be trapped.

Here's the function so far:

    function CheckForAddressInjection ($str) {
        // Decode once so encoded forms such as %62%63%63%3A ("bcc:") become
        // visible, then uppercase so the comparisons are case-insensitive.
        $tempstr = strtoupper(urldecode($str));
        // strpos() returns 0 (which is falsy) when the match sits at the very
        // start of the string, so each result is compared against false.
        return ( strpos($tempstr, "TO:") !== false
              or strpos($tempstr, "CC:") !== false
              or strpos($tempstr, "CONTENT-TYPE:") !== false
              or strpos($tempstr, "SUBJECT:") !== false );
    }

(please excuse the wrapping!)

Here's the injected subject header from an attack that might have succeeded:

    Subject: he
    Content-Type: text/plain; charset="us-ascii"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit
    Subject: then it
    bcc: [EMAIL PROTECTED]
    65bd1a0d3f05b9823bf64c83c7a5ded7
    .

This was injected into the body and passed to my function. It has two strings that should have triggered the trap, yet my function didn't pick it up.

Help!!!!

TIA,
--
Geoff Lane
Cornwall, UK
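As an added example (not Geoff's code), a stricter version of the same check: any field that is copied into a mail header is rejected outright if it contains a CR or LF, and the body is treated as suspect when any line, after bounded URL decoding, starts with a mail header name. Function names are hypothetical, and the sample input is constructed from the injected text quoted in the post.

```php
<?php
// Added example, not code from the original post. Function names are hypothetical.

// Fields that become mail headers (To, Subject, Reply-To, ...) must never hold
// a line break: a CR or LF is what lets injected text start a new header.
function headerFieldIsClean(string $value): bool
{
    return preg_match('/[\r\n]/', $value) !== 1;
}

// Decode repeatedly, with a bound, so double-encoded text (%2562...) is exposed
// as well as singly encoded text such as %62%63%63%3A ("bcc:").
function fullyDecode(string $s, int $maxRounds = 3): string
{
    for ($i = 0; $i < $maxRounds; $i++) {
        $next = urldecode($s);
        if ($next === $s) {
            break;
        }
        $s = $next;
    }
    return $s;
}

// The body is suspect if any line begins with a header name. Anchoring at the
// line start (/m) with preg_match() avoids the strpos() pitfall where a match
// at offset 0 is returned as the falsy value 0.
function bodyLooksInjected(string $body): bool
{
    $decoded = fullyDecode($body);
    $pattern = '/^\s*(to|cc|bcc|from|reply-to|subject|content-type|mime-version|content-transfer-encoding)\s*:/mi';
    return preg_match($pattern, $decoded) === 1;
}

// Constructed sample modelled on the injected text quoted in the post; the
// headers are CRLF-separated as they would be in the real submission.
$sample = "he\r\nContent-Type: text/plain; charset=\"us-ascii\"\r\nMIME-Version: 1.0\r\n"
        . "Content-Transfer-Encoding: 7bit\r\nSubject: then it\r\nbcc: someone@example.invalid\r\n";

var_dump(bodyLooksInjected($sample));                               // quoted attack text
var_dump(bodyLooksInjected("%62%63%63%3A x"));                      // decodes to "bcc: x"
var_dump(bodyLooksInjected("Please contact me about my order."));   // ordinary message
var_dump(headerFieldIsClean("Order enquiry\r\nBcc: x@example.invalid")); // subject with CRLF
```

Checking the header-bound fields for line breaks is the part that actually closes the hole; the body scan only reports attempts, since a body that the script never places into a header cannot add recipients on its own.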
