Re: [PHP] php 'mail()' security

2002-07-28 Thread Tech Support

There is no substitute for good data verification such as strip_tags() or
some regular expressions to limit valid input. I also would recommend
checking the referrer to be sure someone doesn't hijack your form and try to
modify it and submit it from a remote location. Here is an example:

if (validReferrer() === false)
    die('invalid referrer');

function validReferrer()
{
    $_valid_referrers = array('www.yoursite.com', 'www2.yoursite.com', 'yoursite.com');
    // no referrer at all (direct request, or a browser/proxy that strips it) fails the check
    if (empty($_SERVER['HTTP_REFERER']))
        return false;
    // "http://host/path" becomes "http:/host/path", so after the split
    // element 1 is the host name
    $referer = str_replace('//', '/', $_SERVER['HTTP_REFERER']);
    $ref = explode('/', $referer);
    if (isset($ref[1]) && in_array($ref[1], $_valid_referrers))
        return true;
    else
        return false;
}

Jim Grill
Support
Web-1 Hosting
http://www.web-1hosting.net
- Original Message -
From: Dennis Gearon [EMAIL PROTECTED]
To: Bob Lockie [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Saturday, July 27, 2002 10:54 PM
Subject: Re: [PHP] php 'mail()' security


 What I meant was, how to sanitize the input on the forms so that
 malicious stuff cannot be put as commands, etc. in the email address, or
 body, or 'extra' field of the 'mail()' function in PHP.
 --
 -
 Joy is just a thing (to be).. raised on,
 Love is just the way to Live and Die,
 John Denver.
 -
 He lost a friend, but kept his Memory (also John Denver),
 Thank you...John Corones...my friend always.
 -
 Look lovingly upon the present,
 for it holds the only things that are forever true.
 -
 Sincerely, Dennis Gearon (Kegley)

 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php






-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




RE: [PHP] php 'mail()' security

2002-07-28 Thread John Holmes

HTTP_REFERRER can be spoofed quite easily with some browsers. 

The best way to handle this is to provide as much of your own data as
possible, and validate anything you do end up using from the user.

For instance, use your own subject, make sure the To: address comes from
you (a file or database, whatever), etc... Make sure anything coming
from the user, that you put into the headers, subject, from, reply-to,
etc... do not have any line breaks. A simple str_replace or something to
remove them, or pop up an error if they are there, will work.

The less user data you can use the better. It gives them less of a
chance to insert extra headers, which is pretty much the only threat. If
there's a possibility of the email not being shown as plain text, then
you'll want to use strip_tags() like others mentioned. 

---John Holmes...

 -Original Message-
 From: Tech Support [mailto:[EMAIL PROTECTED]]
 Sent: Sunday, July 28, 2002 10:57 AM
 To: Dennis Gearon; Bob Lockie
 Cc: [EMAIL PROTECTED]
 Subject: Re: [PHP] php 'mail()' security
 
 There is no substitute for good data verification such as strip_tags() or
 some regular expressions to limit valid input. I also would recommend
 checking the referrer to be sure someone doesn't hijack your form and try
 to modify it and submit it from a remote location. Here is an example:
 
 if (validReferrer() === false)
     die('invalid referrer');
 
 function validReferrer()
 {
     $_valid_referrers = array('www.yoursite.com', 'www2.yoursite.com', 'yoursite.com');
     // no referrer at all (direct request, or a browser/proxy that strips it) fails the check
     if (empty($_SERVER['HTTP_REFERER']))
         return false;
     // "http://host/path" becomes "http:/host/path", so after the split
     // element 1 is the host name
     $referer = str_replace('//', '/', $_SERVER['HTTP_REFERER']);
     $ref = explode('/', $referer);
     if (isset($ref[1]) && in_array($ref[1], $_valid_referrers))
         return true;
     else
         return false;
 }
 






Re: [PHP] php 'mail()' security

2002-07-28 Thread Bob Lockie


There is no substitute for good data verification such as strip_tags() or
some regular expressions to limit valid input. I also would recommend
checking the referrer to be sure someone doesn't hijack your form and try to
modify it and submit it from a remote location. Here is an example:

if (validReferrer() === false)
    die('invalid referrer');

function validReferrer()
{
    $_valid_referrers = array('www.yoursite.com', 'www2.yoursite.com', 'yoursite.com');
    // no referrer at all (direct request, or a browser/proxy that strips it) fails the check
    if (empty($_SERVER['HTTP_REFERER']))
        return false;
    // "http://host/path" becomes "http:/host/path", so after the split
    // element 1 is the host name
    $referer = str_replace('//', '/', $_SERVER['HTTP_REFERER']);
    $ref = explode('/', $referer);
    if (isset($ref[1]) && in_array($ref[1], $_valid_referrers))
        return true;
    else
        return false;
}

That is a good idea.
$_SERVER['HTTP_REFERER'] is the web server identifier, right?
My web server is 10.0.0.5 from the internal LAN.
I am hesitant to allow HTTP_REFERERs from 10.0.0.5 because it seems to me that it 
would be easy enough to configure a strange box
to imitate 10.0.0.5.
Can I somehow check that the HTTP_REFERER = localhost?








Re: [PHP] php 'mail()' security

2002-07-28 Thread Tech Support

I think you are looking for something different.

do this:

print "<pre>";
print_r($_SERVER);   // dumps every request/server variable, HTTP_REFERER included
print "</pre>";

You will see a whole bunch of useful globals. As a matter of fact, try this
one out too:

print "<pre>";
print_r($GLOBALS);   // everything in the global scope, including the superglobals
print "</pre>";

Jim Grill
Support
Web-1 Hosting
http://www.web-1hosting.net
- Original Message -
From: Bob Lockie [EMAIL PROTECTED]
To: Dennis Gearon [EMAIL PROTECTED]; Tech Support
[EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Sunday, July 28, 2002 1:19 PM
Subject: Re: [PHP] php 'mail()' security



 That is a good idea.
 $_SERVER['HTTP_REFERER'] is the web server identifier, right?
 My web server is 10.0.0.5 from the internal LAN.
 I am hesitant to allow HTTP_REFERERs from 10.0.0.5 because it seems to me
that it would be easy enough to configure a strange box
 to imitate 10.0.0.5.
 Can I somehow check that the HTTP_REFERER = localhost?












Re: [PHP] php 'mail()' security

2002-07-28 Thread Dennis Gearon

No, but thanks, the other input is more towards what I was looking for.
I want to take in an email address, and various other fields. Then, send
an email using 'mail()' with the other fields as the 'body', and the
email address as the 'reply_to' address, to someone in my company. That
way, they can read the submitted information, and then just hit 'reply'
on their mail program when they want to comment on the material.

Tech Support [EMAIL PROTECTED] wrote:
 
 I think you are looking for something different.
 
 do this:
 
 print "<pre>";
 print_r($_SERVER);
 print "</pre>";
 
 You will see a whole bunch of useful globals. As a matter of fact, try this
 one out too:
 
 print "<pre>";
 print_r($GLOBALS);
 print "</pre>";
 

-
Joy is just a thing (to be).. raised on,
Love is just the way to Live and Die,
John Denver.
-
He lost a friend, but kept his Memory (also John Denver),
Thank you...John Corones...my friend always.
-
Look lovingly upon the present,
for it holds the only things that are forever true.
-
Sincerely, Dennis Gearon (Kegley)


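The handler Dennis describes (the submitter's address as Reply-To, the other fields as the body), written the way John Holmes recommends above, as an added example that is not code from the thread; the field names, recipient and sender addresses are assumptions:

```php
<?php
// Added example (not code from the thread): a form-to-mail handler built the
// way the posts above recommend. To: and Subject: are fixed on the server;
// the only user value that reaches a header is the Reply-To address, which is
// checked for line breaks and shape first. Field names ($_POST['email'],
// $_POST['message']) and the addresses are assumptions.

// A CR or LF inside a header value ends that header and starts another,
// which is how extra recipients get smuggled in. Refuse, do not "repair".
function header_value_is_safe($value)
{
    return is_string($value)
        && strpos($value, "\r") === false
        && strpos($value, "\n") === false;
}

// One bare address: local part, "@", host with a dot; no spaces, angle
// brackets, commas or quotes, so it cannot carry a second recipient.
function is_safe_reply_address($addr)
{
    return header_value_is_safe($addr)
        && preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/', $addr) === 1;
}

// Body text may contain newlines, but in case a mail client renders it as
// HTML the tags are stripped, as the thread suggests.
function clean_body($text)
{
    return trim(strip_tags((string) $text));
}

function send_contact_mail(array $post)
{
    $email = isset($post['email']) ? trim($post['email']) : '';
    if (!is_safe_reply_address($email)) {
        return false;
    }
    $to      = 'sales@example.com';        // assumed; server-controlled
    $subject = 'Web form submission';      // server-controlled, not from the form
    $body    = clean_body(isset($post['message']) ? $post['message'] : '') . "\n";
    $headers = "From: webform@example.com\r\n"    // assumed sender
             . "Reply-To: " . $email . "\r\n";
    return mail($to, $subject, $body, $headers);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    echo send_contact_mail($_POST) ? 'Thank you.' : 'Invalid submission.';
}
```

Rejecting a bad address outright, rather than stripping characters out of it, keeps the check simple to reason about and gives the submitter an error instead of a silently altered Reply-To.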



Re: [PHP] php 'mail()' security

2002-07-27 Thread Bob Lockie

On Sat, 27 Jul 2002 17:31:16 -0700, Dennis Gearon wrote:

How can I make my form which entered by a user, then sent to a company
employee, secure, not vulnerable attack?

Setup SSL on your web server.








Re: [PHP] php 'mail()' security

2002-07-27 Thread Dennis Gearon

What I meant was, how to sanitize the input on the forms so that
malicious stuff cannot be put as commands, etc. in the email address, or
body, or 'extra' field of the 'mail()' function in PHP.
-- 
-
Joy is just a thing (to be).. raised on,
Love is just the way to Live and Die,
John Denver.
-
He lost a friend, but kept his Memory (also John Denver),
Thank you...John Corones...my friend always.
-
Look lovingly upon the present,
for it holds the only things that are forever true.
-
Sincerely, Dennis Gearon (Kegley)





RE: [PHP] PHP mail() security hole on 4.0.5+

2001-07-19 Thread Johnson, Kirk

 -Original Message-
 From: Michael Geier, CDM Systems Admin [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, July 19, 2001 9:39 AM
 To: PHP Mailing List
 Subject: [PHP] PHP mail() security hole on 4.0.5+
 
 
 http://www.net-security.org/text/bugs/995534103,28541,.shtml

Anyone have suggestions on a quick fix for this? Is there some sort of
validation on the user input that should be done?

TIA

Kirk

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




RE: [PHP] PHP mail() security hole on 4.0.5+

2001-07-19 Thread Rasmus Lerdorf

  -Original Message-
  From: Michael Geier, CDM Systems Admin [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, July 19, 2001 9:39 AM
  To: PHP Mailing List
  Subject: [PHP] PHP mail() security hole on 4.0.5+
 
 
  http://www.net-security.org/text/bugs/995534103,28541,.shtml

 Anyone have suggestions on a quick fix for this? Is there some sort of
 validation on the user input that should be done?

Note that it is only a problem on shared servers where safe-mode is turned
on.  For those servers a really quick-fix is to disable the mail function
in your php.ini file.

A better fix is to apply this patch:

http://cvs.php.net/viewcvs.cgi/php4/ext/standard/mail.c.diff?r1=text&tr1=1.33&r2=text&tr2=1.38&diff_format=u

-Rasmus

