Home » Imported messages » comp.lang.php » My contact form is not emailed to me
Re: My contact form is not emailed to me [message #173571 is a reply to message #173567] Tue, 19 April 2011 04:33
P E Schoen
Messages: 86
Registered: January 2011
"Jerry Stuckle" wrote in message news:ioito7$1r5$1(at)dont-email(dot)me...

> Just remember - never trust ANYTHING from the user. You may have
> email addresses hardcoded into your forum. But there is NOTHING
> which says the request has to come from YOUR form. They can make
> up any form they want and send whatever data they want to your page.

I realize that, but the authorized names and emails are hard coded in the
PHP script which is invoked from the HTML form using POST variables. Of
course, a hacker could figure that out and use his own form to try to access
the script for mass emailing or whatever, but he would not get past the
authentication without somehow knowing the names and addresses, and then
also the password.

> And I don't use htmlpurifier, but I would be very surprised if they
> were to take out stuff which could be used to make your site a spam
> relay. After all, things like newline characters are quite valid input
> values. It's how they are used which makes a difference. And
> htmlpurifier doesn't know how you're going to use it.

The headers are pretty much hard-coded as well, except for including the
name and email address of the user in the subject. Since they both must pass
strict authentication, additional malevolent headers cannot be injected
there. Everything else is formatted in the body of the message, which is
passed through the purifier.

> And finally - "only a small group of trusted members" is one of the
> most famous lines used by people who got their website hacked.
> That may be your intent. But hackers are good at getting around
> restrictions, especially if you're not sure of what you're doing.

I freely admit to not knowing all (or even most) of the "gotchas", but
without lots of experience or extensive study of the subject, I don't know
how to determine if what I have is "safe". I could probably submit the code
to someone like you (probably for a fee), to review the code and fix the
security leaks, or maybe I could find a benevolent hacker to attempt to hack
the site.

What would be really useful would be a sort of "verifier" that would perform
the usual attempts and then report on the degree of vulnerability. Is such a
service available? I think it would be worth even a moderate "pay per view"
of a dollar or two to obtain such a security risk report. I know that I
would make good use of it, and it would also be helpful to the OP. My own
site is being built on a volunteer basis for a non-profit organization
(Sierra Club Greater Baltimore Group), so our funds are limited. I am
actually hosting their site on my own server, because the portion of the
National site that I am authorized to access does not have CGI capability.

Thanks,

Paul
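The two controls the exchange above turns on, a hard-coded allowlist of authorized senders and refusing header-bound fields that contain newline characters, are easy to show in a small handler. The following is an added example written for this page, not code from either poster; the member names, addresses, the recipient mailbox and the request array are constructed placeholders, and the password check the poster mentions is left out so the header-handling logic stays in view.

```php
<?php
// Added example, not from the thread: a contact-form handler applying an
// allowlist of authorized senders and rejecting CR/LF in any value that
// will be placed in a mail header. All names and addresses are placeholders.

declare(strict_types=1);

// Hard-coded authorized members (constructed placeholder data).
const AUTHORIZED = [
    'Alice Example' => 'alice@example.org',
    'Bob Example'   => 'bob@example.org',
];

// Fixed destination mailbox; it is never read from the request, so a forged
// form cannot turn the script into a relay to arbitrary addresses.
const RECIPIENT = 'webmaster@example.org';

/**
 * True if $value may be placed in a mail header: no CR, LF or NUL, the
 * characters that would let a submitted value start an extra header line.
 */
function isHeaderSafe(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

/**
 * Exact-match check of the submitted name/email pair against the allowlist.
 * Exact comparison means a value carrying extra characters can never match.
 */
function isAuthorizedSender(string $name, string $email): bool
{
    return isset(AUTHORIZED[$name]) && AUTHORIZED[$name] === $email;
}

/**
 * Validate the POST fields and build the mail() arguments, or return null
 * when the request must be rejected. Only validated values reach the header
 * block; the free-text message goes into the body and nowhere else.
 */
function buildMessage(array $post): ?array
{
    $name  = trim((string)($post['name'] ?? ''));
    $email = trim((string)($post['email'] ?? ''));
    $body  = (string)($post['message'] ?? '');

    if (!isHeaderSafe($name) || !isHeaderSafe($email)) {
        return null; // newline in a header-bound field: reject
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null; // not a syntactically valid address
    }
    if (!isAuthorizedSender($name, $email)) {
        return null; // not one of the trusted members
    }

    // Subject carries the validated name and address, as described above.
    $subject = sprintf('Contact form: %s <%s>', $name, $email);
    $headers = [
        'From: ' . RECIPIENT,                       // fixed sender
        'Reply-To: ' . $email,                      // validated member address
        'Content-Type: text/plain; charset=UTF-8',
    ];

    return [
        'to'      => RECIPIENT,
        'subject' => $subject,
        'body'    => wordwrap($body, 70, "\r\n"),
        'headers' => implode("\r\n", $headers),
    ];
}

// Usage with a constructed request; in production this would be $_POST.
$sample = ['name' => 'Alice Example', 'email' => 'alice@example.org', 'message' => 'Hello'];
$msg = buildMessage($sample);
if ($msg === null) {
    http_response_code(400);
    exit('Rejected');
}
// mail($msg['to'], $msg['subject'], $msg['body'], $msg['headers']);
```

The order of checks matters less than the fact that every value destined for a header passes both the newline test and the exact allowlist match, and that the destination address is a constant. A client-side form can always be bypassed, as the quoted reply says, so the handler treats the request as untrusted regardless of where it came from; a rejected request simply produces no mail.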