| Re: My contact form is not emailed to me [message #173579 is a reply to message #173571] |
Tue, 19 April 2011 10:29   |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma:
|
Senior Member |
|
|
On 4/19/2011 12:33 AM, P E Schoen wrote:
> "Jerry Stuckle" wrote in message news:ioito7$1r5$1(at)dont-email(dot)me...
>
>> Just remember - never trust ANYTHING from the user. You may have
>> email addresses hardcoded into your forum. But there is NOTHING
>> which says the request has to come from YOUR form. They can make
>> up any form they want and send whatever data they want to your page.
>
> I realize that, but the authorized names and emails are hard coded in
> the PHP script which is invoked from the HTML form using POST variables.
> Of course, a hacker could figure that out and use his own form to try to
> access the script for mass emailing or whatever, but he would not get
> past the authentication without somehow knowing the names and addresses,
> and then also the password.
>
Which isn't that hard if you aren't using secure socket layer (https:...).
>> And I don't use htmlpurifier, but I would be very surprised if they
>> were to take out stuff which could be used to make your site a spam
>> relay. After all, things like newline characters are quite valid input
>> values. It's how they are used which makes a difference. And
>> htmlpurifier doesn't know how you're going to use it.
>
> The headers are pretty much hard-coded as well, except for including the
> name and email address of the user in the subject. Since they both must
> pass strict authentication, additional malevolent headers cannot be
> injected there. Everything else is formatted in the body of the message,
> which is passed through the purifier.
>
But the subject and from headers are NOT being properly authenticated in
the code you posted earlier.
>> And finally - "only a small group of trusted members" is one of the
>> most famous lines used by people who got their website hacked.
>> That may be your intent. But hackers are good at getting around
>> restrictions, especially if you're not sure of what you're doing.
>
> I freely admit to not knowing all (or even most) of the "gotchas", but
> without lots of experience or extensive study of the subject, I don't
> know how to determine if what I have is "safe". I could probably submit
> the code to someone like you (probably for a fee), to review the code
> and fix the security leaks, or maybe I could find a benevolent hacker to
> attempt to hack the site.
>
That's where you need to study and learn. It isn't that hard, but it
does take some studying.
Sure, you can hire someone to check your code - but you'll be much
better off reading and learning on your own so you can write secure code.
Coding publicly available websites isn't that hard - but it does take
care to ensure they are secure.
> What would be really useful would be a sort of "verifier" that would
> perform the usual attempts and then report on the degree of
> vulnerability. Is such a service available? I think it would be worth
> even a moderate "pay per view" of a dollar or two to obtain such a
> security risk report. I know that I would make good use of it, and it
> would also be helpful to the OP. My own site is being built on a
> volunteer basis for a non-profit organization (Sierra Club Greater
> Baltimore Group), so our funds are limited. I am actually hosting their
> site on my own server, because the portion of the National site that I
> am authorized to access does not have CGI capability.
>
> Thanks,
>
> Paul
There are way too many ways a hacker can get in for a verifier to try to
hack your site. And hackers come up with new ways every day. It would
be even harder to keep up with ways of hacking sites than it is for
antivirus manufacturers to keep ahead of virus makers.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
Calendar
Search
Help
Members
Register
Login
Home
]