Re: My contact form is not emailed to me [message #173622 is a reply to message #173619]
Wed, 20 April 2011 20:55
Jerry Stuckle
Messages: 2598 Registered: September 2010
On 4/20/2011 1:46 PM, P E Schoen wrote:
> "Jerry Stuckle" wrote in message news:iojo5j$jpo$1(at)dont-email(dot)me...
>
> On 4/19/2011 12:33 AM, P E Schoen wrote:
>
>>> I realize that, but the authorized names and emails are hard coded in
>>> the PHP script which is invoked from the HTML form using POST
>>> variables. Of course, a hacker could figure that out and use his own
>>> form to try to access the script for mass emailing or whatever, but he
>>> would not get past the authentication without somehow knowing the
>>> names and addresses, and then also the password.
>
>> Which isn't that hard if you aren't using secure socket layer
>> (https:...).
>
> The only way I understand would be possible to do this is by listening
> to the data over the network and identifying the CGI variables with that
> information. I suppose that is possible if someone was using a public
> network to access the PHP script. But I doubt that a hacker would want
> to put in that much effort. The content is being used for public
> announcements anyway, so the data is not sensitive.
>
Which can be done a number of ways by a sniffer. You just have to be in
the right place.
For instance, it's not well publicized but in many residential locations
with cable, everyone in a neighborhood is on the same cable - and can
see each other's traffic with the right software.
>>> The headers are pretty much hard-coded as well, except for including
>>> the name and email address of the user in the subject. Since they both
>>> must pass strict authentication, additional malevolent headers cannot
>>> be injected there. Everything else is formatted in the body of the
>>> message, which is passed through the purifier.
>
>> But the subject and from headers are NOT being properly authenticated
>> in the code you posted earlier.
>
> The subject and from headers are as follows:
>
> $subject = "Form data from {$in['Full_Name']}";
> //This has been validated from a hard-coded list
> $sender = "paul(at)example(dot)com";
> $recipient= 'paul(at)example(dot)com' ;
> mail( $recipient, $subject, $message, "From: $sender" );
>
> I see that I have used my email address for both the sender and
> recipient. I'm not really sure why I did that, but IIRC I was having
> problems and I thought it was because the email was actually sent from
> my server's email function and the sender had to match. So the subject
> is actually used to indicate who had used the entry form.
>
But your subject can still be a source of injection.
>> That's where you need to study and learn. It isn't that hard,
>> but it does take some studying.
>
> Yes, if this were a major part of what I do, then I'd have to do that.
> But I have found that the people who submit activity listings do not
> even try to make use of this, so I will probably just have to maintain
> the website manually. It may be helpful to me to use this system, but
> otherwise it has become mostly a learning experience, and that just in a
> small way. Most of my time is spent on electronic engineering, PIC code,
> and Windows application programming. And also checking out newsgroups
> such as this for interesting discussions.
>
There is no excuse for writing insecure code, especially when it's on
the internet. How will your client feel if their IP gets blacklisted -
and even worse, their host cancels their account? It does happen, and
it's serious.
>> Sure, you can hire someone to check your code - but you'll be
>> much better off reading and learning on your own so you can
>> write secure code.
>
>> Coding publicly available websites isn't that hard - but it does
>> take care to ensure they are secure.
>
>> There are way too many ways a hacker can get in for a verifier to
>> try to hack your site. And hackers come up with new ways every
>> day. It would be even harder to keep up with ways of hacking
>> sites than it is for antivirus manufacturers to keep ahead of
>> virus makers.
>
> I can see that, but maybe there are some common attack modes that could
> be attempted to see how vulnerable a site may be. Even if it required
> human interaction, it would be a valuable service that I would be
> willing to pay for. It's difficult for a beginner with limited time and
> motivation to learn all the methods of attack and the usual ways to
> reduce vulnerability.
>
An understanding of security concerns and care when programming will do
that much better than a verifier will.
> Perhaps you could provide a link to the PHP code for a secure form
> mailing application?
>
Sorry, I write my own. I don't use much packaged software.
> Thanks,
>
> Paul
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
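The subject/From construction quoted in this exchange, rewritten so that a line break in Full_Name can never become an extra mail header. This is an added example, not code from either poster; the function names, the authorised-name list and the sample inputs are constructed for illustration.

```php
<?php
// Hard-coded list of authorised submitters, standing in for the one the
// original script keeps (constructed sample values).
const AUTHORISED_NAMES = ['Paul Schoen', 'Jane Example'];

/**
 * Refuse any value that could terminate the current header and start a new
 * one. CR, LF and NUL are the characters mail() would pass straight through
 * into the header block if they appeared in $subject or the From: line.
 */
function assert_single_header_line(string $value, string $field): string
{
    if (preg_match('/[\r\n\0]/', $value) === 1) {
        throw new InvalidArgumentException("$field contains line-break or NUL characters");
    }
    return $value;
}

/** Build the subject from a name that is both well-formed and on the list. */
function build_subject(string $fullName): string
{
    $fullName = assert_single_header_line($fullName, 'Full_Name');
    // Strict comparison: "validated from a hard-coded list" only helps when
    // the comparison cannot be satisfied by a lookalike value.
    if (!in_array($fullName, AUTHORISED_NAMES, true)) {
        throw new InvalidArgumentException('Full_Name is not on the authorised list');
    }
    // Length cap keeps an overlong subject from being folded across lines by the MTA.
    return 'Form data from ' . substr($fullName, 0, 80);
}

/** Sender and recipient are fixed server-side; only the body carries free text. */
function send_form_mail(array $in, string $message): bool
{
    $subject   = build_subject((string) ($in['Full_Name'] ?? ''));
    $sender    = 'paul@example.com';   // placeholder, never taken from the form
    $recipient = 'paul@example.com';   // placeholder
    return mail($recipient, $subject, $message, "From: $sender");
}

// Constructed inputs: a legitimate name and one carrying an embedded line break.
foreach (['Paul Schoen', "Paul Schoen\r\nBcc: other@example.com"] as $name) {
    try {
        echo build_subject($name), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The second input is rejected before it reaches the list check, so even a list comparison that was later loosened would not reopen the header.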