FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » My contact form is not emailed to me
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: My contact form is not emailed to me [message #173626 is a reply to message #173625] Thu, 21 April 2011 03:44 Go to previous messageGo to previous message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma:
Senior Member
On 4/20/2011 7:58 PM, P E Schoen wrote:
> "Jerry Stuckle" wrote in message news:ionh8d$qbc$1(at)dont-email(dot)me...
>
>> On 4/20/2011 1:46 PM, P E Schoen wrote:
>
>>> The only way I understand would be possible to do this is by listening
>>> to the data over the network and identifying the CGI variables with
>>> that information.
>
>> Which can be done a number of ways by a sniffer. You just have to
>> be in the right place.
>
>> For instance, it's not well publicized but in many residential
>> locations with cable, everyone in an neighborhood is on the same cable
>> - and
>> can see each others traffic with the right software.
>
> I have FIOS and a WiFi router, but I have no control over what potential
> users may have. However, I still don't think anyone would be that much
> interested in hacking this site. And I would assume that the only damage
> could be the use of the emailer for spam, but that seems very unlikely,
> and I don't think it even can be done using my script.
>

Famous last words by people who's sites got hacked.

>>> The subject and from headers are as follows:
>>
>>> $subject = "Form data from {$in['Full_Name']}";
>>> //This has been validated from a hard-coded list
>>> $sender = "paul(at)example(dot)com";
>>> $recipient= 'paul(at)example(dot)com' ;
>>> mail( $recipient, $subject, $message, "From: $sender" );
>
>> But your subject can still be a source of injection.
>
> I cannot see how that is possible. The authorization code at the front
> end requires the $in['Full_Name'] to be one of the authorized names
> hard-coded in an array. If it contains anything else, the script dies.
> So I can't see how anyone could inject anything malevolent.
>

Subject does not require an "authorized name". It an easily be used for
injection.

>> There is no excuse for writing insecure code, especially when it's
>> in the internet. How will your client feel if their ip gets
>> blacklisted - and even worse, their host cancels their account? It
>> does happen,
>> and it's serious.
>
> My "client" is just a small group of volunteers who may want to post
> notices of events to be available from the group's website. I am only
> using the Sierra Club National site to have a placeholder HTML page
> which redirects to the site I am hosting for them on my Dreamhost
> account. AFAIK, the email function resides on the dreamhost, and any
> emails sent would be my responsibility.
>

Which makes no difference. Hackers often look for sites like yours they
can use to spread their spam - because they are typically the least
secure due to attitudes like yours.

> Also, AIUI, the potential users of the site will only receive the HTML
> form on their local machine, and then the PHP script is accessed by
> means of POST. The user will receive an echo which either shows
> "Authentication Failed", or a formatted HTML page with the submitted
> information. The form itself also has a button which will allow the user
> to see the results of the EventProcessor script, which will have entered
> the information into a database and then produced updated web pages for
> past and current events or outings.
>

Not a problem for hackers - who use scripts to do all kinds of things.

>> An understanding of security concerns and care when programming
>> will do that much better than a verifier will.
>
> I understand a little more after reading
> http://www.damonkohler.com/2008/12/email-injection.html, and I think my
> code is secure against the attempts described there. If not, then I am
> missing something and I would appreciate an example that would prove it
> to be unsafe from attack.
>

As I said - your subject line is still open to hacking.

>>> Perhaps you could provide a link to the PHP code for a secure form
>>> mailing application?
>
>> Sorry, I write my own. I don't use much packaged software.
>
> Then it would be very helpful for casual users and beginners if you
> could provide at least some of the code you have created with a high
> level of security. But I also realize that perhaps that would reveal
> clues to a potential hacker. I would like to know more about
> vulnerabilities and safe coding practices, but at this point I just
> don't know how my site could be hacked unless someone gained access to
> authentication information, or was able to obtain the password for my
> website and upload malicious code or trash the files.
>

Others have tried to point you in the right direction, but you seem to
be uninterested in learning the necessary skills to create a secure website.

And it really isn't that hard for hackers to guess userids and passwords
- even easier if they can intercept your non-secure logins.

> Thanks,
>
> Paul
>


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: doctype not found?
Next Topic: Re: Weird stuff
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Fri Nov 22 16:25:25 GMT 2024

Total time taken to generate the page: 0.04965 seconds