Re: My contact form is not emailed to me [message #173619 is a reply to message #173579]
Wed, 20 April 2011 17:46
P E Schoen
Messages: 86 Registered: January 2011
"Jerry Stuckle" wrote in message news:iojo5j$jpo$1(at)dont-email(dot)me...
On 4/19/2011 12:33 AM, P E Schoen wrote:
>> I realize that, but the authorized names and emails are hard coded in
>> the PHP script which is invoked from the HTML form using POST
>> variables. Of course, a hacker could figure that out and use his own
>> form to try to access the script for mass emailing or whatever, but he
>> would not get past the authentication without somehow knowing the
>> names and addresses, and then also the password.
> Which isn't that hard if you aren't using secure socket layer (https:...).
The only way I understand this would be possible is by listening to
the data over the network and identifying the CGI variables with that
information. I suppose that is possible if someone was using a public
network to access the PHP script. But I doubt that a hacker would want to
put in that much effort. The content is being used for public announcements
anyway, so the data is not sensitive.
>> The headers are pretty much hard-coded as well, except for including
>> the name and email address of the user in the subject. Since they both
>> must pass strict authentication, additional malevolent headers cannot
>> be injected there. Everything else is formatted in the body of the
>> message, which is passed through the purifier.
> But the subject and from headers are NOT being properly authenticated
> in the code you posted earlier.
The subject and from headers are as follows:

$subject = "Form data from {$in['Full_Name']}";
// This has been validated from a hard-coded list
$sender = "paul@example.com";
$recipient = 'paul@example.com';
mail($recipient, $subject, $message, "From: $sender");
I see that I have used my email address for both the sender and recipient.
I'm not really sure why I did that, but IIRC I was having problems and I
thought it was because the email was actually sent from my server's email
function and the sender had to match. So the subject is actually used to
indicate who had used the entry form.
> That's where you need to study and learn. It isn't that hard,
> but it does take some studying.
Yes, if this were a major part of what I do, then I'd have to do that. But I
have found that the people who submit activity listings do not even try to
make use of this, so I will probably just have to maintain the website
manually. It may be helpful to me to use this system, but otherwise it has
become mostly a learning experience, and that just in a small way. Most of
my time is spent on electronic engineering, PIC code, and Windows
application programming. And also checking out newsgroups such as this for
interesting discussions.
> Sure, you can hire someone to check your code - but you'll be
> much better off reading and learning on your own so you can
> write secure code.
> Coding publicly available websites isn't that hard - but it does
> take care to ensure they are secure.
> There are way too many ways a hacker can get in for a verifier to
> try to hack your site. And hackers come up with new ways every
> day. It would be even harder to keep up with ways of hacking
> sites than it is for antivirus manufacturers to keep ahead of
> virus makers.
I can see that, but maybe there are some common attack modes that could be
attempted to see how vulnerable a site may be. Even if it required human
interaction, that would be a valuable service that I would be willing to pay
for. It's difficult for a beginner with limited time and motivation to learn
all the methods of attack and the usual ways to reduce vulnerability.
Perhaps you could provide a link to the PHP code for a secure form mailing
application?
Thanks,
Paul
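The thread above turns on two points: that the name and address must be checked against a hard-coded list before they go anywhere near a mail header, and that the subject and From: header in the posted snippet are not themselves authenticated. The following is an added example, not code from this thread or from either poster, of a form mailer written around those two points. The authorized list, the addresses, the password and the field names (Full_Name, Email, Password, Message) are constructed placeholders; the functions isHeaderSafe() and buildMessage() are names chosen for this example.

```php
<?php
// Added example (not the code posted in this thread): a form mailer in which
// every value that reaches a mail header is checked before use. Names,
// addresses and the password below are constructed placeholders.

// Authorized submitters: display name => email address (hypothetical list).
const AUTHORIZED = [
    'Paul Example' => 'paul@example.com',
    'Jane Sample'  => 'jane@example.com',
];

/**
 * True only when the value is a single header-safe line: no CR, LF or NUL,
 * the characters that let extra header lines (additional recipients, Bcc:)
 * be appended to a message, and a sane length.
 */
function isHeaderSafe(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) !== 1 && strlen($value) <= 200;
}

/**
 * Validates the submitted fields and returns the four mail() arguments as an
 * array, or null when anything fails. Nothing the user typed is placed in a
 * header directly: the subject is built from the allow-listed name, From: is
 * fixed, and the authenticated user's address appears only in Reply-To:.
 */
function buildMessage(array $in, array $authorized, string $passwordHash): ?array
{
    $name     = $in['Full_Name'] ?? '';
    $email    = $in['Email'] ?? '';
    $password = $in['Password'] ?? '';
    $body     = $in['Message'] ?? '';

    // 1. The name must match an authorized entry exactly. A key lookup means a
    //    value with trailing header lines is simply not found.
    if (!is_string($name) || !isset($authorized[$name])) {
        return null;
    }
    // 2. The supplied address must be the one on file for that name.
    $expected = $authorized[$name];
    if (!is_string($email) || !hash_equals($expected, strtolower(trim($email)))) {
        return null;
    }
    // 3. The password is compared against a hash, never stored in clear text.
    if (!is_string($password) || !password_verify($password, $passwordHash)) {
        return null;
    }
    // 4. Belt and braces: even allow-listed values are re-checked for
    //    header-breaking characters before being placed in a header.
    if (!isHeaderSafe($name) || !isHeaderSafe($expected)) {
        return null;
    }

    $subject   = 'Form data from ' . $name;   // allow-listed value only
    $sender    = 'forms@example.com';          // fixed, on the sending server's domain
    $recipient = 'paul@example.com';           // fixed, never taken from the form
    $headers   = "From: $sender\r\n"
               . "Reply-To: $expected\r\n"
               . "Content-Type: text/plain; charset=UTF-8";

    // The body is free text sent as plain text, so no HTML purifier is needed
    // here; a leading blank line is removed so it cannot end the header block.
    $message = ltrim((string) $body, "\r\n");

    return [$recipient, $subject, $message, $headers];
}

// ---- demonstration with constructed input (not a real submission) ----
// The hash would normally be generated once and stored; it is computed here
// so the example runs stand-alone.
$passwordHash = password_hash('constructed-demo-password', PASSWORD_DEFAULT);

$good = [
    'Full_Name' => 'Paul Example',
    'Email'     => 'paul@example.com',
    'Password'  => 'constructed-demo-password',
    'Message'   => 'Club meeting Tuesday at 7pm.',
];
$tampered = $good;
$tampered['Full_Name'] = "Paul Example\r\nX-Extra: line";   // no longer on the list

var_dump(buildMessage($good, AUTHORIZED, $passwordHash) !== null);      // bool(true)
var_dump(buildMessage($tampered, AUTHORIZED, $passwordHash) === null);  // bool(true)

// As a real handler, the same call would be made with $_POST and the result
// passed straight to mail():
// if (($args = buildMessage($_POST, AUTHORIZED, $passwordHash)) !== null) {
//     mail(...$args);
// }
```

The design choice worth noting is that the recipient and From: address are constants and the only user-influenced header value is the Reply-To:, which is taken from the allow-list rather than from the form, so the subject and From: header are covered by the same authentication step as the body.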