| Re: My contact form is not emailed to me [message #173625 is a reply to message #173622] |
Wed, 20 April 2011 23:58   |
P E Schoen
Messages: 86
Registered: January 2011
Karma:
|
Member |
|
|
"Jerry Stuckle" wrote in message news:ionh8d$qbc$1(at)dont-email(dot)me...
> On 4/20/2011 1:46 PM, P E Schoen wrote:
>> The only way I understand would be possible to do this is by listening
>> to the data over the network and identifying the CGI variables with
>> that information.
> Which can be done a number of ways by a sniffer. You just have to
> be in the right place.
> For instance, it's not well publicized but in many residential locations
> with cable, everyone in an neighborhood is on the same cable - and
> can see each others traffic with the right software.
I have FIOS and a WiFi router, but I have no control over what potential
users may have. However, I still don't think anyone would be that much
interested in hacking this site. And I would assume that the only damage
could be the use of the emailer for spam, but that seems very unlikely, and
I don't think it even can be done using my script.
>> The subject and from headers are as follows:
>
>> $subject = "Form data from {$in['Full_Name']}";
>> //This has been validated from a hard-coded list
>> $sender = "paul(at)example(dot)com";
>> $recipient= 'paul(at)example(dot)com' ;
>> mail( $recipient, $subject, $message, "From: $sender" );
> But your subject can still be a source of injection.
I cannot see how that is possible. The authorization code at the front end
requires the $in['Full_Name'] to be one of the authorized names hard-coded
in an array. If it contains anything else, the script dies. So I can't see
how anyone could inject anything malevolent.
> There is no excuse for writing insecure code, especially when it's
> in the internet. How will your client feel if their ip gets blacklisted -
> and even worse, their host cancels their account? It does happen,
> and it's serious.
My "client" is just a small group of volunteers who may want to post notices
of events to be available from the group's website. I am only using the
Sierra Club National site to have a placeholder HTML page which redirects to
the site I am hosting for them on my Dreamhost account. AFAIK, the email
function resides on the dreamhost, and any emails sent would be my
responsibility.
Also, AIUI, the potential users of the site will only receive the HTML form
on their local machine, and then the PHP script is accessed by means of
POST. The user will receive an echo which either shows "Authentication
Failed", or a formatted HTML page with the submitted information. The form
itself also has a button which will allow the user to see the results of the
EventProcessor script, which will have entered the information into a
database and then produced updated web pages for past and current events or
outings.
> An understanding of security concerns and care when programming
> will do that much better than a verifier will.
I understand a little more after reading
http://www.damonkohler.com/2008/12/email-injection.html, and I think my code
is secure against the attempts described there. If not, then I am missing
something and I would appreciate an example that would prove it to be unsafe
from attack.
>> Perhaps you could provide a link to the PHP code for a secure form
>> mailing application?
> Sorry, I write my own. I don't use much packaged software.
Then it would be very helpful for casual users and beginners if you could
provide at least some of the code you have created with a high level of
security. But I also realize that perhaps that would reveal clues to a
potential hacker. I would like to know more about vulnerabilities and safe
coding practices, but at this point I just don't know how my site could be
hacked unless someone gained access to authentication information, or was
able to obtain the password for my website and upload malicious code or
trash the files.
Thanks,
Paul
|
|
|
|
Calendar
Search
Help
Members
Register
Login
Home
]