Re: My contact form is not emailed to me [message #173626 is a reply to message #173625] Thu, 21 April 2011 03:44
Jerry Stuckle (Senior Member, Messages: 2598, Registered: September 2010)
On 4/20/2011 7:58 PM, P E Schoen wrote:
> "Jerry Stuckle" wrote in message news:ionh8d$qbc$1(at)dont-email(dot)me...
>
>> On 4/20/2011 1:46 PM, P E Schoen wrote:
>
>>> The only way I understand would be possible to do this is by listening
>>> to the data over the network and identifying the CGI variables with
>>> that information.
>
>> Which can be done a number of ways by a sniffer. You just have to
>> be in the right place.
>
>> For instance, it's not well publicized but in many residential
>> locations with cable, everyone in a neighborhood is on the same cable -
>> and can see each other's traffic with the right software.
>
> I have FIOS and a WiFi router, but I have no control over what potential
> users may have. However, I still don't think anyone would be that much
> interested in hacking this site. And I would assume that the only damage
> could be the use of the emailer for spam, but that seems very unlikely,
> and I don't think it even can be done using my script.
>

Famous last words by people whose sites got hacked.

>>> The subject and from headers are as follows:
>>
>>> $subject = "Form data from {$in['Full_Name']}";
>>> //This has been validated from a hard-coded list
>>> $sender = "paul(at)example(dot)com";
>>> $recipient= 'paul(at)example(dot)com' ;
>>> mail( $recipient, $subject, $message, "From: $sender" );
>
>> But your subject can still be a source of injection.
>
> I cannot see how that is possible. The authorization code at the front
> end requires the $in['Full_Name'] to be one of the authorized names
> hard-coded in an array. If it contains anything else, the script dies.
> So I can't see how anyone could inject anything malevolent.
>

Subject does not require an "authorized name". It can easily be used for
injection.

>> There is no excuse for writing insecure code, especially when it's
>> on the internet. How will your client feel if their IP gets
>> blacklisted - and even worse, their host cancels their account? It
>> does happen, and it's serious.
>
> My "client" is just a small group of volunteers who may want to post
> notices of events to be available from the group's website. I am only
> using the Sierra Club National site to have a placeholder HTML page
> which redirects to the site I am hosting for them on my Dreamhost
> account. AFAIK, the email function resides on the dreamhost, and any
> emails sent would be my responsibility.
>

Which makes no difference. Hackers often look for sites like yours they
can use to spread their spam - because they are typically the least
secure due to attitudes like yours.

> Also, AIUI, the potential users of the site will only receive the HTML
> form on their local machine, and then the PHP script is accessed by
> means of POST. The user will receive an echo which either shows
> "Authentication Failed", or a formatted HTML page with the submitted
> information. The form itself also has a button which will allow the user
> to see the results of the EventProcessor script, which will have entered
> the information into a database and then produced updated web pages for
> past and current events or outings.
>

Not a problem for hackers - who use scripts to do all kinds of things.

>> An understanding of security concerns and care when programming
>> will do that much better than a verifier will.
>
> I understand a little more after reading
> http://www.damonkohler.com/2008/12/email-injection.html, and I think my
> code is secure against the attempts described there. If not, then I am
> missing something and I would appreciate an example that would prove it
> to be unsafe from attack.
>

As I said - your subject line is still open to hacking.

>>> Perhaps you could provide a link to the PHP code for a secure form
>>> mailing application?
>
>> Sorry, I write my own. I don't use much packaged software.
>
> Then it would be very helpful for casual users and beginners if you
> could provide at least some of the code you have created with a high
> level of security. But I also realize that perhaps that would reveal
> clues to a potential hacker. I would like to know more about
> vulnerabilities and safe coding practices, but at this point I just
> don't know how my site could be hacked unless someone gained access to
> authentication information, or was able to obtain the password for my
> website and upload malicious code or trash the files.
>

Others have tried to point you in the right direction, but you seem to
be uninterested in learning the necessary skills to create a secure website.

And it really isn't that hard for hackers to guess userids and passwords
- even easier if they can intercept your non-secure logins.

> Thanks,
>
> Paul
>


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
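Jerry's point that the Subject header is still a place where extra headers could be injected, as an added example rather than code from the thread: the quoted mail() call put behind two checks, a CR/LF refusal on any value bound for a mail header, and a strict whitelist check on Full_Name. The name list, the e-mail addresses and the sample submissions are constructed.

```php
<?php
// Constructed example, not code from the thread: the quoted mail() call
// behind two checks. Anything bound for a mail header is refused if it
// contains CR or LF, and Full_Name must match the hard-coded list exactly.
$authorizedNames = ['Paul Example', 'Jane Volunteer']; // stands in for the poster's list

function assertHeaderSafe(string $value, string $field): string
{
    // CR/LF separate headers; reject rather than strip so attempts are logged.
    if (preg_match('/[\r\n]/', $value) === 1) {
        throw new InvalidArgumentException("line break in $field rejected");
    }
    return $value;
}

function authorizeName(string $name, array $authorized): string
{
    // Strict comparison: loose in_array() allows type juggling.
    if (!in_array($name, $authorized, true)) {
        throw new RuntimeException('Authentication Failed');
    }
    return $name;
}

function buildMail(array $in, array $authorized): array
{
    $name      = (string)($in['Full_Name'] ?? '');
    $subject   = assertHeaderSafe("Form data from $name", 'Subject');
    authorizeName($name, $authorized);
    $sender    = 'paul@example.com';   // fixed, never taken from the form
    $recipient = 'paul@example.com';
    $message   = (string)($in['Message'] ?? '');
    return [$recipient, $subject, $message, "From: $sender"];
}

// Constructed submissions: valid, embedded line break, name not on the list.
$submissions = [
    ['Full_Name' => 'Paul Example', 'Message' => 'Outing on Saturday'],
    ['Full_Name' => "Paul Example\r\nX-Injected: yes", 'Message' => 'x'],
    ['Full_Name' => 'Nobody', 'Message' => 'x'],
];
foreach ($submissions as $in) {
    try {
        [$to, $subject, $body, $headers] = buildMail($in, $authorizedNames);
        // mail($to, $subject, $body, $headers);  // real send, left disabled
        echo "accepted: $subject\n";
    } catch (Exception $e) {
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
}
```

The header check runs on the final Subject value, so it also covers any other form field a later change might splice into a header; the whitelist check alone would stop working the moment such a field is added.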