Denisvt
Determining if a PHP contact form is unsecure / vulnerable to injection

Following my Spam issue described here: https://www.experts-exchange.com/questions/21755334/PHP-security-issues-leading-to-Spam-mail-header-injection-Setting-Sendmail-restrictions.html
I am looking for a way to determine whether a PHP contact form is in fact vulnerable to header injection.
For example, I have just found the contact form below on a client domain, and I am almost positive it is poorly written and could be used by anybody to send Spam.
This loop to send unverified values does not look good to me. However, are my feelings right, and how could I justify suspending it and hopefully suggest to the client how to secure it?

(begin form)

<?php
$TO = "info@domain1.com,email2@domain2.net";

// The From: header is built from a fixed string, so this line itself is not injectable.
$h  = "From: " . $TO;

$message = "";

// Every posted field, whatever its name, is copied unchecked into the message body.
// (The original used the legacy each($HTTP_POST_VARS) loop, which no longer runs
// on current PHP; $_POST is the equivalent.)
foreach ($_POST as $key => $val) {
  $message .= "$key : $val\n";
}

// $subject is never assigned anywhere in this script; on a server with
// register_globals enabled it would be populated straight from the request.
mail($TO, $subject, $message, $h);

header("Location: http://www.theirsite.de/danke.html");

?>

(end form)

Thanks.
JB04

Yes, most likely it is, because no data validation is done: a user can enter anything into the subject, message or From: field, such as a MIME email or extra headers.


You need to at least be validating the user data. Check out the following PHP functions, which can help with getting rid of bad content:

www.php.net/htmlentities
www.php.net/strip_tags



You could also be searching the subject and from email for \r\n characters, as these separate headers.
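A hardened version of the posted form, added here as an example and not part of the thread: the field list is fixed rather than taken from whatever was posted, the values that end up in headers (subject, reply address) are rejected if they contain the \r\n characters mentioned above, and the address is syntax-checked. The field names, the length limit and the use of a Reply-To header are assumptions.

```php
<?php
// Added example, not the client's form. Assumes the form posts only the
// fields listed in $allowed and that danke.html is the thank-you page.

// True unless the value contains a character that could end a header line.
function is_header_safe(string $value): bool
{
    return preg_match('/[\r\n\x00]/', $value) !== 1;
}

// Keep only the expected fields, trimmed and length-limited; ignore the rest.
function collect_fields(array $post, array $allowed, int $maxLen = 2000): array
{
    $fields = [];
    foreach ($allowed as $name) {
        $val = (isset($post[$name]) && is_string($post[$name])) ? $post[$name] : '';
        $fields[$name] = substr(trim($val), 0, $maxLen);
    }
    return $fields;
}

$TO      = "info@domain1.com,email2@domain2.net";
$allowed = ['name', 'email', 'subject', 'message'];   // assumed field names

$f = collect_fields($_POST, $allowed);

// User data only reaches a header after the CRLF check and an address check.
if (!is_header_safe($f['subject']) || !is_header_safe($f['email'])
    || filter_var($f['email'], FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(400);
    exit('Invalid input.');
}

// From: stays a fixed address; the visitor's address goes in Reply-To only.
$headers = "From: " . $TO . "\r\n"
         . "Reply-To: " . $f['email'] . "\r\n";

$subject = "Contact form: " . $f['subject'];

$body = "";
foreach ($f as $key => $val) {
    $body .= "$key : $val\n";
}

mail($TO, $subject, $body, $headers);

header("Location: http://www.theirsite.de/danke.html");
exit;
```

Recipients are never taken from the request, so the script cannot be turned into an open relay even if a field is spoofed.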
ASKER CERTIFIED SOLUTION
davebytes

ASKER

Thanks for the comments. I have continued searching and have also realized that those low-life scammers probably use some sort of techniques or tools to locate vulnerable mail forms, so I wondered how I could be aware of those, so that we locate problem forms within our clients' sites before those people do?
I understand EE's spirit and am NOT asking for hacking methods; however, would there be a PHP scanner only able to run on the "localhost" server (our own, hence by an authorized admin and not onto a remote server) that we could periodically run so that we detect such security issues?
Thanks.
Not easily, no. Hackers might try particular injections on a form that they've had success with in the past.

The only other thing you can do is add anti-bot techniques to the form, such as captcha checks (image-based, text-based, whatever you need to force a human to answer a 'test question').

-d

ASKER

I guess the key is constant surveillance, which is not easy on a shared server where users can upload anything. At least we'll know what to look for now.
Thanks to both of you.