mail() security question


6 replies to this topic

#1 a1ias

a1ias
  • Members
  • Member
  • 17 posts

Posted 15 June 2006 - 04:28 PM

Hello

Having only recently begun learning PHP and mySQL (self teaching) I would consider myself to be a 'beginner' even though I have already written scripts for friends which they have found to be invaluable.

I'm a pretty quick learner and really enjoying working with PHP, I get a great deal of satisfaction from the end result of many hours of writing and troubleshooting.

It's also nice to find that a place like PHP Freaks exists; from what I've read so far, it's a great community atmosphere where helping each other is not a burden for anyone.

What I'm in the process of doing at the moment is going back over the scripts I've already written and improving them from a security point of view. The advice I am here for today is with regard to the mail() feature.

I have several mail() functions in my code that require me to assign an email address to the $to variable; something I do by simply including the email in the code of the page, e.g.

if (isset($_POST['send_email'])) {

    $to      = "name@emailaddress.com";
    $subject = $_POST['subject'];
    $body    = $_POST['message'];
    $headers = "From: " . $_POST['email'];

    // mail() takes four separate arguments; passing one comma-joined string
    // hands it a single (invalid) recipient and no subject, body or headers.
    mail($to, $subject, $body, $headers);

}


Now I can't help but worry that including the email address of the mail recipient in the code of the page is blatantly dangerous as far as attracting mail hijackers goes, so I'd appreciate any kind of security advice you could give me with regard to this.

At the moment, I am calling my whole mail() script as an actual function in a require_once() file, e.g. the above would look like....

main_file.php
require_once('funcs.php');

if (isset($_POST['send_email'])) {
    send_the_mail();
}


funcs.php
function send_the_mail() {

    $to      = "name@emailaddress.com";
    $subject = $_POST['subject'];
    $body    = $_POST['message'];
    $headers = "From: " . $_POST['email'];

    // Same fix as above: four separate arguments, not one string.
    mail($to, $subject, $body, $headers);

    return;
}

....but I'm guessing that this has little effect from a security point of view.

Anyway, over to the pros, and many thanks in advance for your help.

P.S. I have the facility of a mySQL db on my host.

#2 AV1611

AV1611
  • Members
  • Advanced Member
  • 997 posts

Posted 15 June 2006 - 04:41 PM

Well, the main way you keep secure is that your SMTP won't accept mail from the sending address except from the ip of the server... that's what I do... no relay that way... or did I miss your question?

QUOTE (a1ias @ Jun 15 2006, 12:28 PM): [post #1 above, quoted in full]


#3 poirot

poirot
  • Members
  • Advanced Member
  • 646 posts
  • Location: Austin, TX

Posted 15 June 2006 - 04:44 PM

Whatever PHP does, it's server-side.
If you don't output the recipient, there is no way the visitor can know it.
~ D Kuang

#4 nogray

nogray
  • Members
  • Advanced Member
  • 930 posts
  • Location: San Francisco, CA

Posted 15 June 2006 - 04:48 PM

If your script is live and the subject line and the to address are taken from the form directly, you'll need to clean them before using them in the mail function.

Spammers have robots that can fill forms automatically and send mass emails from your server by injecting the headers in your mail (using the subject and the to lines).

You can go to http://www.securephpwiki.com/index.php/Email_Injection?seenIEPage=1 for more details.

NoGray.com


#5 a1ias

a1ias
  • Members
  • Member
  • 17 posts

Posted 15 June 2006 - 05:36 PM

OK

The whole code for the kind of page would look like this:
<?php

if (isset($_POST['send'])) {

    $to      = "postmaster@server.com";
    $email   = $_POST['email'];   // was never assigned in the original, so is_valid_email() tested an undefined variable
    $subject = $_POST['subject'];
    $body    = $_POST['message'];
    $headers = "From: $email";

    function is_valid_email($email) {
        return preg_match('#^[a-z0-9.!\#$%&\'*+-/=?^_`{|}~]+@([0-9.]+|([^\s]+\.+[a-z]{2,6}))$#si', $email);
    }

    if (!is_valid_email($email)) {
        echo 'Invalid email submitted - mail not being sent.';
        exit;
    }

    if ($_SERVER['REQUEST_METHOD'] != "POST") {
        echo "Unauthorized attempt to access page.";
        exit;
    }

    // Abort if the value contains any header name an injection attempt would add.
    function contains_bad_str($str_to_test) {
        $bad_strings = array("content-type:", "mime-version:", "multipart/mixed", "content-transfer-encoding:", "bcc:", "cc:", "to:");
        foreach ($bad_strings as $bad_string) {
            // stripos() replaces the removed eregi(): a case-insensitive substring search is all that is needed
            if (stripos($str_to_test, $bad_string) !== false) {
                echo "$bad_string found. Suspected injection attempt - mail not being sent.";
                exit;
            }
        }
    }

    // Abort on raw or URL-encoded line breaks; a line break is what turns a field into an extra header.
    function contains_newlines($str_to_test) {
        if (preg_match('/(%0A|%0D|\n|\r)/i', $str_to_test)) {
            // escape before echoing so the rejected input cannot inject HTML into the error page
            echo "newline found in " . htmlspecialchars($str_to_test) . ". Suspected injection attempt - mail not being sent.";
            exit;
        }
    }

    contains_bad_str($email);
    contains_bad_str($subject);
    contains_bad_str($body);

    contains_newlines($email);
    contains_newlines($subject);

    mail($to, $subject, $body, $headers);

    echo "Thanks for your email";
    exit;
}
?>

<html>
<head>
**Head stuff in here**
</head>
<body>

<form method="POST" action="<?php echo $_SERVER['PHP_SELF']; ?>">

Your Email:<input type="text" name="email" />
Subject:<input type="text" name="subject" />
Message:<input type="text" name="message" />
<input type="submit" name="send" value="Send Email" />

</form>

</body>
</html>

And my question is basically, how safe is the email address postmaster@server.com in the above live webpage?
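As an added example (not code from the thread or from any of its posters), here is one way to put nogray's advice in #4 and the checks in the page above into a single hardened mail path: a fixed recipient, the sender address validated with PHP's built-in filter instead of a hand-written regex, a single line-break test covering raw and URL-encoded CR/LF, and the visitor's address placed in Reply-To rather than From. The function and constant names, the addresses and the size limit are assumptions for the illustration.

```php
<?php
// Added example, not from the thread. Names such as build_mail() and the
// addresses below are hypothetical placeholders.

const RECIPIENT   = 'postmaster@server.com'; // fixed recipient, never taken from the form
const FROM_ADDR   = 'webform@server.com';    // an address the local SMTP server will send for
const MAX_BODY    = 10000;                   // assumed sane upper bound on message size

// True if the value contains anything that could start a new header line:
// raw CR/LF or their URL-encoded forms.
function has_header_breaks(string $value): bool
{
    return preg_match('/\r|\n|%0a|%0d/i', $value) === 1;
}

// An address that passes FILTER_VALIDATE_EMAIL cannot contain line breaks or
// spaces, so this also rules out the "Bcc:" style additions on its own.
function valid_sender(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Returns the four arguments for mail(), or null when the input is unsafe.
// Building the arguments rather than calling mail() directly keeps the check
// usable without a mail server.
function build_mail(array $post): ?array
{
    $email   = trim($post['email']   ?? '');
    $subject = trim($post['subject'] ?? '');
    $message = $post['message'] ?? '';

    if (!valid_sender($email) || has_header_breaks($email) || has_header_breaks($subject)) {
        return null;
    }
    // The body may legitimately contain newlines (it is not a header), so only
    // its size is limited here.
    if (strlen($message) > MAX_BODY) {
        return null;
    }
    $headers = "From: " . FROM_ADDR . "\r\n"
             . "Reply-To: " . $email . "\r\n";
    return [RECIPIENT, $subject, $message, $headers];
}

// Constructed inputs: one clean submission and one carrying an extra header
// line in the email field, the pattern the thread is warning about.
$clean = ['email' => 'alice@example.com', 'subject' => 'hi', 'message' => 'hello there'];
$bad   = ['email' => "alice@example.com\r\nBcc: list@example.net", 'subject' => 'hi', 'message' => 'x'];

var_dump(build_mail($bad) === null);      // the injected line is rejected
$args = build_mail($clean);               // clean input yields [to, subject, body, headers]
var_dump($args !== null);
// mail(...$args);                        // only on a host with working sendmail
```

The point of returning an array is that the decision ("send or refuse") is separated from the side effect, so the same function can be exercised with constructed input before the form goes live. Keeping From fixed to a local address also matches AV1611's point in #2: the SMTP server only has to accept mail from one known sender.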

#6 poirot

poirot
  • Members
  • Advanced Member
  • 646 posts
  • Location: Austin, TX

Posted 15 June 2006 - 10:12 PM

QUOTE (a1ias @ Jun 15 2006, 10:36 AM): And my question is basically, how safe is the email address postmaster@server.com in the above live webpage?
If you mean safe from being discovered, 99% (1% being of hacking/exploiting possibilities).
Safe from being spammed (bots filling the forms) though, 0% safe.
~ D Kuang

#7 a1ias

a1ias
  • Members
  • Member
  • 17 posts

Posted 16 June 2006 - 05:57 AM

Thank you for that.

Thinking about increasing security against that then, I guess I could implement pulling the sender IP address and restricting that IP address from being able to send the form again within a specified time limit; or even write the IP to a session variable and restrict posting from the same IP twice in one session.
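An added example (not from the thread) of the per-IP cool-down described above, using a database table as the store since the poster has a MySQL database available. The table name form_hits, the five-minute window and the function names are assumptions; to run stand-alone the demo opens an in-memory SQLite database through PDO, where the real script would use the host's MySQL DSN.

```php
<?php
// Added example, not from the thread. form_hits, WINDOW_SECONDS and the
// function names are hypothetical.

const WINDOW_SECONDS = 300; // assumed policy: one submission per IP per five minutes

function open_db(): PDO
{
    // In-memory SQLite so the example runs anywhere; on the poster's host this
    // would be new PDO('mysql:host=...;dbname=...', $user, $pass).
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS form_hits (
                   ip        TEXT PRIMARY KEY,
                   last_sent INTEGER NOT NULL)');
    return $db;
}

// True if this IP may send now (and records the attempt); false while it is
// still inside the cool-down window. The IP goes through a prepared statement,
// so it never becomes part of the SQL text.
function allow_submission(PDO $db, string $ip, int $now): bool
{
    $q = $db->prepare('SELECT last_sent FROM form_hits WHERE ip = ?');
    $q->execute([$ip]);
    $last = $q->fetchColumn();
    if ($last !== false && $now - (int)$last < WINDOW_SECONDS) {
        return false;
    }
    // SQLite upsert; MySQL would use INSERT ... ON DUPLICATE KEY UPDATE.
    $u = $db->prepare('INSERT OR REPLACE INTO form_hits (ip, last_sent) VALUES (?, ?)');
    $u->execute([$ip, $now]);
    return true;
}

$db = open_db();
// Constructed client address from the documentation range when not running under a web server.
$ip = $_SERVER['REMOTE_ADDR'] ?? '203.0.113.5';
$t  = time();

var_dump(allow_submission($db, $ip, $t));        // first submission: allowed
var_dump(allow_submission($db, $ip, $t + 60));   // one minute later: still in the window
var_dump(allow_submission($db, $ip, $t + 400));  // after the window: allowed again
```

Two caveats worth keeping in mind when choosing between the two options in the post: a session-only limit is held together by a cookie the client can simply drop, so the server-side table is the stronger of the two; and REMOTE_ADDR is shared by everyone behind the same NAT or proxy, so a short window limits nuisance to legitimate users while bots that rotate addresses are only slowed, not stopped. The throttle complements the header checks in #4 and #5 rather than replacing them.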

