pocobueno1388 Posted March 2, 2007

Well, I have found out that someone is sending advertisement emails out to all the users on my site. I have a few scripts with the mail() function in them, but if that is the problem, how do I secure it? If it is not one of the scripts with the mail function, and it is possible to get the users' email information without that, what exactly do I do? I appreciate any help =D

Link to comment https://forums.phpfreaks.com/topic/40929-security-issue/
Orio Posted March 2, 2007

If you could show us the scripts it would be simpler... But it's most likely an email injection or something. (Google for info.)

Orio.
grlayouts Posted March 2, 2007

depending on the script one way would be,

```php
<?php
// Allow only the named admin account to run the mailing script
if ($user['username'] != 'yourusername') {
    print "Admin access only.";
    exit;
}
?>
```
pocobueno1388 Posted March 2, 2007 (Author)

The problem is I don't know which script out of the 100 or so I have, so I'm not sure which one to post. I just googled the issue and this is the code I came up with that you're supposed to run before using the mail script.

```php
<?php
$from = $_POST["sender"];
$from = urldecode($from);
// Reject a sender address that contains a line break (a header injection attempt)
if (preg_match("/[\r\n]/", $from)) {
    die("Why ?? ");
}
?>
```

BUT, like, you're only supposed to make the email one line without any breaks in it... I don't really want that. Here is part of a script of mine that uses the mail() function.

```php
<?php
// Look up the account by id; the id is cast to an integer before it goes into the query
$query = mysql_query("SELECT vcode,loginname,password,email FROM users WHERE id='" . (int) $uid . "'");
$row = mysql_fetch_array($query);
$vid = $row['vcode'];   // the column selected above is vcode
$user = $row['loginname'];
$pass = $row['password'];
$to = $row['email'];
$subject = "Registration Information";
$body = "Thanks for joining our sim.\nYour registration information is as follows:\n\nLogin name: $user\nPassword: $pass\n\nTo validate your account on Dragon Dynasty and be able to login, go to\n\nhttp://www.simstables.com/index.php?verificationcode=$vid\n\nSincerely,\n\nDragon Dynasty Staff";
$from_header = "From: [email protected]";
mail($to, $subject, $body, $from_header);
print "Your code has been re-sent, check your email.";
include "footer.php";
?>
```

Do you see a way to secure that?
grlayouts Posted March 2, 2007

```php
<?php
$query = mysql_query("SELECT vcode,loginname,password,email FROM users WHERE id='" . (int) $uid . "'");
$row = mysql_fetch_array($query);
// Only the named admin account may trigger the mail; $row holds the fetched record, not $query
if ($row['loginname'] != 'yourusername') {
    print "Admin access only.";
    exit;
} else {
    $vid = $row['vcode'];
    $user = $row['loginname'];
    $pass = $row['password'];
    $to = $row['email'];
    $subject = "Registration Information";
    $body = "Thanks for joining our sim.\nYour registration information is as follows:\n\nLogin name: $user\nPassword: $pass\n\nTo validate your account on Dragon Dynasty and be able to login, go to\n\nhttp://www.simstables.com/index.php?verificationcode=$vid\n\nSincerely,\n\nDragon Dynasty Staff";
    $from_header = "From: [email protected]";
    mail($to, $subject, $body, $from_header);
    print "Your code has been re-sent, check your email.";
    include "footer.php";
}
?>
```
pocobueno1388 Posted March 2, 2007 (Author)

grlayouts - That will seriously solve the problem with an email injection? Hmmm, doesn't seem like it would be able to stop them from obtaining the information.
Orio Posted March 2, 2007

Use this function on the fields whose values are sent. This way, nobody can inject:

```php
<?php
// Die if $text looks like it carries injected mail headers.
// The posted pattern had an unbalanced "(cc\|" group; it is read here as a "cc:" header check.
function is_injection($text)
{
    $text = strtolower($text);
    $pattern = '/(content\s*-\s*disposition)|(content\s*-\s*type)|(cc\s*:)'
             . '|(content\s*-\s*transfer\s*-\s*encoding)|(mime\s*-\s*version)'
             . '|(multipart\s*\/\s*mixed)|(multipart\s*\/\s*alternative)|(multipart\s*\/\s*related)'
             . '|(reply\s*-\s*to)|(x\s*-\s*mailer)|(x\s*-\s*sender)|(x\s*-\s*uidl)/i';
    if (preg_match($pattern, $text)) {
        die("Injection attempt!");
    }
}
?>
```

Once people used my feedback script to send spam to other people, but since I used this function, no spam at all.

Orio.
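As an added example (not Orio's code and not from the thread), here is a wrapper around mail() that closes the header-injection hole the thread is about. Function names (has_line_break, is_safe_address, build_mail) and the sample addresses are constructed for the example; the recipient is assumed to come from the database lookup, as in the script above, not from the request.

```php
<?php
// Added example, not code from this thread. A hardened wrapper around mail()
// that rejects header injection. Function names and sample inputs are constructed.

/**
 * True if $value could start a new header line: a CR, LF or NUL byte.
 * Every header an attacker adds needs a line break, so this is the check
 * that matters for any value that is placed into the headers.
 */
function has_line_break(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

/**
 * A single address is acceptable when it has no line break and passes
 * PHP's syntactic e-mail validation.
 */
function is_safe_address(string $address): bool
{
    return !has_line_break($address)
        && filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

/**
 * Return the argument list for mail(), or null if any header-bound value
 * (recipient, subject, From address) is unsafe. Returning the arguments
 * instead of calling mail() keeps this runnable without an MTA.
 * The body is not a header, so it may keep its line breaks.
 */
function build_mail(string $to, string $subject, string $body, string $from): ?array
{
    if (!is_safe_address($to) || !is_safe_address($from) || has_line_break($subject)) {
        return null;
    }
    // Normalise body line endings so a stray "\r" is not read as a terminator.
    $body = preg_replace('/\r\n|\r|\n/', "\n", $body);
    return [$to, $subject, $body, 'From: ' . $from];
}

// Constructed test cases: one legitimate message and three injection attempts.
$cases = [
    'legitimate'        => ['user@example.com', 'Registration Information', "Line one\nLine two", 'noreply@example.com'],
    'bcc in recipient'  => ["user@example.com\r\nBcc: someone@example.org", 'Hi', 'x', 'noreply@example.com'],
    'header in subject' => ['user@example.com', "Hi\nContent-Type: text/html", 'x', 'noreply@example.com'],
    'injected from'     => ['user@example.com', 'Hi', 'x', "noreply@example.com\nCc: someone@example.org"],
];

foreach ($cases as $label => $args) {
    $mail = build_mail(...$args);
    printf("%-18s %s\n", $label . ':', $mail === null ? 'rejected' : 'accepted');
}
// Only the legitimate message would reach mail():
//   if ($mail !== null) { mail(...$mail); }
```

The design point: a line-break check on every header-bound value is what actually closes the hole, because an injected header cannot exist without one. A keyword list like the one in the reply above is a second net, but it can trip on harmless input (a subject such as "How to: reset your password" contains "to:") and misses any header not on the list. The body is left free to contain newlines, which is the multi-line registration mail pocobueno1388 wants to keep.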
grlayouts Posted March 2, 2007

well it won't allow them access to sending the email unless the username matches the stated one (which you have to change).
pocobueno1388 Posted March 2, 2007 (Author)

Thank you so much Orio =D