Securing an Email script

5 Message(s) by 5 Author(s) originally posted in php programming

From: Bill H

Date: Saturday, October 27, 2007

I have changed our web site to use a simple PHP script to send a demo

/de'moh/ 1. A demonstration of a product, often of an early
	version or prototype.  A demo is a far more effective way of
	inducing bugs to manifest themselves than any number of {test}
	runs, especially when important people are watching.

	2. {demo version}.

	3. A program written to demonstrate the programmer's coding
	ability and/or the power of the computer it runs on.  Such
	demos are nearly always written in {machine code} and
	traditionally feature scrolling text about the author, his
	friends, his code and anything else he fancies and animated
	graphics.

	[{Jargon File}]

	(1994-11-04)

request
to our sales office. We use Postfix and everything is set up properly and
works fine. I have been informed there are some security issues to review.

The script looks like:

<html>
<head><title>PHP Mail Sender</title></head>
<body>
<?php

/* Pre-defined script variable

<programming> (Sometimes "var" /veir/ or /var/) A named memory
	location in which a program can store intermediate results and
	from which it can read it them.  Each {programming language}
	has different rules about how variables can be named, typed,
	and used.  Typically, a value is "assigned" to a variable in
	an {assignment} statement.  The value is obtained by
	evaluating an expression and then stored in the variable.  For
	example, the assignment

		x = y + 1

	means "add one to y and store the result in x".  This may look
	like a mathematical equation but the mathematical equality is
	only true in the program until the value of x or y changes.
	Furthermore, statements like

		x = x + 1

	are common.  This means "add one to x", which only makes sense
	as a state changing operation, not as a mathematical equality.

	The simplest form of variable corresponds to a single-{word}
	of {memory} or a {CPU} {register} and an assignment to a
	{load} or {store} {machine code} operation.

	A variable is usually defined to have a {type}, which never
	changes, and which defines the set of values the variable can
	hold.  A type may specify a single ("atomic") value or a
	collection ("aggregate") of values of the same or different
	types.  A common aggregate type is the {array} - a set of
	values, one of which can be selected by supplying a numerical
	{index}.

	Languages may be {untyped}, {weakly typed}, {strongly typed},
	or some combination.  {Object-oriented programming} languages
	extend this to {object} types or {classes}.

	A variable's {scope} is the region of the program source
	within which it represents a certain thing.  Scoping rules are
	also highly language dependent but most serious languages
	support both {local variables} and {global variables}.
	{Subroutine} and {function} {formal arguments} are special
	variables which are set automatically by the language runtime
	on entry to the subroutine.

	In a {functional programming} language, a variable's value
	never changes and change of state is handled as recursion over
	lists of values.

	(2004-11-16)

s. */
/* $eol = "\r\n"; */
$eol = "\n";
$mail

<messaging> 1. {electronic mail}.

	2. The {Berkeley Unix} program for composing and reading
	{electronic mail}.  It normally uses {sendmail} to handle
	delivery.

	{Unix manual page}: mail(1)

	(1997-12-03)

to = 'sales@xxxxxxxxxxx';
$mailfrom = 'webserver@xxxxxxxxxxx';
$subject

<programming> In {subject-oriented programming}, a subject is
	a collection of {classes} or class fragments whose {class
	hierarchy} models its domain in its own, subjective way.  A
	subject may be a complete application in itself, or it may be
	an incomplete fragment that must be composed with other
	subjects to produce a complete application.  Subject
	composition combines class hierarchies to produce new subjects
	that incorporate functionality from existing subjects.

	(1999-08-31)

= 'Company Demo Request';

/* Initialize a clean array

1. <programming> A collection of identically typed data items
	distinguished by their indices (or "subscripts").  The number
	of dimensions an array can have depends on the language but is
	usually unlimited.

	An array is a kind of {aggregate} data type.  A single
	ordinary variable (a "{scalar}") could be considered as a
	zero-dimensional array.  A one-dimensional array is also known
	as a "{vector}".

	A reference to an array element is written something like
	A[i,j,k] where A is the array name and i, j and k are the
	indices.  The {C} language is peculiar in that each index is
	written in separate brackets, e.g. A[i][j][k].  This expresses
	the fact that, in C, an N-dimensional array is actually a
	vector, each of whose elements is an N-1 dimensional array.

	Elements of an array are usually stored contiguously.
	Languages differ as to whether the leftmost or rightmost index
	varies most rapidly, i.e. whether each row is stored
	contiguously or each column (for a 2D array).

	Arrays are appropriate for storing data which must be accessed
	in an unpredictable order, in contrast to {lists} which are
	best when accessed sequentially.

	See also {associative array}.

	2. <architecture> A {processor array}, not to be confused with
	an {array processor}.

	(1995-01-25)

to replace $_POST with clean data

<data, data processing, jargon> /day't*/ (Or "raw data")
	Numbers, {characters}, {images}, or other method of recording,
	in a form which can be assessed by a human or (especially)
	input into a {computer}, stored and {processed} there, or
	transmitted on some {digital channel}.  Computers nearly
	always represent data in {binary}.

	Data on its own has no meaning, only when interpreted by some
	kind of {data processing system} does it take on meaning and
	become {information}.

	People or computers can find patterns in data to perceive
	information, and information can be used to enhance
	{knowledge}.  Since knowledge is prerequisite to wisdom, we
	always want more data and information.  But, as modern
	societies verge on {information overload}, we especially need
	better ways to find patterns.

	1234567.89 is data.

	"Your bank balance has jumped 8087% to $1234567.89" is
	information.

	"Nobody owes me that much money" is knowledge.

	"I'd better talk to the bank before I spend it, because of
	what has happened to other people" is wisdom.

	(1999-04-30)

*/
$name = $_POST['name'];
$title = $_POST['name'];
$company = $_POST['name'];
$email = $_POST['name'];
$phone = $_POST['name'];
$message

In {object-oriented programming} sending a message to an
	{object} (to invoke a {method}) is equivalent to calling a
	{procedure} in traditional programming languages, except that
	the actual code executed may only be selected at run time
	depending on the {class} of the object.  Thus, in response to
	the message "drawSelf", the method code invoked would be
	different if the target object were a circle or a square.

	(1995-02-16)

= $_POST['name'];

/* Build HTML

<hypertext, World-Wide Web, standard> (HTML) A {hypertext}
	document format used on the {World-Wide Web}.  HTML is built
	on top of {SGML}.  "Tags" are embedded in the text.  A tag
	consists of a "<", a "directive" (in lower case), zero or
	more parameters and a ">".  Matched pairs of directives, like
	"<title>" and "</title>" are used to delimit text which is to
	appear in a special place or style.

	Links to other documents are in the form

	 <a href="http://machine.edu/subdir/file.html">foo</a>

	where "<a>" and "</a>" delimit an "anchor", "href" introduces
	a hypertext reference, which is most often a {Uniform Resource
	Locator} (URL) (the string in double quotes in the example
	above).  The link will be represented in the browser by the
	text "foo" (typically shown underlined and in a different
	colour).

	A certain place within an HTML document can be marked with a
	named anchor, e.g.:

	 <a name="baz">

	The "fragment identifier", "baz", can be used in an href by
	appending "#baz" to the document name.

	Other common tags include <p> for a new paragraph, <b>..</b>
	for bold text, <ul> for an unnumbered list, <pre> for
	preformated text, <h1>, <h2> .. <h6> for headings.

	{HTML} supports some standard {SGML} {national characters} and
	other non-{ASCII} characters through special {escape
	sequences}, e.g. "&eacute;" for a lower case 'e' with an acute
	accent.  You can sometimes get away without the terminating
	semicolon but it's bad style.

	Most systems will ignore the case of tags and attributes but
	lower case should be used for compatibility with {XHTML}.

	The {World-Wide Web Consortium} (W3C) is the international
	{standards} body for HTML.

	Latest version: {XHTML} 1.0, as of 2000-09-10.

	{Home (http://www.w3.org/MarkUp/)}.

	{Character escape sequences
	(http://www.w3.org/hypertext/WWW/MarkUp/ISOlat1.html)}.

	See also {weblint}.

	(2006-01-19)

$salesmessage variable to pass to mail script */
$salesmessage = "<HTML><HEAD></HEAD><BODY>" . $eol;
$salesmessage .= "The following information comes from the company web
site<BR>".$eol;
$salesmessage .= "demonstration link.<BR><BR>".$eol;
$salesmessage .= "<TABLE cols='2'>".$eol;
$salesmessage .= "<TR><TD style='color:blue'>Company Name: </TD><TD>".
$company ."</TD></TR>".$eol;
$salesmessage .= "<TR><TD style='color:blue'>Contact Name: </TD><TD>".
$name ."</TD></TR>".$eol;
$salesmessage .= "<TR><TD style='color:blue'>Contact Title: </TD><TD>".
$title ."</TD></TR>".$eol;
$salesmessage .= "<TR><TD style='color:blue'>Contact Email: </TD><TD>".
$email ."</TD></TR>".$eol;
$salesmessage .= "<TR><TD style='color:blue'>Contact Phone: </TD><TD>".
$phone ."</TD></TR>".$eol;
$salesmessage .= "</TABLE><BR>" . $eol;
$salesmessage .= $message . $eol;
$salesmessage .= "</BODY></HTML>" . $eol;

/* To send HTML mail, the Content-type header

1. The portion of a {packet}, preceding the actual data,
	containing source and destination addresses, error checking
	and other fields.

	2. The part of an {electronic mail} message or {news} article
	that precedes the body of a message and contains, among other
	things, the sender's name and e-mail address and the date and
	time the message was sent.

must be set */
$headers = 'MIME-Version: 1.0' . $eol;
$headers .= 'Content-type: text/html; charset=iso-8859-1' . $eol;

/* Additional header information */
$headers .= 'To: Sales <' . $mailto . '>' . $eol;
$headers .= 'From: ' . 'AsiWeb <' . $mailfrom . '>' . $eol . $eol;

/* PHP form validation

The stage in the {software life-cycle} at the end of the
	development process where software is evaluated to ensure that
	it complies with the requirements.

	(1995-02-14)

: the script checks that the Email field

<data, database> An area of a {database} {record}, or
	{graphical user interface} {form}, into which a particular
	item of data is entered.

	Example usage: "The telephone number field is not really a
	numerical field", "Why do we need a four-digit field for the
	year?".

	A {database} {column} is the set of all instances of a given
	field from all records in a {table}.

	(1999-04-26)

contains a
valid email address
and the Subject field is not empty. preg_match performs a regular
expression

<programming> Any piece of program code in a {high-level
	language} which, when (if) its execution terminates, returns a
	value.  In most programming languages, expressions consist of
	constants, variables, operators, functions, and {parentheses}.
	The operators and functions may be built-in or user defined.
	Languages differ on how expressions of different {types} may
	be combined - with some combination of explicit {casts} and
	implicit {coercions}.

	The {syntax} of expressions generally follows conventional
	mathematical notation, though some languages such as {Lisp} or
	{Forth} have their own idiosyncratic syntax.

	(2001-05-14)

match. It's a
very powerful PHP function

1. <mathematics> (Or "map", "mapping") If D and C are sets
	(the domain and codomain) then a function f from D to C,
	normally written "f : D -> C" is a subset of D x C such that:

	1. For each d in D there exists some c in C such that (d,c) is
	an element of f.  I.e. the function is defined for every
	element of D.

	2. For each d in D, c1 and c2 in C, if both (d,c1) and (d,c2)
	are elements of f then c1 = c2.  I.e. the function is uniquely
	defined for every element of D.

	See also {image}, {inverse}, {partial function}.

	2. <programming> Computing usage derives from the mathematical
	term but is much less strict.  In programming (except in
	{functional programming}), a function may return different
	values each time it is called with the same argument values
	and may have {side effects}.

	A {procedure} is a function which returns no value but has
	only {side-effects}.  The {C} language, for example, has no
	procedures, only functions.  {ANSI C} even defines a {type},
	{void}, for the result of a function that has no result.

	(1996-09-01)

to validate form fields and other string

<programming> A sequence of {data} values, usually {bytes},
	which usually stand for {characters} (a "character string").
	The {mapping} between values and characters is determined by
	the {character set} which is itself specified implcitly or
	explicitly by the environment in which the string is being
	interpreted.

	The most common character set is {ASCII} but, since the late
	1990s, there has been increased interest in larger character
	sets such as {Unicode} where each character is represented by
	more than eight {bits}.

	Most programming languages consider strings (e.g.
	"124:shabooya:\n", "hello world") basically distinct from
	numbers which are typically stored in fixed-length {binary} or
	{floating-point} representation.

	A {bit string} is a sequence of {bits}.

	(1999-12-21)

s -
see PHP manual for
details. */
if ($email == "") {
echo

1. A {topic group} on {FidoNet}'s {echomail} system.

	Compare {newsgroup}.

	2. A {Unix} command that just prints its arguments.

	[{Jargon File}]

"<script>alert('Invalid or missing email address')</script>";
echo "<script>history.back(1)</script>";
} elseif ($name == "") {
echo "<script>alert('Invalid or missing name')</script>";
echo "<script>history.back(1)</script>";
} elseif ($company == "") {
echo "<script>alert('Invalid or missing company')</script>";
echo "<script>history.back(1)</script>";

/* Sends the mail and outputs the "Thank you" string if the mail is
successfully sent, or the
error

1. A discrepancy between a computed, observed, or measured
	value or condition and the true, specified, or theoretically
	correct value or condition.

	2. <programming> A mental mistake made by a programmer that
	may result in a program {fault}.

	3. (verb) What a program does when it stops as result of a
	programming error.

	(2000-03-28)

string otherwise. */
} elseif (mail($mailto, $subject, $salesmessage, $headers)) {
echo "<script>";
echo "self.location='../demo_response.html';";
echo "</script>";
} else {
echo "<script>alert('Cannot send email to $mailto')</script>";
echo "<script>history.back(1)</script>";
}
?>
</body>
</html>

The main issue I'm wondering about is if I control the to and from address
and header information for the mail, as I do above, is it possible to inject
something else into the email to hijack the mail server?

Thanks,

Bill

From: Sanders Kaufman

Date: Saturday, October 27, 2007

wrote in message

I've changed our web site to use a simple PHP script to send a demo
request to our sales office. We use Postfix and everything is set up
properly and works fine. I have been informed there are some security
issues to review.

Since you do ZERO

1. <character> 0, {ASCI} character 48.  Numeric zero, as
	opposed to the letter "O" (the 15th letter of the English
	alphabet).  In their unmodified forms they look a lot alike,
	and various {kluges} invented to make them visually distinct
	have compounded the confusion.

	If your zero is centre-dotted and letter-O is not, or if
	letter-O looks almost rectangular but zero looks more like an
	American football stood on end (or the reverse), you're
	probably looking at a modern character display (though the
	dotted zero seems to have originated as an option on {IBM
	3270} controllers).  If your zero is slashed but letter-O is
	not, you're probably looking at an old-style {ASCII} graphic
	set descended from the default typewheel on the venerable
	{ASR-33} {Teletype} (Scandinavians, for whom slashed-O is a
	letter, curse this arrangement).

	If letter-O has a slash across it and the zero does not, your
	display is tuned for a very old convention used at {IBM} and a
	few other early mainframe makers (Scandinavians curse *this*
	arrangement even more, because it means two of their letters
	collide).  Some {Burroughs}/{Unisys} equipment displays a zero
	with a *reversed* slash.  And yet another convention common on
	early {line printers} left zero unornamented but added a tail
	or hook to the letter-O so that it resembled an inverted Q or
	cursive capital letter-O.

	[{Jargon File}]

	(1995-01-24)

	2. To set to zero.  Usually said of small pieces of data, such
	as bits or words (especially in the construction "zero out").

	3. To erase; to discard all data from.  Said of disks and
	directories, where "zeroing" need not involve actually writing
	zeroes throughout the area being zeroed.  One may speak of
	something being "logically zeroed" rather than being
	"physically zeroed".

	See {scribble}.

	(1999-02-07)

checking on the values it's nothing BUT security issues.
You should never pass user-submitted data to mail or data bases without
validating it.

The script looks like:
<html>
<head><title>PHP Mail Sender</title></head>
<body>
<?php
/* Pre-defined script variables. */
/* $eol = "\r\n"; */
$eol = "\n";
$mailto = 'sales@xxxxxxxxxxx';
$mailfrom = 'webserver@xxxxxxxxxxx';
$subject = 'Company Demo Request';
/* Initialize a clean array to replace $_POST with clean data */
$name = $_POST['name'];
$title = $_POST['name'];
$company = $_POST['name'];
$email = $_POST['name'];
$phone = $_POST['name'];
$message = $_POST['name'];
/* Build HTML $salesmessage variable to pass to mail script */
$salesmessage = "<HTML><HEAD></HEAD><BODY>" . $eol;
$salesmessage .= "The following information comes from the company web
site<BR>".$eol;
$salesmessage .= "demonstration link.<BR><BR>".$eol;
$salesmessage .= "<TABLE cols='2'>".$eol;
$salesmessage .= "<TR><TD style='color:blue'>Company Name:
</TD><TD>". $company ."</TD></TR>".$eol;
$salesmessage .= "<TR><TD style='color:blue'>Contact Name:
</TD><TD>". $name ."</TD></TR>".$eol;
$salesmessage .= "<TR><TD style='color:blue'>Contact Title:
</TD><TD>". $title ."</TD></TR>".$eol;
$salesmessage .= "<TR><TD style='color:blue'>Contact Email:
</TD><TD>". $email ."</TD></TR>".$eol;
$salesmessage .= "<TR><TD style='color:blue'>Contact Phone:
</TD><TD>". $phone ."</TD></TR>".$eol;
$salesmessage .= "</TABLE><BR>" . $eol;
$salesmessage .= $message . $eol;
$salesmessage .= "</BODY></HTML>" . $eol;
/* To send HTML mail, the Content-type header must be set */
$headers = 'MIME-Version: 1.0' . $eol;
$headers .= 'Content-type: text/html; charset=iso-8859-1' . $eol;
/* Additional header information */
$headers .= 'To: Sales <' . $mailto . '>' . $eol;
$headers .= 'From: ' . 'AsiWeb <' . $mailfrom . '>' . $eol . $eol;
/* PHP form validation: the script checks that the Email field contains a
valid email address
and the Subject field is not empty. preg_match performs a regular
expression match. It's a
very powerful PHP function to validate form fields and other strings -
see PHP manual for
details. */
if ($email == "") {
echo "<script>alert('Invalid or missing email address')</script>";
echo "<script>history.back(1)</script>";
} elseif ($name == "") {
echo "<script>alert('Invalid or missing name')</script>";
echo "<script>history.back(1)</script>";
} elseif ($company == "") {
echo "<script>alert('Invalid or missing company')</script>";
echo "<script>history.back(1)</script>";
/* Sends the mail and outputs the "Thank you" string if the mail is
successfully sent, or the
error string otherwise. */
} elseif (mail($mailto, $subject, $salesmessage, $headers)) {
echo "<script>";
echo "self.location='../demo_response.html';";
echo "</script>";
} else {
echo "<script>alert('Cannot send email to $mailto')</script>";
echo "<script>history.back(1)</script>";
}
?>
</body>
</html>
The main issue I'm wondering about is if I control the to and from address
and header information for the mail, as I do above, is it possible to
inject something else into the email to hijack the mail server?
Thanks,
Bill

From: Michael Fesser

Date: Saturday, October 27, 2007

.oO(Sanders Kaufman)

I have changed our web site to use a simple PHP script to send a demo
request to our sales office. We use Postfix and everything is set up
properly and works fine. I have been informed there are some security
issues to review.
Since you do ZERO checking on the values it's nothing BUT security issues.

The user-submitted values are used only in the mail body. All the
headers are hard-wired

1. <electronics> An aspect of an electronic circuit which is
	determined by the wiring of the hardware, as opposed to being
	programmable in software or controlled by a switch.

	2. <software, jargon> In software, a synonym for {hard-coded}.

	3. By extension, anything that is not modifiable, especially
	in the sense of customisable to one's particular needs or
	tastes.

	[{Jargon File}]

	(1999-10-18)

in the script, so there's no way to inject some
more.

You should never pass user-submitted data to mail or data bases without
validating it.

Correct. And indeed the script has a lot of problems, but these aren't
related to PHP - it's all the JS stuff:

* The JS code

<software> Instructions for a computer in some programming
	language, often {machine language}.  The word "code" is often
	used to distinguish instructions from {data} (e.g. "The code
	is marked 'read-only'") whereas "{software}" is used in
	contrast with "{hardware}" and may consist of more than just
	code.

	(2000-04-08)

itself is invalid HTML.

* Proper redirects have to be done server-side

<World-Wide Web> Processing or content generation that is done
	on the {web server} or other server, as opposed to on the
	{client} computer where the {web browser} is running.

	An example is {server-side include} where one file is inserted
	in another before it is served, rather than, say, having the
	browser request the files separately and combine them using an
	{iframe}.  A very common kind of server-side processing is the
	inclusion of data from a {database} in a web page.

	There are many software environments and technologies designed
	for server-side processing, e.g. {CGI}, {ISAPI}, {WebObjects}
	and {ASP}.

	The greatest advantage of server-side processing is that it is
	independent of the many different client software environments
	that exist on the {Internet}, chiefly different {web browsers}
	and {operating systems}.  The disadvantage is that the user
	must wait for a response from the server which is a much
	slower form of interaction than is possible with client-side
	processing using, e.g., {JavaScript}.

	(2003-12-29)

, in case of PHP with a
header() call to send the appropriate HTTP

<protocol> (HTTP) The {client-server} {TCP/IP} {protocol} used
	on the {World-Wide Web} for the exchange of {HTML} documents.
	It conventionally uses {port} 80.

	Current version: HTTP 1.1, defined in {RFC 2068}, as of May
	1997.

	See also {Uniform Resource Locator}.

	(1994-10-27)

status code and headers.

* Relying on JS-validation only is stupid and often dangerous. In this
case it's (luckily) not a security issue, but might still lead to empty
emails. Valid

A {dataflow} language.

	["A List-Processing-Oriented Data Flow Machine Architecture",
	Makoto Amamiya et al, AFIPS NCC, June 1982, pp. 143-151].

	(1995-02-14)

ation _must always_ be done on the server, JS can always
only be an addition.

* A proper form handler should redisplay the same form in case of an
error instead of relying on ugly and unreliable client-side behaviours.

So I'd start with removing (or at least commenting-out) all the JS
thingies and thinking about server-side error handling.

Micha

From: Jerry Stuckle

Date: Saturday, October 27, 2007

wrote in message:

I've changed our web site to use a simple PHP script to send a demo request
to our sales office. We use Postfix and everything is set up properly and
works fine. I have been informed there are some security issues to review.
The script looks like:
<html>
<head><title>PHP Mail Sender</title></head>
<body>
<?php
/* Pre-defined script variables. */
/* $eol = "\r\n"; */
$eol = "\n";
$mailto = 'sales@xxxxxxxxxxx';
$mailfrom = 'webserver@xxxxxxxxxxx';
$subject = 'Company Demo Request';
/* Initialize a clean array to replace $_POST with clean data */
$name = $_POST['name'];
$title = $_POST['name'];
$company = $_POST['name'];
$email = $_POST['name'];
$phone = $_POST['name'];
$message = $_POST['name'];
/* Build HTML $salesmessage variable to pass to mail script */
$salesmessage = "<HTML><HEAD></HEAD><BODY>" . $eol;
$salesmessage .= "The following information comes from the company web
site<BR>".$eol;
$salesmessage .= "demonstration link.<BR><BR>".$eol;
$salesmessage .= "<TABLE cols='2'>".$eol;
$salesmessage .= "<TR><TD style='color:blue'>Company Name: </TD><TD>".
$company ."</TD></TR>".$eol;
$salesmessage .= "<TR><TD style='color:blue'>Contact Name: </TD><TD>".
$name ."</TD></TR>".$eol;
$salesmessage .= "<TR><TD style='color:blue'>Contact Title: </TD><TD>".
$title ."</TD></TR>".$eol;
$salesmessage .= "<TR><TD style='color:blue'>Contact Email: </TD><TD>".
$email ."</TD></TR>".$eol;
$salesmessage .= "<TR><TD style='color:blue'>Contact Phone: </TD><TD>".
$phone ."</TD></TR>".$eol;
$salesmessage .= "</TABLE><BR>" . $eol;
$salesmessage .= $message . $eol;
$salesmessage .= "</BODY></HTML>" . $eol;
/* To send HTML mail, the Content-type header must be set */
$headers = 'MIME-Version: 1.0' . $eol;
$headers .= 'Content-type: text/html; charset=iso-8859-1' . $eol;
/* Additional header information */
$headers .= 'To: Sales <' . $mailto . '>' . $eol;
$headers .= 'From: ' . 'AsiWeb <' . $mailfrom . '>' . $eol . $eol;
/* PHP form validation: the script checks that the Email field contains a
valid email address
and the Subject field is not empty. preg_match performs a regular
expression match. It's a
very powerful PHP function to validate form fields and other strings -
see PHP manual for
details. */
if ($email == "") {
echo "<script>alert('Invalid or missing email address')</script>";
echo "<script>history.back(1)</script>";
} elseif ($name == "") {
echo "<script>alert('Invalid or missing name')</script>";
echo "<script>history.back(1)</script>";
} elseif ($company == "") {
echo "<script>alert('Invalid or missing company')</script>";
echo "<script>history.back(1)</script>";
/* Sends the mail and outputs the "Thank you" string if the mail is
successfully sent, or the
error string otherwise. */
} elseif (mail($mailto, $subject, $salesmessage, $headers)) {
echo "<script>";
echo "self.location='../demo_response.html';";
echo "</script>";
} else {
echo "<script>alert('Cannot send email to $mailto')</script>";
echo "<script>history.back(1)</script>";
}
?>
</body>
</html>
The main issue I'm wondering about is if I control the to and from address
and header information for the mail, as I do above, is it possible to inject
something else into the email to hijack the mail server?
Thanks,
Bill

Well, you're placing anything in the header which comes from the user
(i.e. from address, subject, etc.), so in that respect your script is safe.

However, just to be safe, you should verify the data input by the user.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@xxxxxxxxxxx
==================

From: shimmyshack

Date: Saturday, October 27, 2007

wrote in message:
wrote in message

> I have changed our web site to use a simple PHP script to send a demo
> request to our sales office. We use Postfix and everything is set up
> properly and works fine. I have been informed there are some security
> issues to review.
Since you do ZERO checking on the values it's nothing BUT security issues.
You should never pass user-submitted data to mail or data bases without
validating it.
> The script looks like:
> <html>
> <head><title>PHP Mail Sender</title></head>
> <body>
> <?php
> /* Pre-defined script variables. */
> /* $eol = "\r\n"; */
> $eol = "\n";
> $mailto = 'sa...@xxxxxxxxxxx';
> $mailfrom = 'webser...@xxxxxxxxxxx';
> $subject = 'Company Demo Request';
> /* Initialize a clean array to replace $_POST with clean data */
> $name = $_POST['name'];
> $title = $_POST['name'];
> $company = $_POST['name'];
> $email = $_POST['name'];
> $phone = $_POST['name'];
> $message = $_POST['name'];
> /* Build HTML $salesmessage variable to pass to mail script */
> $salesmessage = "<HTML><HEAD></HEAD><BODY>" . $eol;
> $salesmessage .= "The following information comes from the company web
> site<BR>".$eol;
> $salesmessage .= "demonstration link.<BR><BR>".$eol;
> $salesmessage .= "<TABLE cols='2'>".$eol;
> $salesmessage .= "<TR><TD style='color:blue'>Company Name:
> </TD><TD>". $company ."</TD></TR>".$eol;
> $salesmessage .= "<TR><TD style='color:blue'>Contact Name:
> </TD><TD>". $name ."</TD></TR>".$eol;
> $salesmessage .= "<TR><TD style='color:blue'>Contact Title:
> </TD><TD>". $title ."</TD></TR>".$eol;
> $salesmessage .= "<TR><TD style='color:blue'>Contact Email:
> </TD><TD>". $email ."</TD></TR>".$eol;
> $salesmessage .= "<TR><TD style='color:blue'>Contact Phone:
> </TD><TD>". $phone ."</TD></TR>".$eol;
> $salesmessage .= "</TABLE><BR>" . $eol;
> $salesmessage .= $message . $eol;
> $salesmessage .= "</BODY></HTML>" . $eol;
> /* To send HTML mail, the Content-type header must be set */
> $headers = 'MIME-Version: 1.0' . $eol;
> $headers .= 'Content-type: text/html; charset=iso-8859-1' . $eol;
> /* Additional header information */
> $headers .= 'To: Sales <' . $mailto . '>' . $eol;
> $headers .= 'From: ' . 'AsiWeb <' . $mailfrom . '>' . $eol . $eol;
> /* PHP form validation: the script checks that the Email field contains a
> valid email address
> and the Subject field is not empty. preg_match performs a regular
> expression match. It's a
> very powerful PHP function to validate form fields and other strings -
> see PHP manual for
> details. */
> if ($email == "") {
> echo "<script>alert('Invalid or missing email address')</script>";
> echo "<script>history.back(1)</script>";
> } elseif ($name == "") {
> echo "<script>alert('Invalid or missing name')</script>";
> echo "<script>history.back(1)</script>";
> } elseif ($company == "") {
> echo "<script>alert('Invalid or missing company')</script>";
> echo "<script>history.back(1)</script>";
> /* Sends the mail and outputs the "Thank you" string if the mail is
> successfully sent, or the
> error string otherwise. */
> } elseif (mail($mailto, $subject, $salesmessage, $headers)) {
> echo "<script>";
> echo "self.location='../demo_response.html';";
> echo "</script>";
> } else {
> echo "<script>alert('Cannot send email to $mailto')</script>";
> echo "<script>history.back(1)</script>";
> }
> ?>
> </body>
> </html>
> The main issue I'm wondering about is if I control the to and from address
> and header information for the mail, as I do above, is it possible to
> inject something else into the email to hijack the mail server?
> Thanks,
> Bill

wrote in message:
wrote in message

> I have changed our web site to use a simple PHP script to send a demo
> request to our sales office. We use Postfix and everything is set up
> properly and works fine. I have been informed there are some security
> issues to review.
Since you do ZERO checking on the values it's nothing BUT security issues.
You should never pass user-submitted data to mail or data bases without
validating it.
> The script looks like:
> <html>
> <head><title>PHP Mail Sender</title></head>
> <body>
> <?php
> /* Pre-defined script variables. */
> /* $eol = "\r\n"; */
> $eol = "\n";
> $mailto = 'sa...@xxxxxxxxxxx';
> $mailfrom = 'webser...@xxxxxxxxxxx';
> $subject = 'Company Demo Request';
> /* Initialize a clean array to replace $_POST with clean data */
> $name = $_POST['name'];
> $title = $_POST['name'];
> $company = $_POST['name'];
> $email = $_POST['name'];
> $phone = $_POST['name'];
> $message = $_POST['name'];
> /* Build HTML $salesmessage variable to pass to mail script */
> $salesmessage = "<HTML><HEAD></HEAD><BODY>" . $eol;
> $salesmessage .= "The following information comes from the company web
> site<BR>".$eol;
> $salesmessage .= "demonstration link.<BR><BR>".$eol;
> $salesmessage .= "<TABLE cols='2'>".$eol;
> $salesmessage .= "<TR><TD style='color:blue'>Company Name:
> </TD><TD>". $company ."</TD></TR>".$eol;
> $salesmessage .= "<TR><TD style='color:blue'>Contact Name:
> </TD><TD>". $name ."</TD></TR>".$eol;
> $salesmessage .= "<TR><TD style='color:blue'>Contact Title:
> </TD><TD>". $title ."</TD></TR>".$eol;
> $salesmessage .= "<TR><TD style='color:blue'>Contact Email:
> </TD><TD>". $email ."</TD></TR>".$eol;
> $salesmessage .= "<TR><TD style='color:blue'>Contact Phone:
> </TD><TD>". $phone ."</TD></TR>".$eol;
> $salesmessage .= "</TABLE><BR>" . $eol;
> $salesmessage .= $message . $eol;
> $salesmessage .= "</BODY></HTML>" . $eol;
> /* To send HTML mail, the Content-type header must be set */
> $headers = 'MIME-Version: 1.0' . $eol;
> $headers .= 'Content-type: text/html; charset=iso-8859-1' . $eol;
> /* Additional header information */
> $headers .= 'To: Sales <' . $mailto . '>' . $eol;
> $headers .= 'From: ' . 'AsiWeb <' . $mailfrom . '>' . $eol . $eol;
> /* PHP form validation: the script checks that the Email field contains a
> valid email address
> and the Subject field is not empty. preg_match performs a regular
> expression match. It's a
> very powerful PHP function to validate form fields and other strings -
> see PHP manual for
> details. */
> if ($email == "") {
> echo "<script>alert('Invalid or missing email address')</script>";
> echo "<script>history.back(1)</script>";
> } elseif ($name == "") {
> echo "<script>alert('Invalid or missing name')</script>";
> echo "<script>history.back(1)</script>";
> } elseif ($company == "") {
> echo "<script>alert('Invalid or missing company')</script>";
> echo "<script>history.back(1)</script>";
> /* Sends the mail and outputs the "Thank you" string if the mail is
> successfully sent, or the
> error string otherwise. */
> } elseif (mail($mailto, $subject, $salesmessage, $headers)) {
> echo "<script>";
> echo "self.location='../demo_response.html';";
> echo "</script>";
> } else {
> echo "<script>alert('Cannot send email to $mailto')</script>";
> echo "<script>history.back(1)</script>";
> }
> ?>
> </body>
> </html>
> The main issue I'm wondering about is if I control the to and from address
> and header information for the mail, as I do above, is it possible to
> inject something else into the email to hijack the mail server?
> Thanks,
> Bill

wrote in message:

I've changed our web site to use a simple PHP script to send a demo request
to our sales office. We use Postfix and everything is set up properly and
works fine. I have been informed there are some security issues to review.
The script looks like:
<html>
<head><title>PHP Mail Sender</title></head>
<body>
<?php
/* Pre-defined script variables. */
/* $eol = "\r\n"; */
$eol = "\n";
$mailto = 'sa...@xxxxxxxxxxx';
$mailfrom = 'webser...@xxxxxxxxxxx';
$subject = 'Company Demo Request';
/* Initialize a clean array to replace $_POST with clean data */
$name = $_POST['name'];
$title = $_POST['name'];
$company = $_POST['name'];
$email = $_POST['name'];
$phone = $_POST['name'];
$message = $_POST['name'];
/* Build HTML $salesmessage variable to pass to mail script */
$salesmessage = "<HTML><HEAD></HEAD><BODY>" . $eol;
$salesmessage .= "The following information comes from the company web
site<BR>".$eol;
$salesmessage .= "demonstration link.<BR><BR>".$eol;
$salesmessage .= "<TABLE cols='2'>".$eol;
$salesmessage .= "<TR><TD style='color:blue'>Company Name: </TD><TD>".
$company ."</TD></TR>".$eol;
$salesmessage .= "<TR><TD style='color:blue'>Contact Name: </TD><TD>".
$name ."</TD></TR>".$eol;
$salesmessage .= "<TR><TD style='color:blue'>Contact Title: </TD><TD>".
$title ."</TD></TR>".$eol;
$salesmessage .= "<TR><TD style='color:blue'>Contact Email: </TD><TD>".
$email ."</TD></TR>".$eol;
$salesmessage .= "<TR><TD style='color:blue'>Contact Phone: </TD><TD>".
$phone ."</TD></TR>".$eol;
$salesmessage .= "</TABLE><BR>" . $eol;
$salesmessage .= $message . $eol;
$salesmessage .= "</BODY></HTML>" . $eol;
/* To send HTML mail, the Content-type header must be set */
$headers = 'MIME-Version: 1.0' . $eol;
$headers .= 'Content-type: text/html; charset=iso-8859-1' . $eol;
/* Additional header information */
$headers .= 'To: Sales <' . $mailto . '>' . $eol;
$headers .= 'From: ' . 'AsiWeb <' . $mailfrom . '>' . $eol . $eol;
/* PHP form validation: the script checks that the Email field contains a
valid email address
and the Subject field is not empty. preg_match performs a regular
expression match. It's a
very powerful PHP function to validate form fields and other strings -
see PHP manual for
details. */
if ($email == "") {
echo "<script>alert('Invalid or missing email address')</script>";
echo "<script>history.back(1)</script>";
} elseif ($name == "") {
echo "<script>alert('Invalid or missing name')</script>";
echo "<script>history.back(1)</script>";
} elseif ($company == "") {
echo "<script>alert('Invalid or missing company')</script>";
echo "<script>history.back(1)</script>";
/* Sends the mail and outputs the "Thank you" string if the mail is
successfully sent, or the
error string otherwise. */
} elseif (mail($mailto, $subject, $salesmessage, $headers)) {
echo "<script>";
echo "self.location='../demo_response.html';";
echo "</script>";
} else {
echo "<script>alert('Cannot send email to $mailto')</script>";
echo "<script>history.back(1)</script>";
}
?>
</body>
</html>
The main issue I'm wondering about is if I control the to and from address
and header information for the mail, as I do above, is it possible to inject
something else into the email to hijack the mail server?
Thanks,
Bill

even a 10second glance reveals a few issues
cross site scripting.
header injection may be possible
use of \n\n rather than \r\n

im not sure where your "powerful validate occurs" but its not in this
script as you make no attempt to use regular expressions.

Oh and in case youre wondering - why'd I perform regular
expression validation on a mailto address I control - this is a demo
right, how will you ask the user to put in a valid email address, or
any other data. You'll of course have to use some kind of
validation.

My recommendation is to use a prewritten class to send emails - check
out Zend, or some other framework for some (more) secure scripts,
rolling your own should only be done when you think you can improve on
the work of others with years of experience - often learned the hard
way! The last thing you want is to have your email server blacklisted.

if you use a secure class you script will look something like

$email->setTo( $mailto );
$email->setFrom( $mailto );
$email->setMsg( $mailto );
if( !$email->send() )
{
echo 'it wasnt sent';
}
else
{
echo 'it was';
}

the prevention of injection occurs elsewhere, but don't repeat your
mistake of echoing back to the screen what the user has input unless
you use htmlentities or some other filtering on the input.

Or else a user can use this to take control of your webpages, this is
the XSS I was talking about. This is pretty much rule number 1 of
server side coding with forms, since you go on to send emails, I think
perhaps you should check out WASC webpages to see the complexity of
decent secure dynamic pages before you get into hot water.

Next Message: mod_rewrite rules for live site

Blogs related to Securing an Email script

I am building hosting a web server technically a test server I ...
and php scripts need to be able to write to it as well. so i have to man istall the the driver. i have newly installed ubuntu and the login screen comes after about 5 min . I wonder why does it take so much time . Can anybody help me? ...

access database design diego san
... access database schema access database script access database scripts access database search access database search code access database search engine access database search form access database searching access database securing ...

WDVL Weekly Newsletter
e-mail? Tucked away in Windows XP is a built-in utility called Network Diagnostics that can save some time and effort by automatically scanning various aspects of your connection with a single click. ...

Computer Security Information
Setting Up IIS And Securing Streamed Content 69. Articles On How To Securing Hardening BSD 70. Step By Step Guide To Secure Win2k 71. Documents About Windows9x ME Hardening 72. Documents About General Hardening ...

[SQL and Code Injection] Properly securing log-in?
Ok, below is my php script for my login form. My problem? I am vulnerable to sql injection, its been proven. Could someone possibly use my script to actually show me how to secure this properly? I would really appreciate it! ...

Hacker taunts eBay with attacks- eBay is not secure!
... someone calling themselves Vladuz was selling a set of PHP files designed to create phishing sites that would collect eBay data. "It is a very basic SDK [software development kit], allowing script kiddies to set up a phishing email ...