mail() injection, am i safe?

  • Simon

    mail() injection, am i safe?

    Hi,

    I was looking at mail injection,


    And I was wondering if my mail(...) was safe.

    I ask in a form for
    1 Name
    2 Email address
    3 Subject
    4 Comment/Message

    I then build one message by putting all of the above together.
    So even if there was injection, it is all in the body of my message, right?

    I then use mail(...) as per normal with my hard coded "To:" and "Subject:"

    Is that a fairly safe way?

    How should I parse my form to prevent malicious code, (Script? eval?)

    Many thanks for your input.

    Simon




  • Lisa Pearlson

    #2
    Re: mail() injection, am i safe?

    They can also inject stuff in the "Subject" line..

    You should run your name, e-mail and subject lines through a test function
    like mine:

    // Returns true when a form field looks like it carries a mail header or a
    // MIME marker. eregi() is a case-insensitive POSIX regex match; it was
    // removed in PHP 7, where stripos($str, '...') !== false does the same job.
    function isUnsafe($str)
    {
        if (eregi('Content-Type', $str))
            return true;

        if (eregi('multipart/mixed', $str))
            return true;

        if (eregi('bcc:', $str))
            return true;

        return false;
    }

    Probably isn't sufficient, but the "Content-Type" and "multipart" stuff is
    dangerous.

    You should also hardcode the headers yourself with "Content-Type:
    text/html".

    HTH
    Lisa


    "Simon" <spambucket@example.com> wrote in message
    news:3tjbrrFt8tb1U1@individual.net...
    > Hi,
    >
    > I was looking at mail injection,
    > http://securephp.damonkohler.com/ind...mail_Injection
    >
    > And I was wondering if my mail(...) was safe.
    >
    > I ask in a form for
    > 1 Name
    > 2 Email address
    > 3 Subject
    > 4 Comment/Message
    >
    > I then build one message by putting all of the above together.
    > So even if there was injection, it is all in the body of my message,
    > right?
    >
    > I then use mail(...) as per normal with my hard coded "To:" and "Subject:"
    >
    > Is that a fairly safe way?
    >
    > How should I parse my form to prevent malicious code, (Script? eval?)
    >
    > Many thanks for your input.
    >
    > Simon
    >
    >
    >
    >



    • Simon

      #3
      Re: mail() injection, am i safe?


      "Lisa Pearlson" <no@spam.plz> wrote in message
      news:4374b2f5$0$6554$e4fe514c@dreader16.news.xs4all.nl...
      > They can also inject stuff in the "Subject" line..
      >
      > You should run your name, e-mail and subject lines through a test function
      > like mine:
      >
      > function isUnsafe($str)
      > {
      > if (eregi('Content-Type', $str))
      > return true;
      >
      > if (eregi('multipart/mixed', $str))
      > return true;
      >
      > if (eregi('bcc:', $str))
      > return true;
      >
      > return false;
      > }
      >
      > Probably isn't sufficient, but the "Content-Type" and "multipart" stuff is
      > dangerous.
      >
      > You should also hardcode the headers yourself with "Content-Type:
      > text/html".
      >
      > HTH
      > Lisa
      >

      Thanks, but my subject is also hard coded, in fact, everything is hard
      coded.
      I place everything together into the body of the message itself.

      My question would be more, what can they inject in the actual body of the
      email?

      Simon



      • Philip Ronan

        #4
        Re: mail() injection, am i safe?

        "Lisa Pearlson" wrote:
        > They can also inject stuff in the "Subject" line..
        >
        > You should run your name, e-mail and subject lines through a test function
        > like mine:
        >
        > function isUnsafe($str)
        > {
        > if (eregi('Content-Type', $str))
        > return true;
        >
        > if (eregi('multipart/mixed', $str))
        > return true;
        >
        > if (eregi('bcc:', $str))
        > return true;
        >
        > return false;
        > }
        >
        > Probably isn't sufficient, but the "Content-Type" and "multipart" stuff is
        > dangerous.

        This was discussed here just a few days ago:

        5372dfc1/7da226ecec244dea

        Generally it's better to check that the submitted data conforms to a *valid*
        pattern than to check it against specific *invalid* patterns. Among other
        things, your routine won't detect any linefeeds, which provide a simple
        means of inserting additional headers (and even body content) into an email.

        So for example, if you think a valid "Subject" should consist of between 1
        and 200 characters with ASCII codes of 32 or more (i.e. no control
        characters), then *don't accept anything else*.

        You should also make sure your script cannot be affected by user input that
        contains, for example, quotation marks or HTML tags. For example, suppose
        your error routine consists of something like this:

        <?php
        // ...
        $subject = $_GET["subject"];
        if (!isValid($subject))
            die("<P>Sorry, but \"$subject\" is not a valid subject string.</P>");
        // ...
        ?>

        If you haven't checked that $subject contains no HTML tags, then the hacker
        can insert whatever he likes into your HTML, such as a link to some other
        website, or piece of Javascript that redirects the page automatically. That
        would be a serious problem if the page was part of an online banking site
        (Google for "phishing" if you can't figure out why).

        --
        phil [dot] ronan @ virgin [dot] net



        • Chung Leong

          #5
          Re: mail() injection, am i safe?

          Just make sure that you're stripping linefeeds/carriage-returns from
          all the fields.
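The following is an added example, not code posted in this thread. It puts Philip's advice in #4 (accept only what matches a pattern of valid input, and escape anything echoed back into HTML) and Chung's in #5 (no CR/LF in any field) into one PHP contact-form handler for the four fields Simon describes. The field names, the example.com addresses and the two sample submissions are constructed for the demonstration; filter_var() with FILTER_VALIDATE_EMAIL is used for the address check, which is PHP's own validator rather than anything from the thread.

```php
<?php
// Added example, not code from the thread. Field names and sample submissions
// are constructed for this demonstration.

// Subject: 1..200 characters with ASCII codes 32..126 (Philip's rule), which
// excludes CR, LF and every other control character.
function isValidSubject(string $s): bool
{
    return preg_match('/\A[\x20-\x7E]{1,200}\z/', $s) === 1;
}

// Name: any printable text, so "Gert-Jan v/d Boer" passes, but no control
// characters at all; /u makes the class apply to UTF-8 characters.
function isValidName(string $s): bool
{
    return preg_match('/\A[^\x00-\x1F\x7F]{1,100}\z/u', $s) === 1;
}

// E-mail address: PHP's own syntax check, which does not admit line breaks.
function isValidEmail(string $s): bool
{
    return strlen($s) <= 254 && filter_var($s, FILTER_VALIDATE_EMAIL) !== false;
}

// Message body: line breaks are legitimate here, so normalise them to "\n"
// and strip the remaining control characters instead of rejecting the text.
function cleanBody(string $s): string
{
    $s = preg_replace("/\r\n|\r/", "\n", $s);
    return preg_replace('/[\x00-\x08\x0B-\x1F\x7F]/', '', $s);
}

// Validate the four fields Simon's form collects. Returns the cleaned fields
// plus a per-field error list; 'ok' is true only when every field passed.
function validateContactForm(array $post): array
{
    $fields = [];
    foreach (['name', 'email', 'subject', 'message'] as $f) {
        $fields[$f] = isset($post[$f]) ? (string) $post[$f] : '';
    }
    $fields['message'] = cleanBody($fields['message']);
    $errors = [];
    if (!isValidName($fields['name']))       { $errors['name'] = 'contains control characters or is empty'; }
    if (!isValidEmail($fields['email']))     { $errors['email'] = 'not a valid address'; }
    if (!isValidSubject($fields['subject'])) { $errors['subject'] = 'must be 1-200 printable characters'; }
    if (trim($fields['message']) === '')     { $errors['message'] = 'empty message'; }
    return ['ok' => $errors === [], 'errors' => $errors, 'fields' => $fields];
}

// Error text echoed back to the browser goes through htmlspecialchars(), so a
// value containing quotes or "<script>" cannot alter the page's HTML.
function errorHtml(string $field, string $value, string $why): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return "<p>Sorry, but \"$safe\" is not a valid $field: $why.</p>";
}

// Build mail() arguments the way Simon does: every header hard-coded, all
// user data concatenated into the body.
function buildMail(array $fields): array
{
    $headers = "From: webmaster@example.com\r\n"
             . "Reply-To: webmaster@example.com\r\n"
             . "MIME-Version: 1.0\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";
    $body = "Name: {$fields['name']}\nEmail: {$fields['email']}\n"
          . "Subject: {$fields['subject']}\n\n{$fields['message']}";
    return ['to' => 'webmaster@example.com', 'subject' => 'Contact form', 'body' => $body, 'headers' => $headers];
}

// Constructed submissions: a legitimate one and one with a line break (and a
// would-be Bcc header) smuggled into the subject.
$good = ['name' => 'Gert-Jan v/d Boer', 'email' => 'gj@example.org',
         'subject' => 'Hello', 'message' => "Line 1\r\nLine 2"];
$bad  = $good;
$bad['subject'] = "Hello\r\nBcc: unlucky1@example.com";

$r = validateContactForm($good);
if (!$r['ok']) { throw new RuntimeException('legitimate submission rejected'); }
$m = buildMail($r['fields']);
// mail($m['to'], $m['subject'], $m['body'], $m['headers']);   // needs a configured MTA
echo "good submission accepted, body is " . strlen($m['body']) . " bytes\n";

$r = validateContactForm($bad);
if (!isset($r['errors']['subject'])) { throw new RuntimeException('injection attempt was accepted'); }
echo errorHtml('subject', $r['fields']['subject'], $r['errors']['subject']), "\n";
```

The name check deliberately follows Lisa's objection in #6: rather than enumerating allowed characters, which would reject names like "Gert-Jan v/d Boer", it accepts anything that is not a control character, since the line break is the one thing that turns a field into a header. The subject, which is the field most likely to end up in a header, gets the stricter printable-ASCII rule.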


          • Lisa Pearlson

            #6
            Re: mail() injection, am i safe?

            I agree, but some characters are valid in names in some countries, like
            "Gert-Jan v/d Boer". So sometimes it can actually be harder to know what to
            expect, than it is to know what is definitely wrong (like specific key words
            or SQL statements).


            "Philip Ronan" <invalid@invalid.invalid> wrote in message
            news:BF9A6AFB.3AB44%invalid@invalid.invalid...
            > "Lisa Pearlson" wrote:
            >
            >> They can also inject stuff in the "Subject" line..
            >>
            >> You should run your name, e-mail and subject lines through a test
            >> function
            >> like mine:
            >>
            >> function isUnsafe($str)
            >> {
            >> if (eregi('Content-Type', $str))
            >> return true;
            >>
            >> if (eregi('multipart/mixed', $str))
            >> return true;
            >>
            >> if (eregi('bcc:', $str))
            >> return true;
            >>
            >> return false;
            >> }
            >>
            >> Probably isn't sufficient, but the "Content-Type" and "multipart" stuff
            >> is
            >> dangerous.
            >
            > This was discussed here just a few days ago:
            > http://groups.google.co.uk/group/com...hread/689f9ef1
            > 5372dfc1/7da226ecec244dea
            >
            > Generally it's better to check that the submitted data conforms to a
            > *valid*
            > pattern than to check it against specific *invalid* patterns. Among other
            > things, your routine won't detect any linefeeds, which provide a simple
            > means of inserting additional headers (and even body content) into an
            > email.
            >
            > So for example, if you think a valid "Subject" should consist of between 1
            > and 200 characters with ASCII codes of 32 or more (i.e. no control
            > characters), then *don't accept anything else*.
            >
            > You should also make sure your script cannot be affected by user input
            > that
            > contains, for example, quotation marks or HTML tags. For example, suppose
            > your error routine consists of something like this:
            >
            > <?
            > :
            > :
            > $subject = $_GET["subject"];
            > if (!isValid($subject))
            > die("<P>Sorry, but \"$subject\" is not a valid subject string.</P>");
            > :
            > :
            > ?>
            >
            > If you haven't checked that $subject contains no HTML tags, then the
            > hacker
            > can insert whatever he likes into your HTML, such as a link to some other
            > website, or piece of Javascript that redirects the page automatically.
            > That
            > would be a serious problem if the page was part of an online banking site
            > (Google for "phishing" if you can't figure out why).
            >
            > --
            > phil [dot] ronan @ virgin [dot] net
            > http://vzone.virgin.net/phil.ronan/
            >



            • Lisa Pearlson

              #7
              Re: mail() injection, am i safe?

              > If you haven't checked that $subject contains no HTML tags, then the
              > hacker
              > can insert whatever he likes into your HTML, such as a link to some other
              > website, or piece of Javascript that redirects the page automatically.
              > That
              > would be a serious problem if the page was part of an online banking site
              > (Google for "phishing" if you can't figure out why).

              Yes, so after "isUnsafe" I actually call htmlspecialchars()




              • Philip Ronan

                #8
                Re: mail() injection, am i safe?

                "Lisa Pearlson" wrote:
                > I agree, but some characters are valid in names in some countries, like
                > "Gert-Jan v/d Boer". So sometimes it can actually be harder to know what to
                > expect, than it is to know what is definitely wrong (like specific key words
                > or SQL statements).

                That's very true. I didn't say this was *easy* did I?

                --
                phil [dot] ronan @ virgin [dot] net



                • Toby Inkster

                  #9
                  Re: mail() injection, am i safe?

                  Simon wrote:
                  > My question would be more, what can they inject in the actual body of the
                  > email?

                  Make sure the "additional headers" parameter ends with "\r\n\r\n" and you
                  ought to be fine.

                  --
                  Toby A Inkster BSc (Hons) ARCS
                  Contact Me ~ http://tobyinkster.co.uk/contact


                  • Simon

                    #10
                    Re: mail() injection, am i safe?


                    "Toby Inkster" <usenet200511@tobyinkster.co.uk> wrote in message
                    news:40uf43-gsl.ln1@ophelia.g5n.co.uk...
                    > Simon wrote:
                    >
                    >> My question would be more, what can they inject in the actual body of the
                    >> email?
                    >
                    > Make sure the "additional headers" parameter ends with "\r\n\r\n" and you
                    > ought to be fine.
                    >

                    Sorry, I am still not sure I follow,
                    Almost everything is hard coded, (the 'to' and the 'subject').

                    and the header is

                    // additional headers, passed as the fourth argument of mail()
                    $headers =
                        "Reply-To: webmaster@example.com\n" .
                        "From: webmaster@example.com\n" .
                        "Return-Path: webmaster@example.com\n" .
                        "MIME-Version: 1.0\n" .
                        "Content-type: text/plain; charset=iso-8859-1\n" .
                        "Content-transfer-encoding: 8bit\n" .
                        "Date: " . date('r', time()) . "\n" .
                        "X-Priority: 3\n" .
                        "X-MSMail-Priority: Normal\n" .
                        "X-Mailer: PHP/" . phpversion();

                    So are you saying I should add "\r\n\r\n" as well?

                    the message is created using the info given by the user. _but I don't check
                    that data_.
                    What could they inject into the message that would cause mail(...) to be
                    unsafe?

                    Thanks

                    Simon



                    • juglesh

                      #11
                      Re: mail() injection, am i safe?


                      Simon wrote:
                      > "Toby Inkster" <usenet200511@tobyinkster.co.uk> wrote in message
                      > news:40uf43-gsl.ln1@ophelia.g5n.co.uk...
                      > > Simon wrote:
                      > >
                      > >> My question would be more, what can they inject in the actual body of the
                      > >> email?
                      > >
                      > > Make sure the "additional headers" parameter ends with "\r\n\r\n" and you
                      > > ought to be fine.
                      > >
                      >
                      > Sorry, I am still not sure I follow,
                      > Almost everything is hard coded, (the 'to' and the 'subject').
                      >
                      > and the header is
                      >
                      > "Reply-To: webmaster@example.com."\n" .
                      > "From: webmaster@example.com."\n" .
                      > "Return-Path: webmaster@example.com."\n" .
                      > "MIME-Version: 1.0\n".
                      > "Content-type: text/plain; charset=iso-8859-1\n".
                      > "Content-transfer-encoding: 8bit\n".
                      > "Date: " . date('r', time()) . "\n".
                      > "X-Priority: 3\n".
                      > "X-MSMail-Priority: Normal\n".
                      > "X-Mailer: PHP/" . phpversion();

                      next comes the $message. if the message was
                      \n bcc: unlucky1@recipient.com, unlucky2@adslfkj.com, \n
                      lemme tell ya bout these blue pills...

                      (or something like that)
                      You can see where that aint gonna be too cool.
                      > So are you saying I should add "\r\n\r\n" as well?

                      that's supposed to make the mailing program quit with the headers and
                      send the rest as the message.


                      • Philip Ronan

                        #12
                        Re: mail() injection, am i safe?

                        "juglesh" wrote:
                        >
                        > Simon wrote:
                        >>
                        >> Almost everything is hard coded, (the 'to' and the 'subject').
                        >>
                        >> and the header is
                        >>
                        >> "Reply-To: webmaster@example.com."\n" .
                        >> "From: webmaster@example.com."\n" .
                        >> "Return-Path: webmaster@example.com."\n" .
                        >> "MIME-Version: 1.0\n".
                        >> "Content-type: text/plain; charset=iso-8859-1\n".
                        >> "Content-transfer-encoding: 8bit\n".
                        >> "Date: " . date('r', time()) . "\n".
                        >> "X-Priority: 3\n".
                        >> "X-MSMail-Priority: Normal\n".
                        >> "X-Mailer: PHP/" . phpversion();
                        >
                        > next comes the $message. if the message was
                        > \n bcc: unlucky1@recipient.com, unlucky2@adslfkj.com, \n
                        > lemme tell ya bout these blue pills...

                        The php mail() function doesn't work like that. Additional headers are
                        passed as a separate parameter to the mail() function. There is no need to
                        add extra linebreaks at the beginning of the body text; PHP will do this
                        anyway.

                        If the headers have all been hard-coded like in Simon's example, then the
                        script is safe. There is no way the POST data can be rigged to insert
                        additional headers into the email.

                        --
                        phil [dot] ronan @ virgin [dot] net
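The following is an added example, not code from the thread or from PHP itself. It models, in a simplified form that is an assumption rather than PHP's actual source, what mail() on a Unix host hands to the sendmail binary: the To and Subject lines, then the additional-headers argument, then the blank line Philip says PHP supplies, then the message. A small RFC 822 parser then reads the result the way an MTA would, so the point made in #12 (a "Bcc:" inside the body stays body text) and the case the thread's validation advice is really about (a form value interpolated into the additional-headers argument) can both be checked. The addresses and the sample field value are constructed.

```php
<?php
// Added example, not code from the thread. Simplified model (an assumption,
// not PHP's source) of what mail() on Unix writes to sendmail: "To:" and
// "Subject:", the additional_headers argument, a blank line supplied by PHP,
// then the message. An MTA reads headers only up to the first blank line.

function assembleSendmailInput(string $to, string $subject, string $message, string $additionalHeaders = ''): string
{
    $raw = "To: $to\nSubject: $subject\n";
    if ($additionalHeaders !== '') {
        $raw .= rtrim($additionalHeaders, "\r\n") . "\n";
    }
    return $raw . "\n" . $message;
}

// Parse a raw RFC 822 message the way an MTA does: header fields (with folded
// continuation lines) up to the first empty line; everything after it is body.
// Returns ['headers' => [lowercase-name => [values...]], 'body' => string].
function parseMessage(string $raw): array
{
    $lines = preg_split("/\r\n|\n/", $raw);
    $headers = [];
    $last = null;
    $n = count($lines);
    $i = 0;
    while ($i < $n && $lines[$i] !== '') {
        $line = $lines[$i++];
        if (preg_match('/^([!-9;-~]+):[ \t]*(.*)$/', $line, $m)) {
            $last = strtolower($m[1]);
            $headers[$last][] = $m[2];
        } elseif ($last !== null && ($line[0] === ' ' || $line[0] === "\t")) {
            $headers[$last][count($headers[$last]) - 1] .= ' ' . trim($line);
        }
    }
    $body = implode("\n", array_slice($lines, $i + 1));
    return ['headers' => $headers, 'body' => $body];
}

// Reject a value destined for a header line unless it is a single line of
// printable ASCII: the check Philip recommends, applied where it matters.
function safeHeaderValue(string $value): string
{
    if (preg_match('/\A[\x20-\x7E]{1,200}\z/', $value) !== 1) {
        throw new InvalidArgumentException('header value must be one printable line');
    }
    return $value;
}

function expect(bool $ok, string $what): void
{
    if (!$ok) { throw new RuntimeException("expectation failed: $what"); }
}

// Case 1: Simon's layout, headers hard-coded, user text only in the body
// (Toby's "BCC:" body from the thread). The Bcc line lands in the body.
$hardcoded = "Reply-To: webmaster@example.com\n"
           . "From: webmaster@example.com\n"
           . "MIME-Version: 1.0\n"
           . "Content-type: text/plain; charset=iso-8859-1";
$msg = parseMessage(assembleSendmailInput('webmaster@example.com', 'Contact form',
    "BCC: me@example.com\r\n\r\nlalala", $hardcoded));
expect(!isset($msg['headers']['bcc']), 'no Bcc header from body text');
expect(strpos($msg['body'], 'BCC: me@example.com') === 0, 'Bcc text stays in the body');

// Case 2: the layout the thread's advice guards against: a form field placed
// into additional_headers without a check. A line break in it ends the
// Reply-To line and the MTA reads what follows as a header (constructed input).
$field = "visitor@example.com\nBcc: unlucky1@example.com";
$msg = parseMessage(assembleSendmailInput('webmaster@example.com', 'Contact form',
    'hello', "Reply-To: $field"));
expect(isset($msg['headers']['bcc']), 'unchecked header field becomes a Bcc header');

// Case 3: the same layout with the value validated first is refused outright.
try {
    assembleSendmailInput('webmaster@example.com', 'Contact form', 'hello',
        'Reply-To: ' . safeHeaderValue($field));
    expect(false, 'validation should have thrown');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
echo "all cases behaved as expected\n";
```

Run with `php` on the command line; it prints the rejection message and the final confirmation, and throws if any case behaves differently. The model deliberately ignores platform details such as the "-i" and "-t" flags and Windows SMTP mode, since the point is only where the header/body boundary falls.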



                        • Toby Inkster

                          #13
                          Re: mail() injection, am i safe?

                          Simon wrote:
                          > the message is created using the info given by the user. _but I don't check
                          > that data_.
                          > What could they inject into the message that would cause mail(...) to be
                          > unsafe?

                          $_POST['message'] = "BCC: me@example.com\r\n\r\nlalala" ;

                          --
                          Toby A Inkster BSc (Hons) ARCS
                          Contact Me ~ http://tobyinkster.co.uk/contact


                          • Philip Ronan

                            #14
                            Re: mail() injection, am i safe?

                            "Toby Inkster" wrote:
                            > Simon wrote:
                            >
                            >> the message is created using the info given by the user. _but I don't check
                            >> that data_.
                            >> What could they inject into the message that would cause mail(...) to be
                            >> unsafe?
                            >
                            > $_POST['message'] = "BCC: me@example.com\r\n\r\nlalala";

                            Totally ineffective.

                            The $message parameter is not added to the headers. All you would manage to
                            do is create an email containing the following body:
                            > BCC: me@example.com
                            >
                            > lalala

                            Try reading up on the subject:
                            <http://uk2.php.net/manual/en/function.mail.php>
                            <http://www.ietf.org/rfc/rfc0822.txt>

                            --
                            phil [dot] ronan @ virgin [dot] net



                            • Toby Inkster

                              #15
                              Re: mail() injection, am i safe?

                              Philip Ronan wrote:
                              > The $message parameter is not added to the headers.

                              So naïve! They're all concatenated and passed to the sendmail binary.

                              --
                              Toby A Inkster BSc (Hons) ARCS
                              Contact Me ~ http://tobyinkster.co.uk/contact

