Free Articles, Free Web Content, Reprint Articles
Tuesday, December 11, 2018

Security Hole Mail Header Injection at PHP

If you use the PHP language to send email (especially from an HTML form), you must take extra precautions. In the last few weeks, many people have been actively trying to exploit PHP scripts that use the mail() function:

mail($recipient, $subject, $message, [$extraheaders], [$extraparams]);

The most common mistake PHP programmers make is not validating every variable that comes in to their server. If some of those variables come from an HTML form, someone can add extra headers to them, which can cause trouble for your server or allow spam to be sent through it.

As an example, look at this sample code:

mail("me@example.net", $subject, $text, "From: $email\n");

It has a security hole if you don't validate the $subject variable and the $email variable.

The simple way to detect a header injection attempt is to check whether those variables contain a newline character (\r or \n). Here is the example to check the $subject variable:

Make sure that you check every variable that comes in to your server. Besides the example above, you must also check the $email variable that is used in the mail() function.
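An added example (not the article's own code) that puts the newline check described above beside the vulnerable mail() call from earlier and a hardened version of it; has_header_injection() and send_contact_mail() are names chosen for this example, and webform@example.net is a placeholder sender address.

```php
<?php
// Added example, not the article's code. Function names here are chosen for
// this example; webform@example.net is a placeholder sender address.

// True when a value could spill into a new header line: raw CR/LF,
// their URL-encoded forms, or a NUL byte.
function has_header_injection($value) {
    return preg_match('/[\r\n\x00]|%0[ad]/i', $value) === 1;
}

// Vulnerable form (as in the article): $subject and $email go straight
// into the message, so a newline in either one appends arbitrary headers.
function send_contact_mail_vulnerable($subject, $text, $email) {
    return mail("me@example.net", $subject, $text, "From: $email\n");
}

// Hardened form: reject CR/LF in every header-bound value, require a
// syntactically valid address, and keep From: fixed to a local sender.
function send_contact_mail($subject, $text, $email) {
    if (has_header_injection($subject) || has_header_injection($email)) {
        return false; // call the article's logbad() here to record the attempt
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Reply-To carries the visitor's address; From stays a fixed local
    // sender so the message passes SPF/DMARC checks for your own domain.
    $headers = "From: webform@example.net\r\n"
             . "Reply-To: $email\r\n"
             . "MIME-Version: 1.0\r\n"
             . "Content-Type: text/plain; charset=utf-8\r\n";
    return mail("me@example.net", $subject, $text, $headers);
}

// Constructed inputs to exercise the check; no mail is sent for these.
$clean   = "Question about your article";
$suspect = "Question\r\nBcc: someone@example.com"; // constructed: CRLF starts a new header
foreach (array($clean, $suspect) as $s) {
    echo json_encode($s), " => ",
         (has_header_injection($s) ? "rejected" : "accepted"), "\n";
}
```

The same check can be applied to every $_POST value before it reaches mail(), which is what the longer script below does with its list of suspicious strings.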

Here's the sample PHP code that I've used to prevent spam injection (your criticism and suggestions are very welcome):

function logbad($value) {
  $report_to = "your_email";   // address that receives the abuse report
  $name = "www.monx007.com";   // display name for the From: header
  $mail = "from_email";        // sender address; replace this with your own
  // replace this with your own get_ip function if you have one...
  $ip = (empty($_SERVER['REMOTE_ADDR'])) ? 'empty' : $_SERVER['REMOTE_ADDR'];
  $rf = (empty($_SERVER['HTTP_REFERER'])) ? 'empty' : $_SERVER['HTTP_REFERER'];
  $ua = (empty($_SERVER['HTTP_USER_AGENT'])) ? 'empty' : $_SERVER['HTTP_USER_AGENT'];
  $ru = (empty($_SERVER['REQUEST_URI'])) ? 'empty' : $_SERVER['REQUEST_URI'];
  $rm = (empty($_SERVER['REQUEST_METHOD'])) ? 'empty' : $_SERVER['REQUEST_METHOD'];
  $headers = "MIME-Version: 1.0\n";
  $headers .= "Content-type: text/plain; charset=iso-8859-1\n";
  $headers .= "X-Priority: 1\n";
  $headers .= "X-MSMail-Priority: Normal\n";
  $headers .= "X-Mailer: php\n";
  $headers .= "From: \"" . $name . "\" <" . $mail . ">\r\n\r\n";
  $subject = "[ABUSE] mailinjection @ " . $_SERVER['HTTP_HOST'] . " by " . $ip;
  $body = "Stopped possible mail-injection @ " . $_SERVER['HTTP_HOST'] . " by " . $ip
        . " (" . date('d/m/Y H:i:s') . ")\r\n\r\n"
        . "*** IP/HOST\r\n" . $ip . "\r\n\r\n"
        . "*** USER AGENT\r\n" . $ua . "\r\n\r\n"
        . "*** REFERER\r\n" . $rf . "\r\n\r\n"
        . "*** REQUEST URI\r\n" . $ru . "\r\n\r\n"
        . "*** REQUEST METHOD\r\n" . $rm . "\r\n\r\n"
        . "*** SUSPECT\r\n--\r\n" . $value . "\r\n--";
  @mail($report_to, $subject, $body, $headers);
}

// Check 1
// First, make sure the form was posted from a browser.
// For basic web-forms, we don't care about anything
// other than requests from a browser:
if (!isset($_SERVER['HTTP_USER_AGENT'])) {
  die('Forbidden - You are not authorized to view this page (0)');
}

// Check 2
// Make sure the form was indeed POST'ed:
// (requires your html form to use: method="post")
if ($_SERVER['REQUEST_METHOD'] != "POST") {
  die('Forbidden - You are not authorized to view this page (1)');
}

// Host names from where the form is authorized to be posted from:
$authHosts = array("yourdomain.com");

// Where have we been posted from? (the Referer header may be missing)
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$fromArray = parse_url(strtolower($referer));
$fromHost = (is_array($fromArray) && isset($fromArray['host'])) ? $fromArray['host'] : '';
$wwwUsed = strpos($fromHost, "www.");   // did the referring host use www?

// Make sure the form was posted from an approved host name.
if (!in_array(($wwwUsed === false ? $fromHost : substr(stristr($fromHost, '.'), 1)), $authHosts)) {
  logbad("Form was not posted from an approved host name");
  die('Forbidden - You are not authorized to view this page (2)');
}

// Attempt to defend against header injections:
$badStrings = array("content-type:", "mime-version:", "content-transfer-encoding:", "multipart/mixed", "charset=", "bcc:", "cc:");

// Loop through each POST'ed value and test if it contains
// one of the $badStrings:
foreach ($_POST as $k => $v) {
  foreach ($badStrings as $v2) {
    if (strpos(strtolower($v), $v2) !== false) {
      logbad($v);
      // htmlspecialchars() keeps the echoed input from being rendered as HTML
      die("Form processing cancelled: string (`" . htmlspecialchars($v) . "`) contains text portions that are potentially harmful to this server. Your input has not been sent! Please use your browser's `back`-button to return to the previous page and try rephrasing your input.");
    }
  }
}

// Made it past spammer test, free up some memory
// and continue with the rest of the script:
unset($k, $v, $v2, $badStrings, $authHosts, $fromArray, $fromHost, $referer, $wwwUsed);

See these sites below to find additional information:

http://securephp.damonkohler.com/index.php/Email_Injection

http://us2.php.net/mail (look at the comment section)

Source: Free Articles from ArticlesFactory.com

ABOUT THE AUTHOR

Copyrighted by Monx Digital Library