Is this attack harmless or harmful?
Posted on September 7, 2005, 5:52 pm
It hits my form about 10 times in a couple of seconds. It adds email
header info into a textarea box as printed below:
Content-Type: multipart/mixed; boundary="===============0845246937=="
This is a multi-part message in MIME format.
Content-Type: text/plain; charset="us-ascii"
I tried manually entering this into the field and substituting my own
address. It didn't seem to generate an email to me.
I'm using PHP4's mail() function to add $_POST contents to the
message body, so this never does make it into the header section.
However, since I really don't want my domains to come up on some
"frequent spammers" list, I'd like to be certain.
Am I in trouble here?
Also, if I just do a str_replace() to change any occurrence of "MIME"
into something innocuous, will that fortify my defenses?
Re: Is this attack harmless or harmful?
The world is full of jerks. What's happening here is that someone is trying
to insert additional headers (Subject, To, From, etc.) into the email
generated by your form. The multipart/mixed business is there to split the
email up so that whatever you *think* you're putting in the email is never
actually seen. Instead the spammer has complete control over the content of
Fortunately PHP seems to have detected this and is refusing to send the
email. But really you should never *ever* take user-generated data straight
from a POST or GET request and put it into an email (or a database, or
anything else for that matter).
For example, the following script is unsafe because the "from" field can be
used to insert other headers (like "Cc", for example) to send email
anonymously to other recipients.
<?php
$to = 'email@example.com';
$from = $_POST['from'];      // unvalidated: may contain "\r\nCc: ..." etc.
$subj = $_POST['subject'];
$msg = $_POST['msg'];
// $from goes straight into the header block, so a line break in it
// starts a new header of the attacker's choosing.
mail($to, $subj, $msg, 'From: ' . $from);
So basically you need to make damn sure your email script doesn't send
anything unless you're COMPLETELY satisfied that the data provided by the
user is genuine and safe to use. Treat *everything* with suspicion.
phil [dot] ronan @ virgin [dot] net
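The check the reply is describing, written out as an added example that is not part of either post. It validates the form fields before anything reaches mail() and feeds it the same multipart/mixed payload quoted in the question, to show that the attack rides on the line breaks, not on the word "MIME". The field names ($_POST['from'], 'subject', 'msg'), the recipient address and the sample inputs are assumptions for illustration.

```php
<?php
// Added example (not from the original thread): header-injection checks for a
// PHP mail form. Field names and the recipient address are assumptions.

// A header value may never contain a line break: a CR or LF is the only way a
// submitted value can start a new header (Cc:, Bcc:, Content-Type:, ...) or
// end the header block and begin a MIME body the attacker controls.
function has_header_injection(string $value): bool
{
    // %0a / %0d arrive already URL-decoded in $_POST, so checking the raw
    // characters is enough.
    return preg_match('/[\r\n]/', $value) === 1;
}

// Returns the names of the fields that failed validation; an empty array
// means the values are safe to place in headers.
function validate_form(array $post): array
{
    $errors = [];

    $from = trim($post['from'] ?? '');
    // Require exactly one syntactically valid address. A value such as
    // "a@example.com\r\nCc: victim@example.org" fails both checks.
    if ($from === '' || has_header_injection($from)
        || filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'from';
    }

    $subject = trim($post['subject'] ?? '');
    if ($subject === '' || has_header_injection($subject)) {
        $errors[] = 'subject';
    }

    return $errors;
}

// Constructed sample input: the payload quoted in the question, submitted in
// the "from" field. Replacing "MIME" with something else would leave the
// line breaks, and therefore the injected Content-Type header, intact.
$attack = [
    'from'    => "bob@example.com\r\n"
               . "Content-Type: multipart/mixed; boundary=\"===============0845246937==\"\r\n"
               . "\r\n"
               . "This is a multi-part message in MIME format.",
    'subject' => 'hello',
    'msg'     => 'legitimate body',
];
$clean = [
    'from'    => 'bob@example.com',
    'subject' => 'hello',
    'msg'     => 'legitimate body',
];

var_dump(validate_form($attack));   // rejected: the "from" field fails
var_dump(validate_form($clean));    // accepted: no errors

if (validate_form($clean) === []) {
    // Headers are built only from values that passed the checks above.
    // The message body is handed to mail() as the body argument, where a
    // line break cannot create a header, so it needs no such check.
    $headers = 'From: ' . $clean['from'] . "\r\n"
             . 'Reply-To: ' . $clean['from'];
    // mail('email@example.com', $clean['subject'], $clean['msg'], $headers);
}
```

Rejecting the submission outright, rather than stripping the offending characters, is the simpler and safer choice: a legitimate sender has no reason to put a line break in an address or subject, and silent rewriting can leave a value that still parses as an extra header.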