  1. #1
    SitePoint Enthusiast (joined Nov 2001, London, UK, 76 posts)

    PHP Mail Security?

    "When calling the system mail program we must be careful of what characters we are sending to it. Because we are opening a Unix pipe, it is possible for malicious users to enter shell meta characters into form inputs that later are passed to sendmail. The results can be disastrous."
    I was wondering if the above only applies to 'SendMail', and not the 'Mail' function?
    I'm testing this referral script called 'V-Ine', which is working nicely, but I'm worried about whether or not there is a serious security risk with it, as mentioned above.

    The script which I'm talking about is as follows:

    <?php

    ////////////////////////////////////////////////////////////
    //
    // v-ine.php - a Web site referral service
    //
    ////////////////////////////////////////////////////////////
    //
    // This script allows your visitors to send recommendations
    // of your site to their friends.
    //
    // See readme.txt for more information.
    //
    // Author: Jon Thomas <jthomas@spiderdepot.com>
    // Last Modified: 7/15/01
    //
    // You may freely use, modify, and distribute this script.
    // You may remove this notice.
    //
    ////////////////////////////////////////////////////////////

    // define the variables
    // the message to send if the user does not supply their own
    $defaultMsg = "Hey $friend_name, check out this great site! It offers $25/hour custom CGI programming plus an archive of free CGI scripts, fully documented and supported.";
    // the url for the "thanks" page
    $thanksURL = "thanks.html";

    // DO NOT EDIT BELOW THIS POINT UNLESS YOU KNOW PHP! //

    // determine whether the e-mail address is valid
    function is_email($email)
    {
        if (ereg('[0-9a-z]+'.   // username contains alphanumeric chars
                 '@'.           // contains @
                 '[0-9a-z]+'.   // domain name contains alphanumeric chars
                 '\.'.          // contains .
                 '[a-z]{2,4}',  // domain contains 2-4 alphabetical chars
                 $email)) {
            return TRUE;
        }
        else {
            return FALSE;
        }
    }

    // if the necessary user input is not provided, print an error msg
    if ($you_name == "" || $you_email == "" || $friend_name == "" || $friend_email == "") {
        die("<p><b>Whoops!</b> You must fill in your name and address and your friend's name and address. Please <a href=javascript:history.back(1)>go back</a> and fill in the other information.</p>");
    }

    // if either e-mail address is invalid, print an error msg
    if (!is_email($you_email) || !is_email($friend_email)) {
        die("<p><b>Whoops!</b> An e-mail address you supplied was invalid. Please <a href=javascript:history.back(1)>go back</a> and correct this information.</p>");
    }

    // if the url is not set, print an error msg
    if (!isset($url)) {
        die("<p><b>Whoops!</b> The webmaster did not properly configure <i>v-ine</i>. Please send him an e-mail about this problem.</p>");
    }

    // get the date and time
    $datetime = date('l, F j \a\t g:i A T');

    // if the user did not enter his own message, use the default
    if ($message == "A default message will be sent if you do not enter your own message.") {
        $message = $defaultMsg;
    }

    // send the referral
    mail($friend_email, "Check out this great site!", "$message\n\nURL: $url\n\nYour friend, $you_name", "From: $you_email");

    // if the webmaster's e-mail address is provided, send him a notice
    if (isset($webmaster)) {
        mail($webmaster, "Referral Notice", "$you_name <$you_email> referred $friend_name <$friend_email> to $url on $datetime with the following message:\n\n$message", "From: v-ine");
    }

    // redirect to "thanks" page
    header("Location: $thanksURL");

    ?>

    Thanks.

  2. #2
    SitePoint Zealot (joined Oct 2001, Dallas/Ft. Worth, 101 posts)

    re:

    Actually, sendmail is a Unix program that sends email, and the PHP mail() function uses this program to send emails. So, if you believe in what you quoted and think it applies to your case, then yes, you should worry. Personally, I'm not aware of that issue.

    However, you have one issue with your script. Your, or your host's, mailserver can easily be used to send "illegal" messages and spam people. You do not check for the referrer anywhere, and I believe that you want only messages coming from your domain to be sent. So to fix this, you should go to http://zend.com and look at one of the tutorials on how to code a good mail function. (Sorry, I don't have the exact link, but you should be able to easily find what I'm talking about.) Btw, their forum is a great source for PHP related questions and you should post your questions there as well. Please post the answer here as well if you find something different than what I just wrote.

    Thanks and good luck!

  3. #3
    DR_LaRRY_PEpPeR (joined Jul 2001, Missouri, 3,428 posts)

    i don't think it's a problem in PHP. i don't know what that script is talking about -- THEY'RE NOT opening a pipe to sendmail anywhere. security problems arise with sendmail when you pass what you believe to be an e-mail address as a parameter to the program. it's not a problem when the address is specified separately (with the To: address command). in that case you (PHP itself actually) open sendmail with the -t parameter, which is the default behavior in PHP.

    i'm sure it's safe b/c after a quick look at the PHP source code, they are indeed specifying the address with the To: address command -- the address is not passed as a parameter to the program, and, as far as i know, that would be the only security problem (and it's not an issue here).
    - Matt ** Ignore old signature for now... **

  4. #4
    SitePoint Enthusiast (joined Nov 2001, London, UK, 76 posts)

    ...

    Thanks people.

    Ahajdar, this is what I found at http://zend.com:

    "Checking an e-mail address

    One of the most common forms of validation is checking an e-mail address to make sure that it is valid. Many novice programmers will just use a regular expression that they grabbed off one of the mailing lists or from a code repository. However, a regular expression is not sufficient if you want to secure accurate results. There are a couple of methods you can use, instead, that are more secure:

    Socket Validation

    Interactive Validation

    Socket validation
    One way of validating an e-mail address without directly involving the user is to open up a socket to the server they give you for their e-mail address and check to find their username.

    Advantages

    No inconvenience to the user as everything is done transparently.
    Weeds out many phony addresses that wouldn't be caught by a regular expression (such as joe@fgsdh.com).

    Disadvantages

    Will not catch valid but mistaken addresses. For example, if John Doe submits my e-mail address, (sterling@php.net), the message will be processed, in spite of it being my address instead of his.
    Slower than using a regular expression to validate an e-mail address.

    User's mail server may be temporarily down, causing a valid address to not be recognized.

    Interactive Validation

    Another method of validating an e-mail address is by sending a special "key" to the user's e-mail box, and then requiring the user to enter that special key in order to continue. This ensures not only that the e-mail address is valid, but also that the user has legal access to an e-mail account.

    Advantages

    It is the best way to ensure that a user has a valid e-mail address. (They must have access to the e-mail address they give you in order to register.)

    Disadvantages

    Requires that a user take extra steps in order to submit their data. This will annoy users intended on fooling you.

    Like every method, it is not foolproof. The user can create a temporary account with Hotmail or Netaddress and then use that account to register onto your site."

    So, if I've got this correctly, then I don't think it's really worth checking for the referrer in this case because of the disadvantages, as stated above?

  5. #5
    SitePoint Enthusiast (joined Nov 2001, London, UK, 76 posts)

    IP addresses...?

    Hi.

    I've just thought of a way which may deter spammers, malicious users...

    What if you were to record the IP address of users (which you could include in the email which is sent to the webmaster every time someone uses the script), then if you find that users with certain IPs are abusing the referral script, you could put those IPs in a 'don't send mail if user has this IP' list?

    Would someone be kind enough to let me know if this is possible & also how I would go about doing this to include it in the script provided in the first post.

  6. #6
    SitePoint Zealot (joined Oct 2001, Dallas/Ft. Worth, 101 posts)

    re:

    A couple of things here, concerning the IP question and the referrer.

    What the referrer check does is make sure that the email request came from your domain and your domain only. Others can use your mail server to send messages, and this is what you should try to avoid, for the obvious reason that they could bring your host's mail server down. Let's say a porn website wants to send emails to "random" users. Do you really want them using your mail server to do so? Unless they physically type in the message on the form on your domain, they cannot send this kind of email. - This assumes that you check that the email comes from your domain.

    As for IP, you could block IPs, but most people these days use dynamic IPs to connect to the internet so it really wouldn't make much sense to block certain IPs.

    I hope this helps bring another view.

  7. #7
    SitePoint Enthusiast (joined Nov 2001, London, UK, 76 posts)

    Referrer check...?

    Ahajdar, I think I'm getting confused here!

    "What the referrer check does is make sure that the email request came from your domain and your domain only...Unless they physically type in the message on the form on your domain, they cannot send this kind of email. - This assumes that you check that the email comes from your domain"

    Can someone send email with that script from another domain, and can they send email without filling the form in? As I'm confused, these questions may not make sense!

  8. #8
    SitePoint Zealot (joined Oct 2001, Dallas/Ft. Worth, 101 posts)

    re:

    Exactly as you asked...someone can send email without physically accessing your form. They can look at what variables are being "post"-ed in your form and just do the same thing from their script. However, they cannot fake the domain variable from which the vars are being posted, so that's what you should check to be safe. I've seen code on zend.com that walks you through this (tells you how to protect yourself against this kind of a malicious user), so you should check this, especially if you're hosting your site on your server and not with a third party host. Of course, if you want to be nice, you can try to protect their mail server too.
    The url of the explanation with the code is at:
    http://www.zend.com/zend/spotlight/f....php#Heading13

    I hope this clears everything.

    Good Luck!
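The checks this thread circles around, as an added example that is neither the V-Ine script from post #1 nor the Zend tutorial: an anchored address check, a single-line rule for every value that reaches the headers argument of mail(), and a server-side form token in place of a referrer check (the Referer header is supplied by the client, so it cannot prove that a request came through this site's form). Field names follow the script in post #1; the function names and the 'token' form field are assumptions.

```php
<?php
// Added example (not the V-Ine script or Zend's code): field names follow the
// script in post #1; the function names and the 'token' field are assumptions.
// Anchored pattern: the whole field must be one address. The script's ereg()
// pattern is unanchored, so extra characters around an address still match.
function is_email(string $email): bool
{
    return preg_match('/\A[0-9a-z._%+-]+@[0-9a-z-]+(\.[0-9a-z-]+)*\.[a-z]{2,}\z/i', $email) === 1;
}
// Whatever reaches mail()'s headers argument ("From: $you_email") must stay on
// one line; a CR or LF there would begin a new header, so reject the request.
function is_single_line(string $value): bool
{
    return strpbrk($value, "\r\n") === false;
}
// The Referer header is sent by the client, so it cannot prove the request came
// through our form. A random, single-use token stored server-side (normally in
// $_SESSION) and embedded in the form that this site served can.
function issue_form_token(array &$session): string
{
    return $session['referral_token'] = bin2hex(random_bytes(32));
}
function form_token_is_valid(array &$session, ?string $submitted): bool
{
    $expected = $session['referral_token'] ?? '';
    unset($session['referral_token']);
    return $expected !== '' && $submitted !== null && hash_equals($expected, $submitted);
}
// Returns the problems found in one submission; an empty array means "send".
function validate_referral(array &$session, array $post): array
{
    $problems = [];
    if (!form_token_is_valid($session, $post['token'] ?? null)) {
        $problems[] = 'missing or stale form token';
    }
    foreach (['you_name', 'friend_name', 'you_email', 'friend_email'] as $f) {
        $v = $post[$f] ?? '';
        if ($v === '' || !is_single_line($v)) {
            $problems[] = "$f is empty or contains a line break";
        } elseif (substr($f, -6) === '_email' && !is_email($v)) {
            $problems[] = "$f is not a valid address";
        }
    }
    return $problems;
}
// Constructed demo: a valid submission is accepted once; replaying it is not.
$session = [];
$post = ['token' => issue_form_token($session), 'you_name' => 'Ann', 'friend_name' => 'Bob',
         'you_email' => 'ann@example.com', 'friend_email' => 'bob@example.org'];
var_dump(validate_referral($session, $post), validate_referral($session, $post));
```

In a real deployment the `$session` array is `$_SESSION`, the token is written into the form as a hidden field when the page is rendered, and the script in post #1 calls mail() only when validate_referral() returns an empty array.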

