
Re: My contact form is not emailed to me

From "P E Schoen" <paul@pstech-inc.com>
Newsgroups comp.lang.php
Subject Re: My contact form is not emailed to me
Date 2011-04-19 00:33 -0400
Organization Aioe.org NNTP Server
Message-ID <ioj3bo$dv2$1@speranza.aioe.org>
References (5 earlier) <8d59976e-bbfc-4552-8505-df661de50c1b@l14g2000pre.googlegroups.com> <iofgr1$f0$1@dont-email.me> <iofj5t$7gi$1@dont-email.me> <iois3u$vor$1@speranza.aioe.org> <ioito7$1r5$1@dont-email.me>



"Jerry Stuckle"  wrote in message news:ioito7$1r5$1@dont-email.me...

> Just remember - never trust ANYTHING from the user.  You may have
> email addresses hardcoded into your forum.  But there is NOTHING
> which says the request has to come from YOUR form.  They can make
> up any form they want and send whatever data they want to your page.

I realize that, but the authorized names and emails are hard-coded in the 
PHP script which is invoked from the HTML form using POST variables. Of 
course, a hacker could figure that out and use his own form to try to access 
the script for mass emailing or whatever, but he would not get past the 
authentication without somehow knowing the names and addresses, and then 
also the password.

> And I don't use htmlpurifier, but I would be very surprised if they
> were to take out stuff which could be used to make your site a spam
> relay. After all, things like newline characters are quite valid input
> values. It's how they are used which makes a difference.  And
> htmlpurifier doesn't know how you're going to use it.

The headers are pretty much hard-coded as well, except for including the 
name and email address of the user in the subject. Since they both must pass 
strict authentication, additional malevolent headers cannot be injected 
there. Everything else is formatted in the body of the message, which is 
passed through the purifier.

> And finally - "only a small group of trusted members" is one of the
> most famous lines used by people who got their website hacked.
> That may be your intent.  But hackers are good at getting around
> restrictions, especially if you're not sure of what you're doing.

I freely admit to not knowing all (or even most) of the "gotchas", but 
without lots of experience or extensive study of the subject, I don't know 
how to determine if what I have is "safe". I could probably submit the code 
to someone like you (probably for a fee), to review the code and fix the 
security leaks, or maybe I could find a benevolent hacker to attempt to hack 
the site.

What would be really useful would be a sort of "verifier" that would perform 
the usual attempts and then report on the degree of vulnerability. Is such a 
service available? I think it would be worth even a moderate "pay per view" 
of a dollar or two to obtain such a security risk report. I know that I 
would make good use of it, and it would also be helpful to the OP. My own 
site is being built on a volunteer basis for a non-profit organization 
(Sierra Club Greater Baltimore Group), so our funds are limited. I am 
actually hosting their site on my own server, because the portion of the 
National site that I am authorized to access does not have CGI capability.

Thanks,

Paul 
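The design Paul describes above (hard-coded header values, sender checked against a hard-coded member list, and the member's name and email placed in the Subject) with the defence Jerry's remark about newline characters calls for, as an added example; this is not code from either poster. The member list, addresses, password and function names are constructed for the demo, and the `mail()` call is left commented out so the script runs offline.

```php
<?php
// Added example, not code from the thread. Every user-supplied value that
// reaches a mail header is refused if it contains CR, LF or NUL, because a
// line break is what lets a forged POST append extra header lines and turn
// the script into a spam relay. Authorization is a lookup against the
// hard-coded list, not trust in whatever form sent the request.

declare(strict_types=1);

// Constructed allow-list: member name => [email, password hash].
// Real config stores only password_hash() output, never the password.
$authorizedMembers = [
    'Jane Doe' => [
        'email' => 'jane@example.org',
        'hash'  => password_hash('demo-secret-only', PASSWORD_DEFAULT),
    ],
];

const FORM_FROM = 'contact-form@example.org';   // hard-coded, never user-supplied
const FORM_TO   = 'webmaster@example.org';      // hard-coded recipient

/** True if $value cannot terminate a header line (no CR, LF or NUL). */
function isSingleLine(string $value): bool
{
    return preg_match('/[\r\n\x00]/', $value) === 0;
}

/**
 * Validate a POST submission against the hard-coded member list.
 * Returns [fields, 'ok'] on success, or [null, reason] for the log.
 */
function validateSubmission(array $post, array $authorized): array
{
    $name     = trim((string)($post['name'] ?? ''));
    $email    = trim((string)($post['email'] ?? ''));
    $password = (string)($post['password'] ?? '');
    $body     = (string)($post['message'] ?? '');

    if (!isSingleLine($name) || !isSingleLine($email)) {
        return [null, 'line break in header field'];
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return [null, 'malformed email'];
    }
    $member = $authorized[$name] ?? null;
    if ($member === null || !hash_equals($member['email'], $email)) {
        return [null, 'unknown member'];
    }
    if (!password_verify($password, $member['hash'])) {
        return [null, 'bad password'];
    }
    return [['name' => $name, 'email' => $email, 'body' => $body], 'ok'];
}

/** Build Subject, fixed headers and body; only validated values are used. */
function buildMail(array $fields): array
{
    // Name and address go in the Subject, as in the thread's design; both have
    // already been checked to be a single line, so they cannot add headers.
    $subject = sprintf('Contact form: %s <%s>', $fields['name'], $fields['email']);
    $headers = [
        'From: ' . FORM_FROM,
        'Reply-To: ' . FORM_FROM,
        'Content-Type: text/plain; charset=UTF-8',
    ];
    // The body is free text; normalise its line endings so a bare CR cannot
    // be misread as a header terminator by a downstream mailer.
    $body = str_replace(["\r\n", "\r"], "\n", $fields['body']);
    return ['to' => FORM_TO, 'subject' => $subject, 'headers' => $headers, 'body' => $body];
}

// Demo: one legitimate submission and one constructed forged POST that did not
// come from the site's own form and carries a line break in the name field.
$cases = [
    'legit'  => ['name' => 'Jane Doe', 'email' => 'jane@example.org',
                 'password' => 'demo-secret-only', 'message' => "Hello\r\nfrom Jane"],
    'forged' => ['name' => "Jane Doe\r\nBcc: bulk@example.net", 'email' => 'jane@example.org',
                 'password' => 'demo-secret-only', 'message' => 'x'],
];
foreach ($cases as $label => $post) {
    [$fields, $reason] = validateSubmission($post, $authorizedMembers);
    if ($fields === null) {
        error_log("contact form rejected ($label): $reason");   // log it, do not echo it back
        continue;
    }
    $mail = buildMail($fields);
    // mail($mail['to'], $mail['subject'], $mail['body'], implode("\r\n", $mail['headers']));
    echo "$label: would send '{$mail['subject']}' with " . count($mail['headers']) . " headers\n";
}
```

Run with `php contact.php`: the legitimate case reaches `buildMail()`, the forged one is rejected at the single-line check before any header is assembled. The rejection reason goes to the server log rather than the response, which gives you something to watch for repeated probes without telling the sender which check fired.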
