[brendandonhue]

But he is using a post method not a get method for the form. ok i see because he is using the $_REQUEST tage is the issue try using $_POST

Whoops didn't see your edit. Switching from $_REQUEST to $_POST won't fix the injection issue. It just makes it slightly harder to exploit (meaing you might need to use telnet to exploit it instead of a web browser.)

[Advertisements]

Ok, so you've got this script at http://mysite.com/sendmail.php
Enter this in your browser's address bar, and there you go

http://www.mysite.com/[email protected]%0aTo:%[email protected]&message=Exploited

That inserts a To: header, adding another recipient to the email.

I tried it and this is the response I got from the browser:

Warning: mail(): SMTP server response: 550 <[email protected]>, Recipient unknown in C:\Documents and Settings\TCassels\Desktop\web\sendmail1.php on line 6

Warning: Cannot modify header information - headers already sent by (output started at C:\Documents and Settings\TCassels\Desktop\web\sendmail1.php:6) in C:\Documents and Settings\TCassels\Desktop\web\sendmail1.php on line 7

I had to change the name of sendmail.php to sendmail1.php because I already have that filename used. Any other ideas on how I can secure this script?

[amunra]

Ok, so you've got this script at http://mysite.com/sendmail.php
Enter this in your browser's address bar, and there you go

http://www.mysite.com/[email protected]%0aTo:%[email protected]&message=Exploited

That inserts a To: header, adding another recipient to the email.

I tried it and this is the response I got from the browser:

Warning: mail(): SMTP server response: 550 <[email protected]>, Recipient unknown in C:\Documents and Settings\TCassels\Desktop\web\sendmail1.php on line 6

Warning: Cannot modify header information - headers already sent by (output started at C:\Documents and Settings\TCassels\Desktop\web\sendmail1.php:6) in C:\Documents and Settings\TCassels\Desktop\web\sendmail1.php on line 7

I had to change the name of sendmail.php to sendmail1.php because I already have that filename used. Any other ideas on how I can secure this script?

[brendandonhue]

Sounds like your host requires some kind of SMTP authentication. IMO the easiest way to secure it is to not put "From $email" into the headers. Or you could get fancy and use a regular expression to remove newlines and colons from $email before sending.

Edited by brendandonhue, 16 January 2006 - 09:16 PM.

[amunra]

As far as I know my host does not require authenication. I host my website on my own computer using abyss webserver x1 with php support.

[brendandonhue]

I see..might be some difference in configuration with your mail server then. I tried it on my host (netbunch.com) and the emails went through.

[Magosis]

at this point I belive it is a simple matter of port managment but i may be wrong I'm a developer not a sysadmin (well actualy I'm tech support ) but I do web development on the side

[ScHwErV]

Agreed, I tried your exploit on my web servers and it didnt work. It must be a flawed setup with your ISP.

That said, I will look at fixing the parts where the exploit may work and fix it in the tutorial (if that is ok with amunra) so that people without properly secured servers dont get in trouble with this tutorial.

ScHwErV

[amunra]

Shure go ahead, just pm me the changes so I know what I need to change to my other scripts(sometimes I am stupid and cant see the differences in posts ).

[brendandonhue]

There's more info on this kind of problem here: http://securephp.dam...Email_Injection
Seems like its not limited to certain insecure servers, I bet it can be exploited on most hosts.

Edited by brendandonhue, 18 January 2006 - 07:01 PM.

[wit_vivek]

nice description thanks take a look at this source too

http://bit.ly/gBqKsj