PHP email script



#16
brendandonhue

  • Member
  • 180 posts

But he is using a post method not a get method for the form. OK, I see, because he is using the $_REQUEST tag is the issue, try using $_POST

Whoops, didn't see your edit. Switching from $_REQUEST to $_POST won't fix the injection issue. It just makes it slightly harder to exploit (meaning you might need to use telnet to exploit it instead of a web browser.)
  • 0


#17
amunra

  • Topic Starter
  • Member
  • 112 posts

Ok, so you've got this script at http://mysite.com/sendmail.php
Enter this in your browser's address bar, and there you go

http://www.mysite.com/sendmail.php?email=sender@hotmail.com%0aTo:%20recipient@gmail.com&message=Exploited

That inserts a To: header, adding another recipient to the email.

I tried it and this is the response I got from the browser:
Warning: mail(): SMTP server response: 550 <address@someplace.com>, Recipient unknown in C:\Documents and Settings\TCassels\Desktop\web\sendmail1.php on line 6

Warning: Cannot modify header information - headers already sent by (output started at C:\Documents and Settings\TCassels\Desktop\web\sendmail1.php:6) in C:\Documents and Settings\TCassels\Desktop\web\sendmail1.php on line 7
I had to change the name of sendmail.php to sendmail1.php because I already have that filename used. Any other ideas on how I can secure this script?
  • 0

#18
brendandonhue

  • Member
  • 180 posts
Sounds like your host requires some kind of SMTP authentication. IMO the easiest way to secure it is to not put "From $email" into the headers. Or you could get fancy and use a regular expression to remove newlines and colons from $email before sending.

Edited by brendandonhue, 16 January 2006 - 09:16 PM.

  • 0
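
Added example (not part of any post in this thread, and not the tutorial's own script): one way to apply the suggestion in post #18. Instead of stripping newlines and colons, it rejects any address containing a line break and validates the rest with PHP's `filter_var`; the field names `email` and `message` come from the URL quoted above, while the function names, recipient address and subject are assumptions.

```php
<?php
// Added example. The recipient address and subject are placeholders.

/**
 * Return an address that is safe to place in a From: header,
 * or null if the input must be rejected.
 */
function safe_from_address(string $raw): ?string
{
    // A CR or LF (what %0d / %0a decode to) would start a new header line,
    // which is how the extra To: header in the thread gets injected.
    if (preg_match('/[\r\n]/', $raw)) {
        return null;
    }
    // Remaining input must be a single syntactically valid address.
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

function send_contact_mail(array $post): bool
{
    $from = safe_from_address((string)($post['email'] ?? ''));
    if ($from === null) {
        return false; // reject rather than try to repair hostile input
    }
    // The message goes in the body, not the headers, so line breaks are fine there.
    $message = (string)($post['message'] ?? '');
    $headers = 'From: ' . $from;
    return mail('webmaster@example.com', 'Contact form', $message, $headers);
}

// Constructed inputs: a normal address, and the value from the thread's URL
// after the web server has URL-decoded it.
$samples = [
    'sender@hotmail.com',
    "sender@hotmail.com\nTo: recipient@gmail.com",
];
foreach ($samples as $sample) {
    var_dump(safe_from_address($sample));
}
```

Calling `send_contact_mail($_POST)` from the form handler keeps user input out of the headers unless it has passed both checks.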

#19
amunra

  • Topic Starter
  • Member
  • 112 posts
As far as I know my host does not require authentication. I host my website on my own computer using abyss webserver x1 with php support.
  • 0

#20
brendandonhue

  • Member
  • 180 posts
I see..might be some difference in configuration with your mail server then. I tried it on my host (netbunch.com) and the emails went through.
  • 0

#21
Magosis

  • Retired Staff
  • 190 posts
At this point I believe it is a simple matter of port management, but I may be wrong. I'm a developer, not a sysadmin (well, actually I'm tech support :tazz: ), but I do web development on the side.
  • 0

#22
ScHwErV

    Member 5k

  • Retired Staff
  • 21,285 posts
  • MVP
Agreed, I tried your exploit on my web servers and it didn't work. It must be a flawed setup with your ISP.

That said, I will look at fixing the parts where the exploit may work and fix it in the tutorial (if that is ok with amunra) so that people without properly secured servers don't get in trouble with this tutorial.

ScHwErV :tazz:
  • 0

#23
amunra

  • Topic Starter
  • Member
  • 112 posts
Sure, go ahead, just pm me the changes so I know what I need to change to my other scripts (sometimes I am stupid and can't see the differences in posts :tazz: ).
  • 0

#24
brendandonhue

  • Member
  • 180 posts
There's more info on this kind of problem here: http://securephp.dam...Email_Injection
Seems like it's not limited to certain insecure servers, I bet it can be exploited on most hosts.

Edited by brendandonhue, 18 January 2006 - 07:01 PM.

  • 0

#25
wit_vivek

  • New Member
  • Member
  • 1 posts
nice description thanks take a look at this source too

http://bit.ly/gBqKsj
  • 0
