
How to prevent attacks - Verification procedure in email forms



mypointofview
09-11-2005, 07:21 AM
Hi all, I'd like to continue the discussion about a very interesting snippet of php code, posted by MCDOUGALS4ALL here. (http://www.codingforums.com/showthread.php?t=67546#post352810)

His code prevents malicious email injection :cool:

I'm currently using an email form that verifies the correct email address, however with JavaScript. So, no matter what "bad stuff" I'd enter into the email field (like "BCC"), the JavaScript pops up a window requesting that I write a "correct" email address.

The only way to really see the php based email injection filter working in action was for me to disable my JavaScript.

So -- now I'm wondering -- wasn't my JavaScript verification procedure good enough? I mean, can it be hacked perhaps? (since it can be seen in the source of my html) :rolleyes:


<script language="JavaScript" type="text/javascript">

function check(form) {
    if (form.visitorName.value == "") {
        alert("Please enter your name.");
        form.visitorName.focus();
        return false;
    }
    else if (form.visitorPhone.value == "") {
        alert("Please enter your phone number.");
        form.visitorPhone.focus();
        return false;
    }
    else if (form.visitorEmail.value == "") {
        alert("Please enter your email.");
        form.visitorEmail.focus();
        return false;
    }
    else if (!(/^\w+([\.-]?\w+)*@\w+([\.-]?\w+)*(\.\w{2,3})+$/.test(form.visitorEmail.value))) {
        alert("Please enter a valid email address.");
        form.visitorEmail.focus();
        return false;
    }
    else if (form.comments.value == "") {
        alert("Please enter a comment/question.");
        form.comments.focus();
        return false;
    }
    else {
        return true;
    }
}

</script>

<form method="post" onSubmit="return check(this);">

[...]

</form>


Martin

missing-score
09-11-2005, 10:57 AM
Not so much that it didn't do the job, but the fact is, JavaScript can be disabled, and if that happened you have no authentication. I make it a rule to use JS for "friendly" notifications (if at all), but all the serious checking should be done server side.

cyphix
09-12-2005, 11:08 PM
Well, I tried modifying that function so it would also not allow spaces in between the headers, such as "content - type, content- type, content - type" etc., but it always seems to return as an error; I'm still a relative n00b to regular expressions, so maybe I screwed up somewhere.



function email_injection_filter($formInput)
{
    $injectionStrings = array("apparently-to",
        "bcc",
        "boundary=",
        "charset",
        "content-disposition",
        "content-type",
        "content-transfer-encoding",
        "errors-to",
        "in-reply-to",
        "message-id",
        "mime-version",
        "multipart/mixed",
        "multipart/alternative",
        "multipart/related",
        "reply-to",
        "x-mailer",
        "x-sender",
        "x-uidl"
    );
    foreach ($injectionStrings as $spam)
    {
        $pos = strpos(strtolower($formInput), $spam);
        if ($pos !== false)
        {
            error_log('...'); // log message elided in the original post
            exit("<html><title>Fatal Error</title><body><p>We're sorry, your message could not be processed due to a fatal error.</p></body></html>");
        }
    }
    // New Section starts here: also catch the header names written with
    // spaces around the '-' or '/' (e.g. "content - type").
    foreach ($injectionStrings as $spam) {
        if (strpos($spam, '-') !== false) {
            $parts = explode('-', $spam);
            $pcount = count($parts);
            $acheck = $pcount - 1;
            $i = 0;
            // The pattern must start empty for every entry; without this reset
            // the patterns of all previous entries were concatenated together.
            $string = '';
            foreach ($parts as $part) {
                if ($i == 0) {
                    $string .= '/' . $part . ' *\- *';
                } elseif ($i == $acheck) {
                    $string .= $part . '/';
                } else {
                    $string .= $part . ' *\- *';
                }
                $i++;
            }
            // preg_match() returns 0 (not false) when nothing matches, so the
            // original "!== false" test was true for every input.
            if (preg_match($string, strtolower($formInput)) === 1) {
                error_log('...'); // log message elided in the original post
                exit("<html><title>Fatal Error</title><body><p>We're sorry, your message could not be processed due to a fatal error.</p></body></html>");
            }
        } elseif (strpos($spam, '/') !== false) {
            $parts = explode('/', $spam);
            $pcount = count($parts);
            $acheck = $pcount - 1;
            $i = 0;
            $string = '';
            foreach ($parts as $part) {
                if ($i == 0) {
                    $string .= '/' . $part . ' *\/ *';
                } elseif ($i == $acheck) {
                    $string .= $part . '/';
                } else {
                    $string .= $part . ' *\/ *';
                }
                $i++;
            }
            if (preg_match($string, strtolower($formInput)) === 1) {
                error_log('...'); // log message elided in the original post
                exit("<html><title>Fatal Error</title><body><p>We're sorry, your message could not be processed due to a fatal error.</p></body></html>");
            }
        }
    }
}

CrzySdrs
09-12-2005, 11:12 PM
This is the function I threw together from RegExLib for some server side checking on emails. Haven't had a problem with it yet.



function is_email($email)
{
    if (preg_match("#^(([A-Za-z0-9]+_+)|([A-Za-z0-9]+\-+)|([A-Za-z0-9]+\.+)|([A-Za-z0-9]+\++))*[A-Za-z0-9]+@((\w+\-+)|(\w+\.))*\w{1,63}\.[a-zA-Z]{2,6}$#", $email)) {
        return true;
    }
    else
    {
        return false;
    }
}


EDIT: I guess I totally misread this thread; I thought you were trying to stop people from throwing in extra headers in the email. Although with a bit of work you could make a regex function that quickly parses a message for flagged items. Plus you should still use this function for server-side checking of email addresses in case people bypass your JavaScript checking.

CrzySdrs
09-12-2005, 11:57 PM
I figure this solution is a little more elegant to checking for injections.



function CheckInjection($text)
{
    if (preg_match('#(apparently\s*-\s*to)|(bcc)|(boundary)|(charset)|(content\s*-\s*disposition)|(content\s*-\s*type)|(content\s*-\s*transfer\s*-\s*encoding)|(errors\s*-\s*to)|(in\s*-\s*reply\s*-\s*to)|(message\s*-\s*id)|(mime\s*-\s*version)|(multipart\s*/\s*mixed)|(multipart\s*/\s*alternative)|(multipart\s*/\s*related)|(reply\s*-\s*to)|(x\s*-\s*mailer)|(x\s*-\s*sender)|(x\s*-\s*uidl)#is', $text))
    {
        return true;
    }
    else
    {
        return false;
    }
}


May want to try and play around with it before putting it into production though, since I just threw it together now; I know my way around regexes pretty well. This will check for whitespace around the "-"s and "/"s like your function. I admit I don't know much about the syntax of email headers, so if there is something I am missing, I could probably modify it.
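An added example (not code from any post in this thread) of the server-side checking missing-score recommends, applied to the field names from Martin's check() form: required-field and address checks plus a header-injection check that does not depend on a keyword list like CheckInjection() above. It assumes the form field names from the JavaScript; filter_var() is standard PHP, swapped in for the regexes posted here.

```php
<?php
// Added example, not from any post in this thread. Field names are assumed
// from the check() form above: visitorName, visitorPhone, visitorEmail, comments.

// Mail header lines are terminated by CR/LF, so a value that is placed in a
// header (name, phone, address) must never contain either character. This
// catches the injection case structurally instead of guessing header names.
function is_single_line($value)
{
    return strpbrk($value, "\r\n") === false;
}

// Returns field => error message; an empty array means the input is acceptable.
// No die()/exit(): the caller can re-display the form with the messages.
function validate_contact_form(array $in)
{
    $errors = array();
    foreach (array('visitorName', 'visitorPhone', 'visitorEmail', 'comments') as $f) {
        if (!isset($in[$f]) || trim($in[$f]) === '') {
            $errors[$f] = 'This field is required.';
        }
    }
    // Only values that end up in headers need the single-line rule; the
    // comments field goes in the message body, where line breaks are normal.
    foreach (array('visitorName', 'visitorPhone', 'visitorEmail') as $f) {
        if (isset($in[$f]) && !is_single_line($in[$f])) {
            $errors[$f] = 'Line breaks are not allowed here.';
        }
    }
    if (empty($errors['visitorEmail'])
        && filter_var($in['visitorEmail'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['visitorEmail'] = 'Please enter a valid email address.';
    }
    return $errors;
}

// Constructed sample submissions, not real form data.
$legit = array(
    'visitorName'  => 'Jo Smith',
    'visitorPhone' => '555-0100',
    'visitorEmail' => 'jo@example.com',
    'comments'     => 'Which charset does your site use?',
);
$injected = $legit;
// A second header line smuggled into the address field (placeholder value).
$injected['visitorEmail'] = "jo@example.com\r\nBcc: [placeholder]";

var_dump(validate_contact_form($legit));
var_dump(validate_contact_form($injected));
```

Note that CheckInjection() above would reject the first, legitimate message because of the word "charset" in the comments, while the structural check here rejects only the second one, on the visitorEmail field.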

mindlessLemming
09-25-2005, 09:24 AM
A couple of the small sites I maintain have suffered email injection attacks recently, so I've thrown together an all-in-one solution with the aim of making it as painless as possible for the developer and still informative to the user [i.e. no die() calls].

Suggestions for optimization are very welcome, as this is something I've just thrown together on a Sunday afternoon with a little bit of help in the way of the above regexps :)

Simple Safe Contact form demo (http://leftjustified.net/lab/simple-safe-php-email/)


Source (http://leftjustified.net/lab/simple-safe-php-email/email.phps)


