Secure formmail?

software development

#1

Hi,
I’ve been using PHPMailer for several years with no problem. All of a sudden, this one site is a target for spammers. I just went through and added more code for security, and it looks like they are still getting past it. I’m not sure how.

Here’s the code I’m using for validation.

[code]function secured($val) {
    // strips tags, escapes shell metacharacters, then removes backslashes
    $val = strip_tags(trim($val));
    $val = escapeshellcmd($val);
    return stripslashes($val);
}

function is_valid_email($email) {
    // the pattern uses # as delimiter, so the literal # inside the class must be escaped
    return preg_match('#^[a-z0-9.!\#$%&\'*+-/=?^_`{|}~]+@([0-9.]+|([^\s]+.+[a-z]{2,6}))$#si', $email);
}

function contains_bad_str($str_to_test) {
    $bad_strings = array(
        "content-type:",
        "mime-version:",
        "multipart/mixed",
        "Content-Transfer-Encoding:",
        "bcc:",
        "cc:",
        "to:"
    );

    foreach ($bad_strings as $bad_string) {
        // eregi() was removed in PHP 7; a case-insensitive substring test does the same job
        if (stripos($str_to_test, $bad_string) !== false) {
            return "<font color=\"red\">$bad_string found. Suspected injection attempt - mail not being sent.</font>";
        }
    }
    return false;
}

function contains_newlines($str_to_test) {
    // strips CR and LF and returns the cleaned string rather than a boolean
    $matched_string = preg_replace("/(\n+|\r+)/i", "", $str_to_test);
    return $matched_string;
}[/code]

I’m not sure what else to do to make this bulletproof (or at least as much as I can, anyway).

Suggestions?

================================
Angela Gann
CrimsonDryad Web Design Services
Web Design, Custom Software Development
http://www.crimsondryad.com


#2

I’m not sure what you need help with. I understand you are saying the site is a target for spammers, but what do you mean by “getting around it”?

Do you mean they are able to exploit a vulnerability and have messages sent to addresses you’ve never heard of before, or do something else you didn’t intend it to do?

Or do you mean you are just getting messages that are spam?

There is a difference!

So far you have only posted code which mainly attempts to check strings in such a way to avoid being vulnerable to a security exploit.

And since you are not posting all your code or examples of the messages you are getting we’re pretty much in the dark as to how to help you.

:cool: [color=#6600CC]Atropos[/color] | openvein.org


#3

I’ve looked at the code for PHPMailer. It does not make any attempt to validate information passed to it.

I would try validating the information in functions, for example:

[code]$name = 'Atropos';
$address = 'atropos@localhost';
$subject = "This is a test\nof an exploit";

function ValidateSubject ($subject) {
    // checks subject for control characters (ASCII 0 through 31)
    // returns TRUE if none found, otherwise false

    // Check for string length
    if (strlen($subject) > 256) {
        return FALSE;
    }

    // Check for control characters.
    if (preg_match('/[\x00-\x1f]/', $subject) > 0) {
        return FALSE;
    }

    return TRUE;
}

// ValidateAddress() is not included in this post (see the note below the code);
// $mail is assumed to be an already configured PHPMailer instance.
if (ValidateAddress($address, $name) and ValidateSubject($subject)) {
    // code to use PHPMailer goes here
    $mail->Subject = $subject;
    $mail->From = $address;
    $mail->FromName = $name;
    print 'E-mail message has been sent.';
}
else {
    print 'E-mail message has not been sent.';
    print 'There were validation errors.';
}[/code]I wrote my ValidateAddress function based on code from Email Address Validation but mine also checks the name to make sure it doesn’t contain quote characters in addition to control characters in both strings.

:cool: [color=#6600CC]Atropos[/color] | openvein.org
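To show what the validation approach in post #3 looks like end to end (and as one answer to the "what else can I do" question in post #1), here is an added example that is not code from either poster or from PHPMailer. It implements a ValidateAddress in the shape Atropos describes (no quotes or control characters in the display name, control characters rejected in both strings, the address checked with PHP's built-in FILTER_VALIDATE_EMAIL), reuses the ValidateSubject logic, and reports which field failed so the rejection can be logged. The function and variable names, the length limits and the sample inputs are all constructed for this example.

```php
<?php
// Added example: strict validation of form fields that end up in mail headers.
// Assumes PHP 5.2 or later (filter_var). Names and limits are this example's own.

// TRUE if the value contains any control character (ASCII 0-31 or 127).
// A CR or LF inside a header value is what lets one form field turn into
// several headers, so these are rejected rather than stripped.
function has_control_chars($value) {
    return preg_match('/[\x00-\x1f\x7f]/', $value) === 1;
}

// Validates the sender address and display name together.
// The address must be syntactically valid and at most 254 octets; the
// display name may not contain quotes, angle brackets or control characters.
function ValidateAddress($address, $name) {
    if (strlen($address) > 254 || has_control_chars($address)) {
        return FALSE;
    }
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === FALSE) {
        return FALSE;
    }
    if (strlen($name) > 128 || has_control_chars($name)) {
        return FALSE;
    }
    if (preg_match('/["\'<>]/', $name) === 1) {
        return FALSE;
    }
    return TRUE;
}

// Same rule as post #3: a subject is a single line of at most 256 characters.
function ValidateSubject($subject) {
    return strlen($subject) <= 256 && !has_control_chars($subject);
}

// Returns the list of fields that failed (empty array when everything is fine),
// so the caller can log which field was rejected instead of echoing the input.
function validation_errors($address, $name, $subject) {
    $errors = array();
    if (!ValidateAddress($address, $name)) {
        $errors[] = 'address/name';
    }
    if (!ValidateSubject($subject)) {
        $errors[] = 'subject';
    }
    return $errors;
}

// Constructed sample submissions: one clean, one with the multi-line subject
// from post #3, one with a quote in the display name, one with a bad address.
$samples = array(
    array('atropos@example.org', 'Atropos', 'Hello'),
    array('atropos@example.org', 'Atropos', "This is a test\nof an exploit"),
    array('atropos@example.org', 'At"ropos', 'Hello'),
    array('not an address', 'Atropos', 'Hello'),
);

foreach ($samples as $sample) {
    list($address, $name, $subject) = $sample;
    $errors = validation_errors($address, $name, $subject);
    if ($errors) {
        // Log the rejection server-side; keeping a record of rejected fields is
        // what lets you tell injection attempts apart from ordinary spam.
        error_log('formmail rejected submission, failed fields: ' . implode(',', $errors));
        echo 'rejected (' . implode(', ', $errors) . ")\n";
    } else {
        // Only here would you hand $address, $name and $subject to PHPMailer.
        echo "accepted\n";
    }
}
```

The first sample is accepted and the other three are rejected, each naming the field that failed. Rejecting instead of cleaning is deliberate: a function that silently strips newlines still sends the message, so the log never shows that something was attempted, whereas a hard rejection plus a logged field name gives the site owner the evidence post #2 asks for.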