Secure PHP Mailer - 2005/11/29 00:53

We have noticed some exploitation recently of people's email scripts. Email injection is on the rise with scripts using the PHP mail() function improperly. Therefore, to assist you in securing your scripts, I have put together this small script/tutorial. Hope it helps shed a little light on how spammers are able to exploit and how to keep them from it.

The following is the code for my simple but effective script. The full pdf script and the HTML input file are attached.

<?php
// Check each of the parameters passed in via POST for
// someone trying to modify the headers.
foreach ($_POST as $j => $value) {
    if (is_string($value) && stristr($value, "Content-Type")) {
        header("HTTP/1.0 403 Forbidden");
        echo "YOU HAVE BEEN BANNED FOR BEING A SPAMMER!";
        exit;
    }
}

// Check each of the parameters passed in via GET for
// someone trying to modify the headers. Only needed for
// the rare occasion that GET is being used. It shouldn't be!
foreach ($_GET as $j => $value) {
    if (is_string($value) && stristr($value, "Content-Type")) {
        header("HTTP/1.0 403 Forbidden");
        echo "YOU HAVE BEEN BANNED FOR BEING A SPAMMER!";
        exit;
    }
}

// Set the MIME version and content type for the email. The last
// part \r\n\r\n is the most important because it tells the PHP
// mail function that the headers have ended and it will not allow
// any further headers to be defined or exploited.
// (Newer PHP releases refuse a blank line inside additional_headers and
// make mail() return false; on those, end the string with a single \r\n.)
$headers  = "MIME-Version: 1.0\r\n";
$headers .= "Content-type: text/html; charset=iso-8859-1\r\n\r\n";

// Check to make sure nobody is trying to force info into the email
// address field. There is no reason for the \r or \n escape characters
// to be present here. If they are someone is attempting an exploit.
$fromemail = $_POST['email'] ?? '';
if (preg_match('/[\r\n]/', $fromemail)) {
    die("YOU HAVE BEEN BANNED FOR BEING A SPAMMER!");
}

// Hard code your email address. That keeps them from having the field
// to try to exploit. Besides that it hides your email from harvesters.
$recipient = "user@hosteddomain.com"; // Your email address hardcoded

// Accept the following fields from the POST. Subject could be defined
// here if you wanted it to be.
$message  = $_POST['message'] ?? '';
$subject  = $_POST['subject'] ?? '';
$redirect = $_POST['redirect'] ?? '';

// Now let's send some mail
if (mail($recipient, $subject, $message, "From: $fromemail\r\n$headers")) {
    // Mail sent successfully!
    // Only follow a redirect to a local path; passing a user-supplied
    // absolute URL to Location would make this an open redirect.
    if ($redirect !== '' && preg_match('#^/(?!/)#', $redirect)) {
        header("Location: $redirect");
    } else {
        echo "Mail sent successfully.";
    }
} else {
    // Mail failed successfully!
    echo "Ooops! Mail send failed!";
}

Posted by WilHatfield, 2005/11/29 00:53
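The script above illustrates the core idea: a line break in a value that lands in a mail header lets the sender add headers of their own. As an added example (not the forum post's code, and not part of the attached script), the following PHP validator takes that idea a step further: it rejects CR/LF in every value that ends up in a header (From and Subject), validates the address with PHP's built-in FILTER_VALIDATE_EMAIL, treats line breaks in the body as harmless (the body sits after the blank line, so it cannot add headers), and restricts the post-send redirect to a site-local path. The function names and the two sample submissions are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not the forum post's code. Hardened validation for the
// contact-form mailer discussed above. Function names and sample inputs
// are constructed for illustration.

// True if $value could start a new header line: raw CR/LF, or the
// URL-encoded forms that sometimes survive a sloppy decode step.
function hasHeaderInjection(string $value): bool
{
    return (bool) preg_match('/[\r\n]|%0[aAdD]/', $value);
}

// Validate the submitted form. Returns ['ok' => bool, 'errors' => string[], 'fields' => array].
function validateContactForm(array $post): array
{
    $errors = [];

    // Values that end up inside mail headers: From and Subject.
    foreach (['email', 'subject'] as $field) {
        $value = trim((string) ($post[$field] ?? ''));
        if ($value === '') {
            $errors[] = "$field is required";
        } elseif (hasHeaderInjection($value)) {
            $errors[] = "$field contains a line break";
        }
    }

    $email = trim((string) ($post['email'] ?? ''));
    if ($email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }

    // The body comes after the header/body blank line, so line breaks in it
    // cannot inject headers; it only has to be non-empty.
    $message = (string) ($post['message'] ?? '');
    if (trim($message) === '') {
        $errors[] = 'message is required';
    }

    // The redirect goes into a Location header, so it is validated too:
    // a single leading "/", no scheme, no protocol-relative "//", no line breaks.
    $redirect = (string) ($post['redirect'] ?? '');
    if ($redirect !== '' && !preg_match('#^/(?!/)[^\r\n]*\z#', $redirect)) {
        $errors[] = 'redirect must be a local path';
    }

    return [
        'ok'     => $errors === [],
        'errors' => $errors,
        'fields' => [
            'email'    => $email,
            'subject'  => trim((string) ($post['subject'] ?? '')),
            'message'  => $message,
            'redirect' => $redirect,
        ],
    ];
}

// Build the additional_headers string for mail(). Every header line ends
// with CRLF; mail() itself inserts the blank line before the body.
function buildHeaders(string $fromEmail): string
{
    return "From: $fromEmail\r\n"
         . "Reply-To: $fromEmail\r\n"
         . "MIME-Version: 1.0\r\n"
         . "Content-Type: text/plain; charset=UTF-8\r\n";
}

// Constructed submissions: one benign, one carrying a CRLF in the address
// field and an off-site redirect.
$benign = [
    'email'    => 'alice@example.com',
    'subject'  => 'Hello',
    'message'  => "Line one\nLine two",
    'redirect' => '/thanks.html',
];
$injected = [
    'email'    => "alice@example.com\r\nBcc: someone@example.net",
    'subject'  => 'Hello',
    'message'  => 'x',
    'redirect' => 'http://example.net/',
];

foreach (['benign' => $benign, 'injected' => $injected] as $name => $post) {
    $result = validateContactForm($post);
    echo $name, ': ', $result['ok']
        ? 'accepted'
        : 'rejected (' . implode('; ', $result['errors']) . ')', PHP_EOL;
}
```

Running it prints `benign: accepted` and a rejection line for the second submission listing the line break, the invalid address and the non-local redirect. Only the `fields` array of an accepted result should reach mail(); the recipient stays hard-coded, as in the post.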

Contents Copyright 2001-2005 HyperConX International, LLC - All rights reserved