http://securephp.damonkohler.com/index. ... _Injection
Here is an old document which talks about the general problem, although I think this needs to be updated to accept all UTF-8 characters.
http://www.cert.org/tech_tips/cgi_metacharacters.html
The guys over at OWASP have a PHP filter which doesn't quite do the job I think it should, but it's a good idea/beginning.
http://www.owasp.org/software/labs/phpfilters.html
Which is basically unchanged from:
http://pages.pgsit.org/2003/gzuchlinski ... nc.php.txt
I have patched my plugins/function.contact_form.php with this patch:
--- plugins/function.contact_form.php 2005-11-04 14:51:13.000000000 -0700
+++ plugins/function.contact_form.php 2005-12-07 14:58:57.000000000 -0700
@@ -37,6 +37,10 @@
if (!empty($_POST['message'])) $message = trim($_POST['message']);
if($_SERVER['REQUEST_METHOD']=='POST'){
+ $name = sanitize ($name);
+ $email = sanitize ($email);
+ $subject = sanitize ($subject);
+
$extra = "From: $name <$email>\r\nReply-To: $email\r\n";
echo '<div class="contactMessage"';
echo ($style)?' style="font-weight: bold; color: red;"':'';
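Review bot: stripping CR and LF from $name and $email before they are interpolated into `$extra = "From: $name <$email>\r\nReply-To: $email\r\n";` closes the line-injection path, but $name can still contain `<`, `>` or `"` and $email can still be any string, so a malformed From/Reply-To header can still be produced; prefer validating $email against an address pattern and restricting $name to a safe character set, and reject the request (skip sending, show an error) rather than silently cleaning the fields, so a tampering attempt is visible instead of being turned into a garbled but deliverable header.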
@@ -111,4 +115,8 @@
return true;
}
+function sanitize($content) {
+ return str_replace(array("\r", "\n"), "", $content);
+}
+
?>
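Review bot: sanitize() is declared as a global function with a very generic name, and PHP functions share a single global namespace, so any other plugin or the host application defining its own sanitize() will produce a fatal redeclaration error; give it a plugin-specific name such as contact_form_sanitize(). The body only removes bare "\r" and "\n", which is enough to stop CRLF injection into the headers passed to mail(), but consider having it signal that the input contained them (for example by returning false) so the caller can refuse to send instead of quietly repairing the value.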
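To make the problem and the two possible responses concrete, here is an added example that is not code from the original post or from the contact_form plugin. It builds the same From/Reply-To header block the plugin does from a constructed malicious "email" field, applies the strip-CR/LF approach of the patch (sanitize() here has the same body as in the patch), and then shows a stricter validate-and-reject alternative. The function names build_headers_unsafe, build_headers_stripped, build_headers_validated, valid_email, valid_name and smuggled_headers are all my own, as is the $post array standing in for $_POST; mail() is never called.

```php
<?php
// Added example, not the plugin's code. Demonstrates e-mail header injection
// through a contact form and two ways of dealing with it. Nothing is sent.

// Constructed attacker input: the "email" field smuggles a Bcc header and a
// second body through CR/LF. PHP has already URL-decoded $_POST at this point,
// so %0d%0a in the request arrives here as real "\r\n" bytes.
$post = array(
    'name'    => 'Alice',
    'email'   => "alice@example.com\r\nBcc: victim@example.net\r\n\r\nspam body",
    'subject' => 'Hello',
);

// Unpatched construction: the raw fields land directly in the header block.
function build_headers_unsafe($name, $email) {
    return "From: $name <$email>\r\nReply-To: $email\r\n";
}

// The patch's approach: drop bare CR and LF so no new header line can begin.
function sanitize($content) {
    return str_replace(array("\r", "\n"), "", $content);
}

function build_headers_stripped($name, $email) {
    $name  = sanitize($name);
    $email = sanitize($email);
    return "From: $name <$email>\r\nReply-To: $email\r\n";
}

// Stricter alternative (assumed, not from the patch): validate instead of strip.
// \A and \z anchor the whole string; a plain $ would still match before a
// trailing newline, which is exactly the character we want to refuse.
function valid_email($email) {
    return (bool) preg_match('/\A[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/', $email);
}

function valid_name($name) {
    // Letters, digits, spaces and a little punctuation; no <, >, ", CR or LF,
    // so the name can neither close the angle-bracket form nor start a header.
    return (bool) preg_match('/\A[A-Za-z0-9 .,\'-]{1,64}\z/', $name);
}

function build_headers_validated($name, $email) {
    if (!valid_email($email) || !valid_name($name)) {
        return false;   // caller should refuse to send and show an error
    }
    return "From: $name <$email>\r\nReply-To: $email\r\n";
}

// Lists header names in the block other than the two the form is supposed to
// set; anything returned here was injected by the sender.
function smuggled_headers($headers) {
    $found = array();
    foreach (explode("\r\n", $headers) as $line) {
        if (preg_match('/\A([A-Za-z-]+):/', $line, $m)
                && !in_array($m[1], array('From', 'Reply-To'))) {
            $found[] = $m[1];
        }
    }
    return $found;
}

$unsafe   = build_headers_unsafe($post['name'], $post['email']);
$stripped = build_headers_stripped($post['name'], $post['email']);
$checked  = build_headers_validated($post['name'], $post['email']);

printf("unsafe:    injected headers = [%s]\n", implode(', ', smuggled_headers($unsafe)));
printf("stripped:  injected headers = [%s]\n", implode(', ', smuggled_headers($stripped)));
printf("validated: %s\n", $checked === false ? 'rejected' : 'accepted');
```

Run as a plain PHP script. The unsafe variant hands mail() a header block containing the attacker's Bcc line (twice, since $email is interpolated twice); the stripped variant contains no extra header lines but the address is now "alice@example.comBcc: victim@example.netspam body", which will not deliver anywhere useful; the validated variant refuses the submission outright. The same check belongs on $subject, because mail()'s subject argument also becomes a header line.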