SECURITY plugins/function.contact_form.php

Posted: Wed Dec 07, 2005 10:19 pm
by Michael Best
The contact_form uses unvalidated user input in constructing its email message.  This of course allows for a well-known email header injection attack to send email with modified headers/recipients.
http://securephp.damonkohler.com/index. ... _Injection

Here is an old document which talks about the general problem, although I think this needs to be updated to accept all UTF-8 characters.
http://www.cert.org/tech_tips/cgi_metacharacters.html

The guys over at owasp have a php filter which doesn't quite do the job I think it should, but it's a good idea/beginning.
http://www.owasp.org/software/labs/phpfilters.html
Which is basically unchanged from:
http://pages.pgsit.org/2003/gzuchlinski ... nc.php.txt

I have patched my plugins/function.contact_form.php with this patch:

Code:

--- plugins/function.contact_form.php   2005-11-04 14:51:13.000000000 -0700
+++ plugins/function.contact_form.php   2005-12-07 14:58:57.000000000 -0700
@@ -37,6 +37,10 @@
        if (!empty($_POST['message'])) $message = trim($_POST['message']);
        
        if($_SERVER['REQUEST_METHOD']=='POST'){
+                $name = sanitize ($name);
+                $email = sanitize ($email);
+                $subject = sanitize ($subject);
+
                $extra = "From: $name <$email>\r\nReply-To: $email\r\n";
                echo '<div class="contactMessage"';
                echo ($style)?' style="font-weight: bold; color: red;"':'';
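Review bot: sanitize() is applied to $name, $email and $subject, but $email still goes into both From: and Reply-To: without any check that it is an address at all; once CR/LF are stripped, a value such as `"x" <a@b>, c@d` or one with leading whitespace still reaches the header line. Validate $email against an address pattern and reject the submission on failure rather than stripping, which also avoids the silently altered message that the author reports failing a later check. Minor: `sanitize ($name)` has a space before the parenthesis, unlike `trim($_POST['message'])` just above.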
@@ -111,4 +115,8 @@
        return true;
 }
 
+function sanitize($content) {
+         return str_replace(array("\r", "\n"), "", $content);
+}
+
 ?>
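Review bot: `sanitize` is a very generic global name for a helper added to a plugin file; if any other included file already defines a function called sanitize, PHP aborts with a redeclaration fatal error. Prefix it (e.g. `contact_form_sanitize`) or wrap the definition in `if (!function_exists('sanitize'))`, and add a one-line comment saying it exists to keep CR/LF out of the mail headers, since the bare str_replace does not say why those two characters are removed.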

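To make the attack and the fix concrete, here is an added example that is not code from the contact_form plugin or from anyone in this thread. It reproduces the original `$extra` header construction, feeds it a constructed payload with an embedded CR/LF, and then shows a hardened builder that rejects such input instead of stripping it, validates the address with a deliberately conservative regex (an assumption; `filter_var()` with `FILTER_VALIDATE_EMAIL` could replace it on PHP 5.2+), and uses a fixed site-local From address with the visitor's address only in Reply-To, which is the pattern roman's host requires. Function names, the payload and the `www@mydomain.com` placeholder are all assumptions for the example; nothing here calls `mail()`.

```php
<?php
// Added example, not code from the contact_form plugin or from this thread.
// Mirrors the original line:
//   $extra = "From: $name <$email>\r\nReply-To: $email\r\n";
// Headers are returned as strings so they can be inspected; mail() is never called.

function build_headers_vulnerable($name, $email) {
    return "From: $name <$email>\r\nReply-To: $email\r\n";
}

// Reject any value that could terminate or fold a header line.
// Rejecting (rather than str_replace-ing) keeps a tampered submission from
// being sent with silently altered contents.
function is_header_safe($value) {
    return preg_match('/[\r\n\0]/', $value) === 0;
}

// Conservative address check (assumption: this site does not need exotic
// RFC 5322 addresses). filter_var($email, FILTER_VALIDATE_EMAIL) is an
// alternative on PHP 5.2 and later.
function is_plausible_email($email) {
    return preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/', $email) === 1;
}

// Hardened builder: validates both fields, uses a fixed site-local From
// address (hypothetical placeholder, as roman's host requires) and puts the
// visitor's address only in Reply-To. Returns null when the input is unacceptable.
function build_headers_hardened($name, $email, $site_from = 'www@mydomain.com') {
    if (!is_header_safe($name) || !is_header_safe($email) || !is_plausible_email($email)) {
        return null;
    }
    // Quote the display name so <, > or " inside $name cannot alter the address part.
    $display = '"' . str_replace(array('\\', '"'), array('\\\\', '\\"'), $name) . '"';
    return "From: $display <$site_from>\r\nReply-To: $email\r\n";
}

// Constructed attacker input: a CR/LF inside the "email" field appends a Bcc:
// header and a blank line, so everything after it becomes the spam body.
$payload = "victim@example.com\r\nBcc: spam-target@example.net\r\n\r\nBuy now";

echo "--- vulnerable ---\n";
echo build_headers_vulnerable('Alice', $payload);      // Bcc: is now a real header

echo "--- hardened ---\n";
var_dump(build_headers_hardened('Alice', $payload));    // NULL: submission rejected
echo build_headers_hardened('Alice', 'alice@example.com');
echo build_headers_hardened('Mallory" <evil@example.net>', 'alice@example.com');
```

Run it with `php example.php`: the vulnerable output shows the injected `Bcc:` line sitting between `From:` and `Reply-To:`, while the hardened builder returns NULL for the same payload and, for the quoted-name case, keeps the display name inside quotes so the address stays the site's own.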
Re: SECURITY plugins/function.contact_form.php

Posted: Wed Dec 07, 2005 11:06 pm
by Michael Best
This approach is not quite working, but it's a first attempt.  I'll get back to you with something that is working.

Re: SECURITY plugins/function.contact_form.php

Posted: Thu Dec 08, 2005 12:02 am
by Michael Best
I just double checked that this solution was working, as I wasn't getting any error emails like I expected, but I think that the message fails one of the other internal checks after it's been sanitized and so it ends up not being sent.

Re: SECURITY plugins/function.contact_form.php

Posted: Thu Dec 08, 2005 2:40 am
by Ted
Thanks for this.  I'll apply it now and get it into the next release.

Re: SECURITY plugins/function.contact_form.php

Posted: Thu Jan 19, 2006 5:33 pm
by roman
Also, on one of my hosts I must use non-standard code for $extra:

Code:

$extra = "From: $name www@mydomain.com\r\nReply-To: $email\r\n";

It's an antispam feature.