current community

your communities

more stack exchange communities

Stack Exchange
tour help
Take the 2-minute tour ×
Code Review Stack Exchange is a question and answer site for peer programmer code reviews. It's 100% free, no registration required.
up vote 10 down vote favorite
3

I'm nowhere near a PHP expert, but I have dabbled a bit. I can make things work just fine, but I am terrible at figuring out what is wrong. I was informed by our server admin that we have a mail script that is being abused, and I am unsure of how to remedy the issue.

I am looking for help to see how someone is using this form to send out spam mail. The issue is that we got a bounce-back email sent from an address that doesn't exist to a hotmail address using this form. As far as I know, this form ONLY sends email to the $recipient which is neither this non-existent email or this Hotmail. I am trying to figure out a way to secure this form so that individuals cannot abuse this form and send mail to others through it.

<?php
$name = check_input($_POST['name'],"Enter your name.");
$email = check_input($_POST['email'],"Email address is required.");
$company = check_input($_POST['company']);
$phone = check_input($_POST['phone']);
$message = check_input($_POST['message'],"Please don't send us a blank message! Let us know what you're thinking.");

if (!preg_match("/([\w\-]+\@[\w\-]+.[\w\-]+)/",$email))
{
    show_error("E-mail address is not valid.");
}

$messageBody ="Hello!

Your contact form has been submitted by:

Name: $name
E-mail: $email
Company: $company
Phone: $phone

Message:
$message

End of message
";

$recipient = "[email protected]"; // removed real email for SE
$subject = "[Contact Form - Site Name]"; // removed site name for SE

$mailheaders = "From: [email protected]\n"; // removed real email for SE
$mailheaders .= "Reply-To:". $_POST['email']."\n\n";

mail($recipient, $subject, $messageBody, $mailheaders);

header('Location: http://www.example.com/contact/thankyou.html'); //removed real address for SE
exit();

function check_input($data, $problem='')
{
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    if ($problem && strlen($data) == 0)
    {
        show_error($problem);
    }
    return $data;
}

function show_error($mailError)
{
?>
// error message in here, removed for SE as unrelated to problem
<?php
exit();
}
?>

This is the message my server admin sent me:

-----Original Message-----
From: [email protected]
[mailto:[email protected]]
Sent: Monday, August 04, 2014 2:47 PM
To: [email protected]
Subject: failure notice

Hi. This is the qmail-send program at ss2.site-hosts.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<[email protected]>:
65.55.37.104 does not like recipient.
Remote host said: 550 Requested action not taken: mailbox unavailable Giving up on 65.55.37.104.

--- Below this line is a copy of the message.

Return-Path: <[email protected]>
Received: (qmail 6348 invoked by uid 2523); 4 Aug 2014 14:47:01 -0500
X-Qmail-Scanner-Diagnostics: from
199.192.201.219.rdns.continuumdatacenters.com by ss2.site-hosts.com (envelope-from <[email protected]>, uid 2020) with qmail-scanner-2.10st
 (clamdscan: 0.98.4/19261. mhr: 1.0. spamassassin: 3.3.2. perlscan:
2.10st.  
 Clear:RC:1(199.192.201.219):. 
 Processed in 0.024127 secs); 04 Aug 2014 19:47:01 -0000
Received: from 199.192.201.219.rdns.continuumdatacenters.com (HELO
ssasi.site-hosts.com) (199.192.201.219)
  by ss2.site-hosts.com with ESMTPA; 4 Aug 2014 14:47:01 -0500
Received: (qmail 15903 invoked by uid 10024); 4 Aug 2014 14:47:00 -0500
X-Qmail-Scanner-Diagnostics: from  by ssasi.site-hosts.com (envelope-from <[email protected]>, uid 48) with qmail-scanner-2.10st
 (clamdscan: 0.98.4/19261. mhr: 1.0. spamassassin: 3.3.2. perlscan:
2.10st.  
 Clear:RC:1(127.0.0.1):. 
 Processed in 0.013521 secs); 04 Aug 2014 19:47:00 -0000
Date: 4 Aug 2014 14:47:00 -0500
Message-ID: <[email protected]>
From: [email protected]
To: [email protected]
Subject: 
X-PHP-Originating-Script: 10021:vnbMail.php
share|improve this question
8  
Welcome to Code Review, and thanks for your patience. Community members have decided that it's a fine question. –  200_success 21 hours ago

4 Answers 4

up vote 15 down vote accepted

I'm not a php expert, but from reading up on the documentation it appears that it may be possible to insert additional from/to addresses using the "Additional Headers" field on the mail() function.

Since you're using a regular string concatenation to insert your POST variable into your additional headers field, that is very well possibly the vector for attack. The example in the php mail() documentation demonstrates this.

<?php
$to      = '[email protected]';
$subject = 'the subject';
$message = 'hello';
$headers = 'From: [email protected]' . "\r\n" .
    'Reply-To: [email protected]' . "\r\n" .
    'X-Mailer: PHP/' . phpversion();

mail($to, $subject, $message, $headers);
?>
share|improve this answer
up vote 15 down vote

Your script is vulnerable to a header-splitting attack. Due to the poor design of PHP's mail() function, it is actually quite easy to introduce that kind of security hole.

In summary, if…

  • any part of the mail headers consists of user-supplied input,
  • and you didn't make any effort to prohibit newlines or escape that input,

then you will have a program that can send mail to any recipient of the attacker's choice.

share|improve this answer
up vote 4 down vote 
$mailheaders .= "Reply-To:". $_POST['email']."\n\n";

That's it, right there. Unsanitized user content straight into the mail header.

Add the following, early on:

# only one address allowed
if( 1 != preg_match_all("/@/", $_POST['email'], $unused) ) die();
# and no funny characters either
if( preg_match("/[^a-z0-9@._-]/", strtolower($_POST['email']) ) die();
share|improve this answer
2  
According to RFC822, the following characters are all also legal in e-mail addresses, even without quoting: !#$%&'*+/=?^`{|}~ –  200_success 15 hours ago
    
And when was the last time you saw a legit email containing any of those characters? –  paul 12 hours ago
8  
I regularly use + in e-mail addresses, as in the suggested usage in GMail. You shouldn't violate standards just because you like to. –  200_success 12 hours ago
    
# are probably used by Twitter posting E-mails??? I don't use twitter so I don't know. –  Malachi 2 hours ago
up vote 2 down vote

Never, EVER directly use a $_GET or $_POST variable without checking its content first. Instead of:

$mailheaders .= "Reply-To:". $_POST['email']."\n\n";

You should write a function like:

function secure_input($s){
  return sanitized_user_input_that_is_exactly_what_you_expect_and_nothing_else;
}

and then do

$mailheaders .= "Reply-To:". secure_input($_POST['email'])."\n\n";

on all $_GET and $_POST. Even cookies you might want to check, since they also come from user.

share|improve this answer
    
Using the built-in function filter_input() is a great idea too. $email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL); –  Sonny 1 hour ago
    
"since they also come from user." And they can be trivially modified. =) –  Kenneth Posey 21 mins ago

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.