Re: My contact form is not emailed to me [message #173631 is a reply to message #173629] Thu, 21 April 2011 10:29
Jerry Stuckle
On 4/21/2011 4:04 AM, P E Schoen wrote:
> "Jerry Stuckle" wrote in message news:ioo965$qfj$1(at)dont-email(dot)me...
>
>> Subject does not require an "authorized name". It can easily be
>> used for injection.
>
> Here is how I perform the authentication of the name and email, and the
> password:
>
> if ( !array_key_exists( strtolower( $in['Full_Name'] ), $Passcodes ) )
> { HTMLdie("Incorrect Full Name " . htmlspecialchars($in['Full_Name']),
> "Authentication failed\n"); }
> if ( !($Passcodes[ strtolower( $in['Full_Name'] ) ] ==
> (strtolower($in['Email']) ) ) )
> { HTMLdie("Incorrect Email " . $in['Email'], "Authentication failed\n");}
> if ( !($in['Reference'] == "My Secret Password") ){
> HTMLdie("Incorrect Entry", "Authentication failed\n"); }
>
>> Hackers often look for sites like yours they can use to spread their
>> spam - because they are typically the least secure due to attitudes
>> like yours.
>
> What attitude? I'm just asking specifically how my site is not (at least
> reasonably) secure.
>
>> As I said - your subject line is still open to hacking.
>
> I understand that may be the case if the user is permitted to enter
> anything for the subject line. But that is not the case. My subject line
> is formed as follows:
>
> $subject = "Form data from {$in['Full_Name']}";
>

So you're saying your subject can only be one of a few names from a
list? What if I want to send an email with the subject "Party for Jean
on Friday"? So they can't easily find the email in their list of saved
emails?

It would mean your subject line can't be hacked - but how
user-unfriendly can you get?

> I really don't see how anything malicious can be added to that. The
> $in['Full_Name'] variable has been authenticated, and it cannot be
> anything other than the hard coded keys of the $Passcodes array. I'm
> trying to understand this, and if you could explain how this can be
> hacked it will be very helpful to me and possibly others. Otherwise I
> think you are just making some general assumptions or trying to scare me
> and other beginners away from writing PHP scripts, and possibly paying
> for your services or those of other professionals.
>
>> Others have tried to point you in the right direction, but you seem
>> to be uninterested in learning the necessary skills to create a
>> secure website.
>
> I am trying to learn those techniques, but without an explanation for
> how my script can be hacked, I don't know how to proceed.
>

I and others have tried to steer you in the right direction, but rather
than try to learn and understand, you just argue and make excuses ("it's
a small site", "only a few people will use it", etc.).

>> And it really isn't that hard for hackers to guess userids and
>> passwords - even easier if they can intercept your non-secure
>> logins.
>
> That may be, but in that case the hacker would only be able to send
> emails to me with garbage or malicious content in the body, and that
> will have been "purified" to acceptable HTML, so I doubt that it will
> contain anything truly dangerous. However, I suppose I should enforce a
> limit to the size of the content.
>
> Paul

Whatever.



--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
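The two positions in this exchange can be reconciled in code: Paul's subject is safe only because `Full_Name` has already been matched against the hard-coded keys, and Jerry's objection is that a subject pinned to a name is unusable. The added example below is not code from either poster; it is written for this thread and assumes a constructed `$Passcodes` allow-list and hypothetical helper names (`allowlisted_name`, `single_header_line`, `build_subject`). It keeps Paul's allow-list check (with strict comparison instead of `==`), lets the sender supply a free-text subject, and rejects any header value that contains a line break or NUL, which is the property that e-mail header injection depends on. It also enforces the size limit Paul says he should add.

```php
<?php
// Added example, not the original poster's script. Demonstrates how a
// mail() subject can be free-form and still be safe from header injection.

// Constructed allow-list standing in for the thread's $Passcodes array.
$Passcodes = [
    'jane doe' => 'jane@example.com',
    'john roe' => 'john@example.com',
];

// Hypothetical helper: returns the canonical allow-listed key, or null
// when the name/email pair does not authenticate.
function allowlisted_name(array $in, array $passcodes): ?string
{
    if (!isset($in['Full_Name'], $in['Email'])
        || !is_string($in['Full_Name']) || !is_string($in['Email'])) {
        return null;
    }
    $key = strtolower(trim($in['Full_Name']));
    if (!array_key_exists($key, $passcodes)) {
        return null;
    }
    // Strict comparison: PHP's == treats numeric-looking strings specially.
    if ($passcodes[$key] !== strtolower(trim($in['Email']))) {
        return null;
    }
    return $key;
}

// Hypothetical helper: a header value must stay on one line. CR, LF and NUL
// are what let a value spill into additional headers, so reject rather
// than silently strip them. Also cap the length.
function single_header_line(string $value, int $maxLen = 200): string
{
    if (preg_match('/[\r\n\0]/', $value) === 1) {
        throw new InvalidArgumentException('header value contains a line break or NUL');
    }
    if (strlen($value) > $maxLen) {
        throw new InvalidArgumentException('header value too long');
    }
    return $value;
}

// Build the Subject header. Returns null if authentication fails, throws
// if the supplied subject is not a safe single header line.
function build_subject(array $in, array $passcodes): ?string
{
    $key = allowlisted_name($in, $passcodes);
    if ($key === null) {
        return null; // caller should stop here, as HTMLdie() does in the thread
    }
    // Free-text subject is allowed (Jerry's usability point) but validated.
    $userSubject = isset($in['Subject']) && is_string($in['Subject'])
        ? single_header_line(trim($in['Subject']))
        : 'Form data';
    // The key is one of the hard-coded array keys, so it is line-break free.
    return "{$userSubject} (from {$key})";
}

// Constructed inputs exercising the three outcomes.
$ok = ['Full_Name' => 'Jane Doe', 'Email' => 'jane@example.com',
       'Subject' => 'Party for Jean on Friday'];
var_dump(build_subject($ok, $Passcodes));   // "Party for Jean on Friday (from jane doe)"

$unknown = ['Full_Name' => 'Nobody', 'Email' => 'x@example.com'];
var_dump(build_subject($unknown, $Passcodes)); // NULL: not an allow-listed name

$multiline = ['Full_Name' => 'Jane Doe', 'Email' => 'jane@example.com',
              'Subject' => "Hello\r\nsecond line"];
try {
    build_subject($multiline, $Passcodes);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The same `single_header_line()` check belongs on every value that ends up in a header (`From`, `Reply-To`, the sender's e-mail), not only on the subject; the body can be long and free-form, since it is not parsed as headers, but still deserves the size limit.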