Comments on: Securing PHP Contact Forms http://f6design.com/journal/2006/12/09/securing-php-contact-forms/ Adventures in web and graphic design Tue, 31 Aug 2010 07:09:33 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Jonathan http://f6design.com/journal/2006/12/09/securing-php-contact-forms/comment-page-1/#comment-38124 Jonathan Tue, 01 Jan 2008 21:44:23 +0000 http://f6design.com/journal/2006/12/09/securing-php-contact-forms/#comment-38124 Regge - That's a good question. No, definitely only use 'light' checking on the message field. Even that isn't necessary, since the message never appears in the email header, which is the only vulnerable part of an email. The only reason I included 'light' checking in FormBuilder is because spambots often try any inject into every field of a form, which means the recipient still gets their probe emails, which is annoying. If you find header injection probes are an issue for you, then the 'light' check might be useful to nip them in the bud. Regge – That’s a good question. No, definitely only use ‘light’ checking on the message field. Even that isn’t necessary, since the message never appears in the email header, which is the only vulnerable part of an email. The only reason I included ‘light’ checking in FormBuilder is because spambots often try any inject into every field of a form, which means the recipient still gets their probe emails, which is annoying. If you find header injection probes are an issue for you, then the ‘light’ check might be useful to nip them in the bud.

]]> By: Regge http://f6design.com/journal/2006/12/09/securing-php-contact-forms/comment-page-1/#comment-38095 Regge Tue, 01 Jan 2008 18:57:26 +0000 http://f6design.com/journal/2006/12/09/securing-php-contact-forms/#comment-38095 Jonathan, thank you for your very interesting article and also for your Formbuilder script, which is so cool. One question, do you advise to use "full" headerinjectioncheck for the message part of a contact form? Don't users often add breaks to there message? I know I do. I see that the "light" headerinjectioncheck works line returns, how different is it? how less secure? Thanks again for all your work and efforts to share your knowledge. As a beginner programmer, I really appreciate it. Regge Jonathan, thank you for your very interesting article and also for your Formbuilder script, which is so cool.
One question, do you advise to use “full” headerinjectioncheck for the message part of a contact form? Don’t users often add breaks to there message? I know I do. I see that the “light” headerinjectioncheck works line returns, how different is it? how less secure?
Thanks again for all your work and efforts to share your knowledge. As a beginner programmer, I really appreciate it.
Regge

]]> By: inspirationbit http://f6design.com/journal/2006/12/09/securing-php-contact-forms/comment-page-1/#comment-923 inspirationbit Sat, 24 Feb 2007 05:54:32 +0000 http://f6design.com/journal/2006/12/09/securing-php-contact-forms/#comment-923 Jonathan, thanks for the link to another Plugin for Contact page. I think I like this one better, so will be changing mine. Yes, it's great that the plugin writers too are aware of these exploits and write such a solid and professional code. Jonathan, thanks for the link to another Plugin for Contact page. I think I like this one better, so will be changing mine.
Yes, it’s great that the plugin writers too are aware of these exploits and write such a solid and professional code.

]]> By: Jonathan http://f6design.com/journal/2006/12/09/securing-php-contact-forms/comment-page-1/#comment-922 Jonathan Sat, 24 Feb 2007 05:46:15 +0000 http://f6design.com/journal/2006/12/09/securing-php-contact-forms/#comment-922 @inspirationbit: On this site I've been using Dagon Design's <a href="http://www.dagondesign.com/articles/secure-form-mailer-plugin-for-wordpress/">"Secure Form Mailer Plugin"</a> for Wordpress, which has inbuilt header injection protection, and I've found it to be very solid. I think it's great that most developer's are now aware of this exploit and are writing scripts that patch against it. @inspirationbit: On this site I’ve been using Dagon Design’s “Secure Form Mailer Plugin” for Wordpress, which has inbuilt header injection protection, and I’ve found it to be very solid. I think it’s great that most developer’s are now aware of this exploit and are writing scripts that patch against it.

]]> By: inspirationbit http://f6design.com/journal/2006/12/09/securing-php-contact-forms/comment-page-1/#comment-918 inspirationbit Sat, 24 Feb 2007 02:00:41 +0000 http://f6design.com/journal/2006/12/09/securing-php-contact-forms/#comment-918 This is a very good post and warning. Good news for those of you who uses Contact Form plugin for Wordpress: it includes a function that checks for a malicious input. function wpcf_is_malicious($input) {...} The concept is very similar to Jonathan's, but it checks the input slightly differently: $bad_inputs = array("\r", "\n", "mime-version", "content-type", "cc:", "to:"); I think if we add Jonathan's values to it as well, it will be a rock solid protection from a header injection. This is a very good post and warning. Good news for those of you who uses Contact Form plugin for Wordpress: it includes a function that checks for a malicious input.
function wpcf_is_malicious($input) {…}

The concept is very similar to Jonathan’s, but it checks the input slightly differently:
$bad_inputs = array(“\r”, “\n”, “mime-version”, “content-type”, “cc:”, “to:”);

I think if we add Jonathan’s values to it as well, it will be a rock solid protection from a header injection.

]]> By: cctech http://f6design.com/journal/2006/12/09/securing-php-contact-forms/comment-page-1/#comment-390 cctech Mon, 25 Dec 2006 14:39:37 +0000 http://f6design.com/journal/2006/12/09/securing-php-contact-forms/#comment-390 Really great post Jonathan. We have run into this very thing a few times and have been doing research on a fix :|. Awesome job! :) Really great post Jonathan. We have run into this very thing a few times and have been doing research on a fix :| . Awesome job! :)

]]> By: Clive Walker http://f6design.com/journal/2006/12/09/securing-php-contact-forms/comment-page-1/#comment-186 Clive Walker Tue, 12 Dec 2006 15:14:09 +0000 http://f6design.com/journal/2006/12/09/securing-php-contact-forms/#comment-186 Thank for the email re escaping characters. FYI, I tried to reply to your email but I received an undelivered message email back [relay access denied] Not sure if this is a problem with your server but thought you'd want to know. Thank for the email re escaping characters. FYI, I tried to reply to your email but I received an undelivered message email back [relay access denied] Not sure if this is a problem with your server but thought you’d want to know.

]]> By: Clive Walker http://f6design.com/journal/2006/12/09/securing-php-contact-forms/comment-page-1/#comment-180 Clive Walker Mon, 11 Dec 2006 22:54:16 +0000 http://f6design.com/journal/2006/12/09/securing-php-contact-forms/#comment-180 Very timely for me because of a client having the problem you describe. Your function looks like a good solution. Very timely for me because of a client having the problem you describe. Your function looks like a good solution.

]]> By: Emil Stenström http://f6design.com/journal/2006/12/09/securing-php-contact-forms/comment-page-1/#comment-179 Emil Stenström Mon, 11 Dec 2006 20:48:39 +0000 http://f6design.com/journal/2006/12/09/securing-php-contact-forms/#comment-179 Thanks again, I had no idea of this one (sadly). Together with SQL injections these two probably are the biggest security hole on the net today. Thanks again, I had no idea of this one (sadly). Together with SQL injections these two probably are the biggest security hole on the net today.

]]>