views:

139

answers:

1

I have a form to singup yourself in a mailing list.

I had set up the script to send me a mail for every singup and confirmation.

The last days I saw a bunch of empty submisions (rejected). Turns out filter_input is that good :-)

But I want to see the input of the malicious users, so I'm encoding the input and sending it to me by mail

htmlentities($_POST['userName'], ENT_QUOTES, "UTF-8")
  • Is that secure?
  • Should I add mysql_real_escape_string() ?
  • It is possible to craft a post in such a way that will be able to do any harm while sending the mail to me?
  • I'm not writing rejected submisions to the database, only mailing them to me.

Here's the relevant code.

<?php
$userName = filter_input(INPUT_POST, 'userName', FILTER_SANITIZE_STRING);
$userEmail = filter_input(INPUT_POST, 'userEmail', FILTER_VALIDATE_EMAIL);
if(!checkdnsrr(array_pop(explode("@",$userEmail)),"A"))
    $hostInvalido = true;

if(!empty($userName) && $userName!==FALSE && !empty($userEmail) && $userEmail!==FALSE && !isset($hostInvalido) ) {
    //All ok
} else {
    echo "Datos invalidos, por favor, intenta nuevamente.";
    $fromaddress="[email protected]";
    $fromname="Error reporting";
    $to= "webmaster <[email protected]>";
    $subject="MailList: Error ";
    $userName = htmlentities($_POST['userName'], ENT_QUOTES, "UTF-8"); // is this secure?
    $userEmail = htmlentities($_POST['userEmail'], ENT_QUOTES, "UTF-8");
    $body = "Nombre: $userName<br>Email: $userEmail";
    $body .= (isset($hostInvalido)) ? "<br>Host invalido" : "";
    $ret = send_mail($to, $body, $subject, $fromaddress, $fromname, $attachments=false);
}


// i'm including this funtion so you can analyze it for any possible vulneratility 
function send_mail($to, $body, $subject, $fromaddress, $fromname, $attachments=false) {
  $eol="\r\n";
  $mime_boundary=md5(time());

  # Common Headers
  $headers = "";
  $headers .= "From: ".$fromname."<".$fromaddress.">".$eol;
  $headers .= "Reply-To: ".$fromname."<".$fromaddress.">".$eol;
  $headers .= "Return-Path: ".$fromname."<".$fromaddress.">".$eol;    // these two to set reply address
  $headers .= "Message-ID: <".time()."-".$fromaddress.">".$eol;
  $headers .= "X-Mailer: PHP v".phpversion().$eol;          // These two to help avoid spam-filters

  # Boundry for marking the split & Multitype Headers
  $headers .= 'MIME-Version: 1.0'.$eol;
  $headers .= "Content-Type: multipart/mixed; boundary=\"".$mime_boundary."\"".$eol.$eol;

  # Open the first part of the mail
  $msg = "--".$mime_boundary.$eol;

  $htmlalt_mime_boundary = $mime_boundary."_htmlalt"; //we must define a different MIME boundary for this section
  # Setup for text OR html -
  $msg .= "Content-Type: multipart/alternative; boundary=\"".$htmlalt_mime_boundary."\"".$eol.$eol;


  # Text Version
  $msg .= "--".$htmlalt_mime_boundary.$eol;
  $msg .= "Content-Type: text/plain; charset=UTF-8".$eol; //iso-8859-1
  $msg .= "Content-Transfer-Encoding: 8bit".$eol.$eol;
  $msg .= strip_tags(str_replace("<br>", "\n", $body)).$eol.$eol; //mb_substr($body, (strpos($body, "<body>")+6))

  # HTML Version
  $msg .= "--".$htmlalt_mime_boundary.$eol;

  $msg .= "Content-Type: text/html; charset=UTF-8".$eol;//iso-8859-1
  $msg .= "Content-Transfer-Encoding: 8bit".$eol.$eol;
  $msg .= $body.$eol.$eol;

  //close the html/plain text alternate portion
  $msg .= "--".$htmlalt_mime_boundary."--".$eol.$eol;

  if ($attachments !== false)
  {
    for($i=0; $i < count($attachments); $i++)
    {
      if (is_file($attachments[$i]["file"]))
      {
        # File for Attachment
        $file_name = mb_substr($attachments[$i]["file"], (strrpos($attachments[$i]["file"], "/")+1));

        $handle=fopen($attachments[$i]["file"], 'rb');
        $f_contents=fread($handle, filesize($attachments[$i]["file"]));
        $f_contents=chunk_split(base64_encode($f_contents));    //Encode The Data For Transition using base64_encode();
        $f_type=filetype($attachments[$i]["file"]);
        fclose($handle);

        # Attachment
        $msg .= "--".$mime_boundary.$eol;
        $msg .= "Content-Type: ".$attachments[$i]["content_type"]."; name=\"".$file_name."\"".$eol;  // sometimes i have to send MS Word, use 'msword' instead of 'pdf'
        $msg .= "Content-Transfer-Encoding: base64".$eol;
        $msg .= "Content-Description: ".$file_name.$eol;
        $msg .= "Content-Disposition: attachment; filename=\"".$file_name."\"".$eol.$eol; // !! This line needs TWO end of lines !! IMPORTANT !!
        $msg .= $f_contents.$eol.$eol;
      }
    }
  }

  # Finished
  $msg .= "--".$mime_boundary."--".$eol.$eol;  // finish with two eol's for better security. see Injection.

  # SEND THE EMAIL
  ini_set('sendmail_from',$fromaddress);  // the INI lines are to force the From Address to be used !
  $mail_sent = mail($to, $subject, $msg, $headers);

  ini_restore('sendmail_from');

  return $mail_sent;
}
?>
+2  A: 

XSS injections is mainly javascript, so using htmlentities() is sufficient :)

If you are still worried, drop the message into a < textarea>< /textarea> and then mail it.

Thomas Winsnes
I agree, and maybe in a pure-text attachment is more safe.
XUE Can
ok, I guess I was over thinking it...
The Disintegrator
overthinking is misunderstanding
Longpoke