Writing Secure FormMail Scripts

Article ID: 000038
Rating: 5.0 / 5.0 (1 votes)
Views: 8279

Problem
How can I make sure my formmail script is secure?

Solution

The Problem

Nearly all custom formmail scripts people write for their Web sites are insecure. This fact is well-known by spammers, who regularly scan the Internet looking for formmail scripts to abuse.

A simple solution is to use a pre-written formmail script which is known to be secure. If this does not meet your needs, then you need to understand how spammers abuse formmail scripts and program defensively.

An Insecure FormMail Example

Since most of the insecure formmail scripts we see are written in PHP, we'll use this language for examples. But the same principles apply to any Web programming language.
mail($_POST['to'], $_POST['subject'], $_POST['message'], 'From: ' . $_POST['from'] . "\r\n");
The problem with this code is that it uses data submitted by a form without first checking its values. A spammer will typically submit to your formmail script from their own server, bypassing any length restrictions or data checking you impose via JavaScript in your HTML form. Because e-mail messages are just plain text, it is possible to include an entire e-mail message (headers and content) in a single form variable. If this form variable is used in the header portion of an e-mail (to/name/cc/bcc/from/reply-to/subject), then our mail server will see it as a well-formed e-mail message, and will send it out. Normally it will contain a long bcc list, and all of those addresses will receive the spam message.

The Solution

To make your script secure, you simply have to check any submitted data which will be used in the header portion of the e-mail for validity. Each data item should be of reasonable length, and should not contain any carriage returns (which are necessary to terminate header lines in an e-mail), commas (which separate e-mail addresses in a list), or the keywords "to:", "cc:" or "bcc:" (case-insensitive). Below is a more secure version of the above example:
$to      = $_POST['to'];
$from    = $_POST['from'];
$subject = $_POST['subject'];
$message = $_POST['message'];

$addresses = $to . $from;
$headers   = $addresses . $subject;

// strpos()/stripos() return 0 when the match is at the very start of the
// string, and 0 is false in PHP, so the result must be compared with === false
// rather than negated with "!"; otherwise a value that begins with a line
// break, a comma or "to:" would pass the check.
if (  strlen ($headers) < 150              &&  // Reasonable length
      strpos ($headers, "\r")  === false   &&  // No carriage returns or line feeds in header data
      strpos ($headers, "\n")  === false   &&
      strpos ($addresses, ',') === false   &&  // No address list
      stripos($headers, 'to:') === false   &&  // No to/cc/bcc headers ("bcc:" contains "cc:")
      stripos($headers, 'cc:') === false)
  mail($to, $subject, $message, 'From: ' . $from . "\r\n");
Here are some additional notes:
  • If you include a name or any other data in the email headers, you need to carefully check that data too.
  • Whenever possible, you should hard code the subject, return address, message etc. so that there is no possibility of exploiting these parts of the e-mail message.
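The following is an added example, not code from the original article, that applies the checks above together with the two notes: the recipient and the From address are hard-coded, only the sender address, subject and body come from the form, and every field that ends up in a header is validated before mail() is called. The recipient addresses, the field names and the MAX_HEADER_FIELD_LENGTH limit are assumptions; the sample submissions at the bottom are constructed.

```php
<?php
// Added example (not part of the original article): a formmail handler that
// hard-codes everything except the sender address, subject and body, and
// validates each header-bound field before calling mail().

// Hypothetical addresses; in a real deployment these are your own.
const FORMMAIL_RECIPIENT = 'webmaster@example.com';
const FORMMAIL_SENDER    = 'formmail@example.com';
const MAX_HEADER_FIELD_LENGTH = 100;   // assumed limit, in the spirit of the 150 above

// Returns null when $value is safe to place in a mail header, otherwise a
// short reason for rejecting it. The checks are the ones the article lists.
function header_field_error(string $value, bool $is_address): ?string
{
    if (strlen($value) > MAX_HEADER_FIELD_LENGTH) {
        return 'too long';
    }
    // A CR or LF would terminate the header line and let the remainder of the
    // value be parsed as further headers (or as the start of the body).
    if (preg_match('/[\r\n]/', $value)) {
        return 'contains a line break';
    }
    // "bcc:" contains "cc:", so two keywords cover all three.
    if (preg_match('/(?:to|cc):/i', $value)) {
        return 'contains a header keyword';
    }
    if ($is_address) {
        // Commas separate addresses in a list; a single address has none.
        if (strpos($value, ',') !== false) {
            return 'contains an address list';
        }
        if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
            return 'not a valid e-mail address';
        }
    }
    return null;
}

// Validates the submitted fields and returns either the arguments mail()
// should be called with or the list of validation errors. Keeping the call to
// mail() outside this function lets it be exercised without a mail server.
function build_formmail(array $post): array
{
    $from    = (string) ($post['from'] ?? '');
    $subject = (string) ($post['subject'] ?? '');
    $message = (string) ($post['message'] ?? '');

    $errors = [];
    if (($e = header_field_error($from, true)) !== null) {
        $errors['from'] = $e;
    }
    if (($e = header_field_error($subject, false)) !== null) {
        $errors['subject'] = $e;
    }
    if ($errors) {
        return ['ok' => false, 'errors' => $errors];
    }

    // The recipient never comes from the form. The submitter's address goes
    // in Reply-To; From stays a fixed local address so the message is not
    // sent as if it originated from the submitter's domain.
    $headers = 'From: ' . FORMMAIL_SENDER . "\r\n"
             . 'Reply-To: ' . $from . "\r\n";

    return [
        'ok'      => true,
        'to'      => FORMMAIL_RECIPIENT,
        'subject' => $subject,
        'message' => $message,
        'headers' => $headers,
    ];
}

// Constructed sample submissions, not real traffic: one normal, one carrying
// an injected header of the kind described above.
$clean = ['from' => 'visitor@example.org',
          'subject' => 'Question about hosting', 'message' => 'Hello'];
$injected = ['from' => "visitor@example.org\r\nBcc: victim@example.net",
             'subject' => 'Hi', 'message' => 'unwanted'];

$result = build_formmail($clean);
if ($result['ok']) {
    // mail($result['to'], $result['subject'], $result['message'], $result['headers']);
    echo "clean submission accepted\n";
}
$result = build_formmail($injected);
if (!$result['ok']) {
    echo 'injected submission rejected: ' . json_encode($result['errors']) . "\n";
}
```

The nullable return type (?string) and the null-coalescing operator (??) assume PHP 7.1 or later. The checks are ordered so that a line break is reported before the address is handed to filter_var(), and the body is not validated against header rules because it is never placed in a header.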
