Securing an Email script

I've changed our web site to use a simple PHP script to send a demo request
to our sales office. We use Postfix and everything is set up properly and
works fine. I've been informed there are some security issues to review.

The script looks like:





/* Pre-defined script variables. */
/* $eol = "\r\n"; */
$eol = "\n";
$mailto = 'sales@mydomain.com';
$mailfrom = 'webserver@mydomain.com';
$subject = 'Company Demo Request';

/* Initialize a clean array to replace $_POST with clean data */
$name = $_POST['name'];
$title = $_POST['name'];
$company = $_POST['name'];
$email = $_POST['name'];
$phone = $_POST['name'];
$message = $_POST['name'];

/* Build HTML $salesmessage variable to pass to mail script */
$salesmessage = "" . $eol;
$salesmessage .= "The following information comes from the company web
site
".$eol;
$salesmessage .= "demonstration link.

".$eol;
$salesmessage .= "

Re: Securing an Email script

"Bill H" wrote in message
news:VradnVdP25-dFL7anZ2dnUVZ_rCtnZ2d@comcast.com...
> I've changed our web site to use a simple PHP script to send a demo
> request to our sales office. We use Postfix and everything is set up
> properly and works fine. I've been informed there are some security
> issues to review.

Since you do ZERO checking on the values it's nothing BUT security issues.
You should never pass user-submitted data to mail or data bases without
validating it.






>
> The script looks like:
>
>
>
>
> >
> /* Pre-defined script variables. */
> /* $eol = "\r\n"; */
> $eol = "\n";
> $mailto = 'sales@mydomain.com';
> $mailfrom = 'webserver@mydomain.com';
> $subject = 'Company Demo Request';
>
> /* Initialize a clean array to replace $_POST with clean data */
> $name = $_POST['name'];
> $title = $_POST['name'];
> $company = $_POST['name'];
> $email = $_POST['name'];
> $phone = $_POST['name'];
> $message = $_POST['name'];
>
> /* Build HTML $salesmessage variable to pass to mail script */
> $salesmessage = "" . $eol;
> $salesmessage .= "The following information comes from the company web
> site
".$eol;
> $salesmessage .= "demonstration link.

".$eol;
> $salesmessage .= "

Re: Securing an Email script

..oO(Sanders Kaufman)

>"Bill H" wrote in message
>news:VradnVdP25-dFL7anZ2dnUVZ_rCtnZ2d@comcast.com...
>> I've changed our web site to use a simple PHP script to send a demo
>> request to our sales office. We use Postfix and everything is set up
>> properly and works fine. I've been informed there are some security
>> issues to review.
>
>Since you do ZERO checking on the values it's nothing BUT security issues.

The user-submitted values are used only in the mail body. All the
headers are hard-wired in the script, so there's no way to inject some
more.

>You should never pass user-submitted data to mail or data bases without
>validating it.

Correct. And indeed the script has a lot of problems, but these are not
related to PHP - it's all the JS stuff:

* The JS code itself is invalid HTML.

* Proper redirects have to be done server-side, in case of PHP with a
header() call to send the appropriate HTTP status code and headers.

* Relying on JS-validation only is stupid and often dangerous. In this
case it's (luckily) not a security issue, but might still lead to empty
emails. Validation _must always_ be done on the server, JS can always
only be an addition.

* A proper form handler should redisplay the same form in case of an
error instead of relying on ugly and unreliable client-side behaviours.

So I would start with removing (or at least commenting-out) all the JS
thingies and thinking about server-side error handling.

Micha

Re: Securing an Email script

Bill H wrote:
> I've changed our web site to use a simple PHP script to send a demo request
> to our sales office. We use Postfix and everything is set up properly and
> works fine. I've been informed there are some security issues to review.
>
> The script looks like:
>
>
>
>
> >
> /* Pre-defined script variables. */
> /* $eol = "\r\n"; */
> $eol = "\n";
> $mailto = 'sales@mydomain.com';
> $mailfrom = 'webserver@mydomain.com';
> $subject = 'Company Demo Request';
>
> /* Initialize a clean array to replace $_POST with clean data */
> $name = $_POST['name'];
> $title = $_POST['name'];
> $company = $_POST['name'];
> $email = $_POST['name'];
> $phone = $_POST['name'];
> $message = $_POST['name'];
>
> /* Build HTML $salesmessage variable to pass to mail script */
> $salesmessage = "" . $eol;
> $salesmessage .= "The following information comes from the company web
> site
".$eol;
> $salesmessage .= "demonstration link.

".$eol;
> $salesmessage .= "

Re: Securing an Email script

On Oct 27, 8:27 pm, "Sanders Kaufman" wrote:
> "Bill H" wrote in message
>
> news:VradnVdP25-dFL7anZ2dnUVZ_rCtnZ2d@comcast.com...
>
> > I've changed our web site to use a simple PHP script to send a demo
> > request to our sales office. We use Postfix and everything is set up
> > properly and works fine. I've been informed there are some security
> > issues to review.
>
> Since you do ZERO checking on the values it's nothing BUT security issues.
> You should never pass user-submitted data to mail or data bases without
> validating it.
>
>
>
> > The script looks like:
>
> >
> >
> >
> > >
> > /* Pre-defined script variables. */
> > /* $eol = "\r\n"; */
> > $eol = "\n";
> > $mailto = 'sa...@mydomain.com';
> > $mailfrom = 'webser...@mydomain.com';
> > $subject = 'Company Demo Request';
>
> > /* Initialize a clean array to replace $_POST with clean data */
> > $name = $_POST['name'];
> > $title = $_POST['name'];
> > $company = $_POST['name'];
> > $email = $_POST['name'];
> > $phone = $_POST['name'];
> > $message = $_POST['name'];
>
> > /* Build HTML $salesmessage variable to pass to mail script */
> > $salesmessage = "" . $eol;
> > $salesmessage .= "The following information comes from the company web
> > site
".$eol;
> > $salesmessage .= "demonstration link.

".$eol;
> > $salesmessage .= "

Re: Securing an Email script

Jerry:

I'm not sure I understand the responses. It appears:

1) the script is safe because no user input is used in the header.
2) the script is safe because no user data is passed into the script or
database,
3) javascript shouldn't be used as an error trapping technique, although it
is safe

I don't validate the user input because I don't really care if the input is
valid or not; almost everyone who use the page gives good information since
they're asking us for something.

So, the script is safe but it would be wise to hire someone to build a
better script with proper error handling. Is this about correct?

Thanks,

Bill

"Jerry Stuckle" wrote in message
news:CNCdnTTVatATNL7anZ2dnUVZ_r2nnZ2d@comcast.com...
> Bill H wrote:
>> I've changed our web site to use a simple PHP script to send a demo
>> request to our sales office. We use Postfix and everything is set up
>> properly and works fine. I've been informed there are some security
>> issues to review.
>>
>> The script looks like:
>>
>>
>>
>>
>> >>

[snipped]

>> }
>> ?>
>>
>>
>>
>> The main issue I'm wondering about is if I control the to and from
>> address and header information for the mail, as I do above, is it
>> possible to inject something else into the email to hijack the mail
>> server?
>>
>> Thanks,
>>
>> Bill
>
> Well, you're placing anything in the header which comes from the user
> (i.e. from address, subject, etc.), so in that respect your script is
> safe.
>
> However, just to be safe, you should verify the data input by the user.
>
> --
> ==================
> Remove the "x" from my email address
> Jerry Stuckle
> JDS Computer Training Corp.
> jstucklex@attglobal.net
> ==================
>

Re: Securing an Email script

Bill H wrote:
> "Jerry Stuckle" wrote in message
> news:CNCdnTTVatATNL7anZ2dnUVZ_r2nnZ2d@comcast.com...
>> Bill H wrote:
>>> I've changed our web site to use a simple PHP script to send a demo
>>> request to our sales office. We use Postfix and everything is set up
>>> properly and works fine. I've been informed there are some security
>>> issues to review.
>>>
>>> The script looks like:
>>>
>>>
>>>
>>>
>>> >>>
>
> [snipped]
>
>>> }
>>> ?>
>>>
>>>
>>>
>>> The main issue I'm wondering about is if I control the to and from
>>> address and header information for the mail, as I do above, is it
>>> possible to inject something else into the email to hijack the mail
>>> server?
>>>
>>> Thanks,
>>>
>>> Bill
>> Well, you're placing anything in the header which comes from the user
>> (i.e. from address, subject, etc.), so in that respect your script is
>> safe.
>>
>> However, just to be safe, you should verify the data input by the user.
>>
>
>
> Jerry:
>
> I'm not sure I understand the responses. It appears:
>
> 1) the script is safe because no user input is used in the header.
> 2) the script is safe because no user data is passed into the script or
> database,
> 3) javascript shouldn't be used as an error trapping technique,
although it
> is safe
>
> I don't validate the user input because I don't really care if the
input is
> valid or not; almost everyone who use the page gives good information
since
> they're asking us for something.
>
> So, the script is safe but it would be wise to hire someone to build a
> better script with proper error handling. Is this about correct?
>
> Thanks,
>
> Bill
>

(Top posting fixed)

It is safe in that it can't be used to spam because no user input is in
the header. But you do have user data passed to the email, and without
validation it is dangerous.

Your CUSTOMERS use it to give good information. But hackers could use
it to potentially upload trojans or viruses to your system. In that
respect it is very unsafe. And spammers can use it to spam your personnel.

NEVER trust user input!

And please don't top post. Thanks.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

Re: Securing an Email script

"Bill H" wrote in message
news:S8WdnU0gzc8afLnanZ2dnUVZ_u-unZ2d@comcast.com...
> Jerry:
>
> I'm not sure I understand the responses. It appears:
>
> 1) the script is safe because no user input is used in the header.
> 2) the script is safe because no user data is passed into the script or
> database,
> 3) javascript shouldn't be used as an error trapping technique, although
> it is safe
>
> I don't validate the user input because I don't really care if the input
> is valid or not; almost everyone who use the page gives good information
> since they're asking us for something.


You're *may* right about this last one - but being on the web means that
you'll be getting OTHER visitiors as well.
It's likely not your regular, casualy, friendly customers from whom you need
to protect yourself.




>
> So, the script is safe but it would be wise to hire someone to build a
> better script with proper error handling. Is this about correct?

Re: Securing an Email script

"shimmyshack" wrote in message
news:1193519779.915072.181330@v3g2000hsg.googlegroups.com...
> On Oct 27, 8:27 pm, "Sanders Kaufman" wrote:
>> "Bill H" wrote in message
>>
>> news:VradnVdP25-dFL7anZ2dnUVZ_rCtnZ2d@comcast.com...
>>
>> > I've changed our web site to use a simple PHP script to send a demo
>> > request to our sales office. We use Postfix and everything is set up
>> > properly and works fine. I've been informed there are some security
>> > issues to review.
>>
>> Since you do ZERO checking on the values it's nothing BUT security
>> issues.
>> You should never pass user-submitted data to mail or data bases without
>> validating it.
>>
>>
>>
>> > The script looks like:
>>
>> >
>> >
>> >
>> > >>
>> > /* Pre-defined script variables. */
>> > /* $eol = "\r\n"; */
>> > $eol = "\n";
>> > $mailto = 'sa...@mydomain.com';
>> > $mailfrom = 'webser...@mydomain.com';
>> > $subject = 'Company Demo Request';
>>
>> > /* Initialize a clean array to replace $_POST with clean data */
>> > $name = $_POST['name'];
>> > $title = $_POST['name'];
>> > $company = $_POST['name'];
>> > $email = $_POST['name'];
>> > $phone = $_POST['name'];
>> > $message = $_POST['name'];
>>
>> > /* Build HTML $salesmessage variable to pass to mail script */
>> > $salesmessage = "" . $eol;
>> > $salesmessage .= "The following information comes from the company
>> > web
>> > site
".$eol;
>> > $salesmessage .= "demonstration link.

".$eol;
>> > $salesmessage .= "

Re: Securing an Email script

On Mon, 29 Oct 2007 20:04:46 +0100, Steve wrote:
> complexity is !== security. simplicity most assuredly *is*.

Hmmm, that's nonsense offcourse. Simplicity makes it easier to secure =

things and spot possible threads. Simplicity itself offers no security =

whatsoever. I agree that a KISS method surely is the way to go however. =
=

Bloated 'I can do everything'-classes are only usefull for those ill =

equipped to write a method of their own or maybe stretched for time.
-- =

Rik Wasmus

Re: Securing an Email script

On Mon, 29 Oct 2007 20:27:10 +0100, Rik Wasmus =

wrote:

> On Mon, 29 Oct 2007 20:04:46 +0100, Steve wrote:
>> complexity is !== security. simplicity most assuredly *is*.
>
> Hmmm, that's nonsense offcourse. Simplicity makes it easier to secure =
=

> things and spot possible threads.

Hmm, threats ;P
-- =

Rik Wasmus

Re: Securing an Email script

"Rik Wasmus" wrote in message
news:op.t0y4z3e95bnjuv@metallium.lan...
On Mon, 29 Oct 2007 20:27:10 +0100, Rik Wasmus
wrote:

> On Mon, 29 Oct 2007 20:04:46 +0100, Steve wrote:
>> complexity is !== security. simplicity most assuredly *is*.
>
> Hmmm, that's nonsense offcourse. Simplicity makes it easier to secure
> things and spot possible threads.

Hmm, threats ;P

lol

Re: Securing an Email script

"Rik Wasmus" wrote in message
news:op.t0y4bkqz5bnjuv@metallium.lan...
On Mon, 29 Oct 2007 20:04:46 +0100, Steve wrote:
> complexity is !== security. simplicity most assuredly *is*.

>Hmmm, that's nonsense offcourse. Simplicity makes it easier to secure
>things and spot possible threads. Simplicity itself offers no security
>whatsoever.

ok...so i should have used == instead of ===

;^)

consider the substitution:

simplicity > complexity

and this trend:

simplicity->complexity
security--

for the reasons you state above...spotting threats.

>I agree that a KISS method surely is the way to go however.

fully.

>Bloated 'I can do everything'-classes are only usefull for those ill
>equipped to write a method of their own or maybe stretched for time.

exactly.

cheers