Spamproofing a send mail script

On 01.11.2007 19:25:40 by DVH

Hi,

I've a script that sends mail from my site.

I've included a regexp which should return 403 forbidden if you try to
hijack it and send to another address.

How can I test to make sure it works? E.g. can I try to spoof it to send
mail to my other e-mail address?

Thanks for your help.

The script is:

<?php

$mailto = 'dvh@example.com' ;

$subject = "newsletter signup" ;

$formurl = "http://www.example.com/index.html" ;
$errorurl = "http://www.example.com/signuperror.html" ;
$thankyouurl = "http://www.example.com/signed.html" ;

// 0 = separate the extra mail headers with CRLF; anything else uses bare LF
$uself = 0;

$headersep = (!isset( $uself ) || ($uself == 0)) ? "\r\n" : "\n" ;
$name = $_POST['name'] ;
$email = $_POST['email'] ;
$comments = $_POST['comments'] ;
$http_referrer = getenv( "HTTP_REFERER" );

// No form submission at all: send the visitor back to the form
if (!isset($_POST['email'])) {
    header( "Location: $formurl" );
    exit ;
}
if (empty($name) || empty($email) || empty($comments)) {
    header( "Location: $errorurl" );
    exit ;
}
// Reject CR or LF in the two fields that are concatenated into the mail headers.
// (ereg()/eregi() were removed in PHP 7; preg_match() is the replacement.)
if ( ereg( "[\r\n]", $name ) || ereg( "[\r\n]", $email ) ) {
    header( "Location: $errorurl" );
    exit ;
}

if (get_magic_quotes_gpc()) {
    $comments = stripslashes( $comments );
}

// Only deliver to an address at example.com. $mailto is the constant set at the
// top of the script, not form input, so this test always passes for a submission.
if (!eregi('^[-A-Za-z0-9_]+@(example.com)$', $mailto)) {
    header('HTTP/1.0 403 Forbidden');
    die('Access denied.');
}

$messageproper =
    "This message was sent from:\n" .
    "$http_referrer\n" .
    "------------------------------------------------------------\n" .
    "Name of sender: $name\n" .
    "Email of sender: $email\n" .
    "------------------------- COMMENTS -------------------------\n\n" .
    $comments .
    "\n\n------------------------------------------------------------\n" ;

mail($mailto, $subject, $messageproper,
    "From: \"$name\" <$email>" . $headersep . "Reply-To: \"$name\" <$email>" .
    $headersep . "X-Mailer: chfeedback.php 2.08" );
header( "Location: $thankyouurl" );
exit ;

?>

Re: Spamproofing a send mail script

On 01.11.2007 20:23:20 by Brendan Gillatt

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

DVH wrote:
> Hi,
>
> I've a script that sends mail from my site.
>
> I've included a regexp which should return 403 forbidden if you try to
> hijack it and send to another address.
>
> How can I test to make sure it works? E.g. can I try to spoof it to send
> mail to my other e-mail address?
>
> Thanks for your help.
>
> The script is:
>
> <?php
>
> $mailto = 'dvh@example.com' ;
>
>
> $subject = "newsletter signup" ;
>
> $formurl = "http://www.example.com/index.html" ;
> $errorurl = "http://www.example.com/signuperror.html" ;
> $thankyouurl = "http://www.example.com/signed.html" ;
>
> $uself = 0;
>
> $headersep = (!isset( $uself ) || ($uself == 0)) ? "\r\n" : "\n" ;
> $name = $_POST['name'] ;
> $email = $_POST['email'] ;
> $comments = $_POST['comments'] ;
> $http_referrer = getenv( "HTTP_REFERER" );
>
> if (!isset($_POST['email'])) {
> header( "Location: $formurl" );
> exit ;
> }
> if (empty($name) || empty($email) || empty($comments)) {
> header( "Location: $errorurl" );
> exit ;
> }
> if ( ereg( "[\r\n]", $name ) || ereg( "[\r\n]", $email ) ) {
> header( "Location: $errorurl" );
> exit ;
> }
>
> if (get_magic_quotes_gpc()) {
> $comments = stripslashes( $comments );
> }
>
> if (!eregi('^[-A-Za-z0-9_]+@(example.com)$', $mailto)) {
> header('HTTP/1.0 403 Forbidden');
> die('Access denied.');
> }
>
>
> $messageproper =
>
> "This message was sent from:\n" .
> "$http_referrer\n" .
> "------------------------------------------------------------\n" .
> "Name of sender: $name\n" .
> "Email of sender: $email\n" .
> "------------------------- COMMENTS -------------------------\n\n" .
> $comments .
> "\n\n------------------------------------------------------------\n" ;
>
> mail($mailto, $subject, $messageproper,
> "From: \"$name\" <$email>" . $headersep . "Reply-To: \"$name\" <$email>" .
> $headersep . "X-Mailer: chfeedback.php 2.08" );
> header( "Location: $thankyouurl" );
> exit ;
>
> ?>
>
>

You _must_ check for newlines in form-to-e-mail scripts. If not, a
malicious user can add their own headers.

- --
Brendan Gillatt
brendan {at} brendangillatt {dot} co {dot} uk
http://www.brendangillatt.co.uk
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xBACD7433
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)

iD8DBQFHKieokA9dCbrNdDMRAkxRAKDKg/lgihg2TDL0jRzd7A9PXA8ZrQCdHyjo
DR9g97F30LDbwK4nhCAJ9aU=
=XDYz
-----END PGP SIGNATURE-----
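The following is an added example for this thread, not code from DVH's script or from Brendan's reply. It answers DVH's "how can I test it" and illustrates Brendan's point in one place: it rebuilds the script's input checks and the header string the way the posted script builds them, then runs constructed submissions through them, including the Bcc injection that would deliver a copy to another address. The addresses and the `$cases` data are assumptions made up for the example; nothing is actually mailed.

```php
<?php
// Added example for this thread, not code from DVH's script or from
// Brendan's reply. It rebuilds the checks and the header string the way the
// posted script does, then feeds them crafted submissions so you can see
// which check blocks a hijack. Nothing is actually mailed.

// Build the 4th argument of mail() exactly as the posted script does.
function build_headers(string $name, string $email, string $sep = "\r\n"): string
{
    return "From: \"$name\" <$email>" . $sep
         . "Reply-To: \"$name\" <$email>" . $sep
         . "X-Mailer: chfeedback.php 2.08";
}

// The script's input checks in order. Returns null when the submission would
// be mailed, otherwise a short description of the branch that rejected it.
function reject_reason(array $post, string $mailto = 'dvh@example.com'): ?string
{
    if (!isset($post['email'])) {
        return 'no submission, redirected to form';
    }
    $name     = $post['name'] ?? '';
    $email    = $post['email'];
    $comments = $post['comments'] ?? '';
    if (empty($name) || empty($email) || empty($comments)) {
        return 'empty field';
    }
    // Brendan's point: CR or LF in anything concatenated into the header
    // block lets the sender append headers of their own. preg_match() is
    // the PHP 7+ replacement for the ereg() the 2007 script used.
    if (preg_match('/[\r\n]/', $name) || preg_match('/[\r\n]/', $email)) {
        return 'newline in a header field';
    }
    // The 403 branch tests $mailto, which the script sets to a constant
    // before this point and never takes from the form, so a submission
    // cannot reach it. It is kept here to make that visible.
    if (!preg_match('/^[-A-Za-z0-9_]+@example\.com$/i', $mailto)) {
        return '403 forbidden';
    }
    return null;
}

// Constructed submissions (hypothetical addresses, all in reserved domains).
$cases = [
    'honest signup' => [
        'name' => 'Alice', 'email' => 'alice@example.org', 'comments' => 'Please add me.',
    ],
    // The hijack DVH asks about: a CRLF inside the address turns the rest of
    // the value into a Bcc header, and mail() hands every address on it to
    // the MTA. Put your own second address here to test the live script.
    'bcc injection via email' => [
        'name'     => 'Alice',
        'email'    => "alice@example.org\r\nBcc: other@example.net",
        'comments' => 'Please add me.',
    ],
    // Same trick through the name field, with a bare LF.
    'header injection via name' => [
        'name'     => "Alice\nTo: other@example.net",
        'email'    => 'alice@example.org',
        'comments' => 'Please add me.',
    ],
    // Newlines in the comments are harmless: that field only reaches the body.
    'multi-line comments' => [
        'name'     => 'Alice',
        'email'    => 'alice@example.org',
        'comments' => "Line one\r\nBcc: other@example.net\r\nLine three",
    ],
];

foreach ($cases as $label => $post) {
    $reason = reject_reason($post);
    echo $label, ': ', $reason === null ? 'accepted' : "rejected ($reason)", "\n";
    if ($reason === 'newline in a header field') {
        // Show what mail() would have received had the check been missing.
        echo "  header block without the newline check:\n";
        foreach (preg_split('/\r\n|\r|\n/', build_headers($post['name'], $post['email'])) as $line) {
            echo "    | $line\n";
        }
    }
}
```

To try the same thing against the live script, send the injected values with curl's `--data-urlencode` option (it turns the CR and LF into `%0D%0A` in the POST body). A redirect to `$errorurl` means the newline check caught it; a redirect to `$thankyouurl` means the submission was mailed, and if the second address then receives a copy, the script can be hijacked. The 403 branch will never fire during this test, because it inspects `$mailto`, which the form cannot change.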

Re: Spamproofing a send mail script

On 02.11.2007 15:58:55 by DVH

"Brendan Gillatt" wrote
in message news:fvqdnduuN-bqurfaRVnyggA@pipex.net...

> You _must_ check for newlines in form to e-mail scripts. If not, a
> malicious user can add their own headers.

Thanks Brendan.