Gossamer Forum

security question

is it possible for a spammer to use dbman to send emails by somehow inserting a cc: or bcc: into the header of a message. i notice the spambuster hack shows the sender's email address in the FROM box of the email message. from what i've read, that is the problem with an incorrect implementation of formmail -- form variables should not be used in the header of an email.
Re: [delicia] security question
I'd like to read any info you have about how to make the mods more secure. I don't know what is possible and what isn't. Hackers are a lot smarter than I am.
:-)

I can't guarantee full security on anything, and I don't think anyone can.

Edited to add:

I found a page about it in a discussion of PHP. I think, from the information that it says on the page -- http://www.nyphp.org/...header_injection.php -- that I have enough safeguards in my checking that the email address is in the proper format. If anyone has any suggestions as to how to make it more secure, I'd gladly incorporate whatever code you'd like to offer, and give you full credit.


JPD
----------------------------------------------------
JPDeni's DBMan-ual
How to ask questions the smart way.

Last edited by: JPDeni: Mar 13, 2006, 6:27 PM
Re: [JPDeni] security question
good article but a little over my head! is there more checking than this?
Code:

unless ($in{'email'} =~ /.+\@.+\..+/) { $message = "Your email address is not in the correct format.<BR>"; }
unless ($in{'subject'}) { $message .= "You must fill in a subject for your message.<BR>"; }

what prevents the %0a etc being included in one of these two form fields, thus injecting Bcc header? i'm struggling to understand this because i get a lot of what i hope is just attempts to determine if i'm vulnerable. i hope they're not successful!
Re: [delicia] security question
I don't know what %0a would do. However, you can do some testing for me to be sure things work and, if they do, I can make a change in the mod.

Change

Code:
unless ($in{'email'} =~ /.+\@.+\..+/) { $message = "Your email address is not in the correct format.<BR>"; }


to

Code:
unless ($in{'email'} =~ /^[A-Z0-9._%-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i) { $message = "Your email address is not in the correct format.<BR>"; }


This check of email isn't quite as complicated as the one on that php page, but I understand it better. Here's what it means:

Start with one or more characters that are letters, numbers, periods, underscores, percent signs or hyphens
followed by an @ sign
followed by one or more characters that are letters, numbers, periods or hyphens
followed by a "dot"
followed by 2 to 4 letters, at the end of the string.
(and don't worry about whether letters are upper or lower case)

Compare that to the original, which is
One or more characters
followed by an @ sign
followed by one or more characters
followed by a "dot"
followed by one or more characters

The new one is probably more secure than the one currently in the mod, but not perfect. I read that a regular expression which would cover almost every conceivable email address that somebody wrote is 6,598 characters long. And it's still not 100%.

As for the subject line, what are the strings that might cause a problem? They can go on lines that look something like this:

Code:
if ($in{'subject'} =~ /bad text/) { $message .= "You have included illegal characters in the subject line.<BR>"; }



Add one line for every type of bad text that you can think of. :-)

If you have this up and running and would be willing to test it out, that would be great.


JPD
Re: [JPDeni] security question
i entered the following as the sender's email address:
Code:

sender@anonymous.www%0ACc:recipient@someothersite.xxx%0ABcc:somebloke@grrrr.xxx,someotherbloke@oooops.xxx

substituting real email addresses that i check. before your solution, the script sent the email to all of the addresses in the CC and BCC parts. after your solution i got the error that email address was not in correct format. so hopefully that fixed it.

my solution for the subject, was to change the script to hardcode the subject and put the sender's "subject" in the body by changing:
Code:
print MAIL "Subject: $in{'subject'}\n\n";
print MAIL "-" x 75 . "\n\n";
print MAIL "$in{'emailmessage'}";

to:

Code:

print MAIL "Subject: webform $rec{'Firstname'} $rec{'Lastname'}\n\n";
print MAIL "-" x 75 . "\n\n";
print MAIL "$in{'subject'}\n\n";
print MAIL "$in{'emailmessage'}";

this would probably be the safest solution to the email address problem too. just hardcode the admin email address and put the sender's email address in the body. by hardcode, i mean use the database-defined admin email address.

i guess dbman is not as vulnerable to this type of attack because you can't google the send_email link.
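The two e-mail checks and the two message layouts discussed above, side by side, as an added Perl example (not code from DBMan or from either poster). The test values are constructed, modelled on the address posted earlier in the thread, and the `$title` string stands in for whatever the script would use.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Check as it was in the mod: unanchored, any characters around the @ and the dot.
sub email_ok_old { my ($a) = @_; return $a =~ /.+\@.+\..+/ ? 1 : 0 }

# Check proposed in the thread: anchored, restricted character set, one @ only.
sub email_ok_new {
    my ($a) = @_;
    return $a =~ /^[A-Z0-9._%-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i ? 1 : 0;
}

# Message as the original script built it: the user's subject becomes a header line.
sub message_old {
    my ($in) = @_;
    return "Subject: $in->{subject}\n\n" . ("-" x 75) . "\n\n$in->{emailmessage}";
}

# Message as rewritten in the thread: fixed Subject, user's subject moved into the body.
sub message_new {
    my ($in, $title) = @_;
    return "Subject: a message via $title\n\n" . ("-" x 75)
         . "\n\n$in->{subject}\n\n$in->{emailmessage}";
}

# Number of header lines before the blank line that ends the header block.
sub header_count {
    my ($msg) = @_;
    my ($hdr) = split /\n\n/, $msg, 2;
    my @lines = split /\n/, $hdr;
    return scalar @lines;
}

# Constructed inputs. A CGI library decodes %0A to "\n" before the script
# ever sees the value, so decode the posted form here the same way.
my $raw = 'sender@anonymous.www%0ACc:recipient@someothersite.xxx%0ABcc:somebloke@grrrr.xxx';
(my $email = $raw) =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
my %in = (subject => "hello\nBcc: somebloke\@grrrr.xxx", emailmessage => 'body text');

printf "old regex: %s\n", email_ok_old($email) ? 'ACCEPTED' : 'rejected';
printf "new regex: %s\n", email_ok_new($email) ? 'ACCEPTED' : 'rejected';
printf "old layout: %d header line(s)\n", header_count(message_old(\%in));
printf "new layout: %d header line(s)\n", header_count(message_new(\%in, 'DBMan'));
```

The unanchored pattern matches the first line of the decoded value and lets the rest through, while the anchored pattern cannot span the newline; the second pair of lines shows why moving the subject into the body stops it from adding header lines at all.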
Re: [delicia] security question
It is good to know that the email thing works. Thanks.

Your workaround for the subject works. You could also have something like:

Code:

print MAIL "Subject: a message via $html_title\n\n";
print MAIL "-" x 75 . "\n\n";
print MAIL "$in{'subject'}\n\n";
print MAIL "$in{'emailmessage'}";


Quote:

just hardcode the admin email address and put the sender's email address in the body.

Another option would be to only allow registered users to send email from the database. That way the script can just look up the sender's address. This would be most secure for the recipient of the email, especially if the secure password lookup mod was used. It would assure that the email address is a real one. I guess I can have several "flavors" of the mod available, depending on the user's preference.

One thing that hadn't occurred to me at the time that I wrote the mod was that there really ought to be a field in the database for each user to indicate whether they are willing to accept emails from people through their records.


JPD
Re: [JPDeni] security question
Just curious... what would be the reason for going thru all the bcc and cc trouble? Why wouldn't the spammer just stick in a bunch of emails separated by commas and not worry about the "bcc" ?

In addition, the above article is a good reason to "turn off" any scripts that come "free" with your webhosting that you aren't using. We've gone in and renamed all of our "auto-responder" and formmail and wwwthreads scripts that our host "provides" as a service so that they no longer work. Many of these "free" scripts are old versions that have been hacked and exploited and are well known.

Also, also - filter out any script code (which I believe dbman does) from the input fields. I also limit all of my input tags using the "maxlength" attribute set to a realistic number, however I'm not so sure that'd work if being passed along in a URL instead of actually filling out the form.

Last edited by: Watts: Mar 14, 2006, 10:36 AM
Re: [Watts] security question
Quote:
Why wouldn't the spammer just stick in a bunch of emails separated by commas and not worry about the "bcc" ?

Good question. None of this stuff ever occurred to me before. Just too trusting, I guess. But with the new code, the commas wouldn't work either because the code doesn't allow commas.

DBMan filters out any SSI code. I don't know if other code has to be filtered out or not.


JPD
Re: [JPDeni] security question
they wouldn't put addresses separated by commas because it is the from field that we're letting them enter, not the to field. if they can put in newline characters and then enter new header lines that aren't in the form (like cc and bcc) they can put in lots of email addresses to send to. they can also insert html code. i found a great article on how it's done http://securephp.damonkohler.com/....php/Email_Injection -- the article is about php but much of it will work in perl code.

and my previous comment about formmail should have been cgiemail. i think formmail is much easier to spam from what i've read. i think it is possible to set up cgiemail securely.
Re: [delicia] security question
I definitely appreciate the information and the ability to update the mod. It was an interesting and complete article, which makes everything clearer to me.

I ended up adding the more advanced email matching which, as you said, gives an error when you try to add more than one line in the sender field. And I changed the subject for the email to "A message from $html_title." Of course, any user could change it to whatever they wanted, but this uses an already-existing variable so that I don't have to redefine a new one. Also, if I get an email that has a subject line with my name, I delete it without reading. They've always been spam mail.

I really appreciate all of your help here.

Edited to add:
I really think the new structure is safe in this regard. If there is more than one @ sign in the sender field, it will cause an error, so there can only be one email address.


JPD
Last edited by: JPDeni: Mar 15, 2006, 6:07 AM