
is stripslashes causing the problem?

Posted: Thu Mar 23, 2006 9:57 am
by dru_nasty
I have a form to send html email. I've used this same code on another server and all works fine.
I fill out the form (with the ability to use html) and it sends to emails from a db.

I tried using it for another site on another server and the script echoes the emails it was sent to, but the emails never go through. I'm only posting this little snippet since it's where I believe the problem to be. If otherwise, I can post the entire script.

Code:

while ($row = mysql_fetch_array($result)) {
	set_time_limit(0);
	$email = $row['email'];
	mail("$email", stripslashes($_POST[subject]), stripslashes($_POST[message]), $headers);
	echo "newsletter sent to: $email<br>";
}
My guess is that it has something to do with the stripslashes in the mail() function.
I know this can cause issues with magic_quotes (which I'm not that familiar with, I'm still a newb).
So here is how PHP is configured on this server if any of this matters:

Directive             Local Value   Master Value
magic_quotes_gpc      On            On
magic_quotes_runtime  Off           Off
magic_quotes_sybase   Off           Off

Thanks!

Posted: Thu Mar 23, 2006 10:16 am
by mattcooper
Try this...

Code:

$subject=stripslashes($_POST['subject']);
$message=stripslashes($_POST['message']);

mail($email, $subject, $message, $headers);
Let me know how you go!

Posted: Thu Mar 23, 2006 10:44 am
by dru_nasty
mattcooper wrote:Try this...

Code:

$subject=stripslashes($_POST['subject']);
$message=stripslashes($_POST['message']);

mail($email, $subject, $message, $headers);
Let me know how you go!
That did the trick! Thanks :D

What would you say it was? The double quotes around email, or the lack of single quotes around the subject and message?

Posted: Thu Mar 23, 2006 11:06 am
by feyd
you have a great potential for helping spammers do their thing with this code.

viewtopic.php?t=44097 should be of great interest.

Posted: Thu Mar 23, 2006 11:53 am
by dru_nasty
Here is the entire script. I checked out that thread and also did some more searching on the subject. Jeez, nothing is safe!
I gathered that there is no true way to stop spammers entirely, but there are a number of preventative measures that can be taken to lower the chance of being used.
Within my code, I'm not sure where to begin. I don't want to spend hours obsessing over security for this smalltime mailer, but I would like to lower the probability of being used.
Anyone have any ideas for this code:

Code:

<?php
// Show the form unless it was submitted with op=send.
if (!isset($_POST['op']) || $_POST['op'] != "send") {
	echo "
	<HTML>
	<HEAD>
	<TITLE>Send a Newsletter</TITLE>
	</HEAD>
	<BODY>
	<h1>Email Blast</h1>
	<form method=\"post\" action=\"$_SERVER[PHP_SELF]\">
	<P><strong>Subject:</strong><br>
	<input type=\"text\" name=\"subject\" size=30></p>
	<P><strong>Mail Body: (html emails can be sent)</strong><br>
	<textarea name=\"message\" cols=50 rows=10 wrap=virtual></textarea>
	<input type=\"hidden\" name=\"op\" value=\"send\">
	<p><input type=\"submit\" name=\"submit\" value=\"Send It\"></p>
	</FORM>
	</BODY>
	</HTML>";

} else {
	// Bounce back to the form if either field is empty.
	if (($_POST['subject'] == "") || ($_POST['message'] == "")) {
		header("Location: send_mail.php");
		exit;
	}

	$conn = mysql_connect("host", "username", "password") or die(mysql_error());
	mysql_select_db("dbname", $conn) or die(mysql_error());

	$sql = "select email from subscribers";
	$result = mysql_query($sql, $conn) or die(mysql_error());

	// Headers are hardcoded; nothing from the request reaches them.
	$headers = "MIME-Version: 1.0\r\n";
	$headers .= "Content-Type: text/html; charset=iso-8859-1\r\n";
	$headers .= "From: Newsletter <sales@domainname.com>\r\n";

	// Undo magic_quotes_gpc escaping once, then send to every subscriber.
	$subject = stripslashes($_POST['subject']);
	$message = stripslashes($_POST['message']);

	while ($row = mysql_fetch_array($result)) {
		set_time_limit(0);
		$email = $row['email'];
		mail($email, $subject, $message, $headers);
		echo "newsletter sent to: $email<br>";
	}
}
?>

Posted: Thu Mar 23, 2006 12:45 pm
by mattcooper
feyd wrote:you have a great potential for helping spammers do their thing with this code.
I fully take your point. However, that was not my intention (assuming, that is, that you directed that at me!) - being a victim of spam at the moment, I ought to have thought of it.

Cheers for pointing that out.

Posted: Thu Mar 23, 2006 1:27 pm
by matthijs
dru_nasty, the most important issue is that spammers cannot misuse your script to send mail to others. With every form online you will receive some spam. But that's not a problem, merely an annoyance for you.

But if your script is vulnerable to email injection (see the other 890 threads) your script will be used to send spam mail to thousands of others, from your domain.

Not too long ago I had to do a cleanup on a domain from which a few thousand mails were sent ....

The weak point is in the $headers. If you include a $_POST['fromemail'] directly into that, it can be misused. Like this:

Code:

$headers = "MIME-Version: 1.0\r\n";
$headers .= "Content-Type: text/html; charset=iso-8859-1\r\n";
$headers .= "From: Newsletter <{$_POST['fromemail']}>\r\n";  // request data goes straight into a header
But in your case it looks ok, as you hardcoded the $headers.

But do read some more about it, as it is an important issue. Luckily not too hard to solve.

One other thing, $_SERVER["PHP_SELF"] can also be tainted. So hardcode that value as well or use htmlentities($_SERVER["PHP_SELF"] , ENT_QUOTES, 'UTF-8')
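Pulling together the two technical points in this thread, when stripslashes() is actually warranted under magic_quotes_gpc and how to keep request data out of mail headers, here is an added example of my own. It is not code from dru_nasty's send_mail.php or from matthijs's post; the function names (unmagic, safe_address, safe_subject, build_headers, recipient_list, form_action) and every sample input, including the injected From and Subject values, are mine and constructed. It targets PHP 7/8, where magic quotes no longer exist, so unmagic() is a no-op there, and it never calls mail().

```php
<?php
// Added example, not code from the thread: input handling for a mailer like
// send_mail.php, hardened against the header injection matthijs describes.
// Function names and all sample inputs below are my own / constructed.
declare(strict_types=1);

// stripslashes() is only correct when magic_quotes_gpc actually escaped the
// input. PHP 7.4 deprecated get_magic_quotes_gpc() and PHP 8 removed it, so
// on modern PHP this returns the value untouched.
function unmagic(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Validate an address before it is allowed near a header. A value that passes
// FILTER_VALIDATE_EMAIL contains no CR, LF or whitespace, which is exactly
// what an injected "Bcc:" line needs.
function safe_address(string $candidate): ?string
{
    $candidate = trim($candidate);
    $ok = filter_var($candidate, FILTER_VALIDATE_EMAIL);
    return $ok === false ? null : $ok;
}

// A Subject must stay a single header line. Reject CR/LF/NUL rather than
// silently stripping them, so an injection attempt fails loudly.
function safe_subject(string $subject): ?string
{
    if (preg_match('/[\r\n\x00]/', $subject) === 1) {
        return null;
    }
    return trim($subject);
}

// Build the header block from a validated From address. The pattern quoted
// in the thread,
//     $headers .= "From: Newsletter <{$_POST['fromemail']}>\r\n";
// lets a POST body such as
//     fromemail=sales@example.com%0D%0ABcc:victim@example.net
// add its own Bcc header. Here the same input is refused instead.
function build_headers(string $fromAddress): ?string
{
    $from = safe_address($fromAddress);
    if ($from === null) {
        return null;
    }
    return "MIME-Version: 1.0\r\n"
         . "Content-Type: text/html; charset=UTF-8\r\n"
         . "From: Newsletter <{$from}>\r\n";
}

// Recipients come from the database, but validate them too: a row that has
// been tampered with is just another way to get CR/LF into mail().
function recipient_list(array $rows): array
{
    $out = [];
    foreach ($rows as $row) {
        $addr = safe_address((string) ($row['email'] ?? ''));
        if ($addr !== null) {
            $out[] = $addr;
        }
    }
    return $out;
}

// The form's action attribute: escape PHP_SELF so a request path like
//     /send_mail.php/"><script>...</script>
// cannot break out of the attribute. Hardcoding the path works as well.
function form_action(): string
{
    return htmlspecialchars($_SERVER['PHP_SELF'] ?? 'send_mail.php', ENT_QUOTES, 'UTF-8');
}

// Constructed inputs (no real requests or mailboxes) showing what is kept
// and what is refused. Nothing is actually sent.
$checks = [
    'clean From'       => build_headers('sales@example.com'),
    'injected From'    => build_headers("sales@example.com\r\nBcc: victim@example.net"),
    'clean Subject'    => safe_subject(unmagic('March newsletter')),
    'injected Subject' => safe_subject("March newsletter\r\nBcc: victim@example.net"),
];
foreach ($checks as $label => $result) {
    printf("%-16s => %s\n", $label, $result === null ? 'REJECTED' : 'ok');
}

$rows = [
    ['email' => 'alice@example.com'],
    ['email' => "bob@example.com\r\nBcc: victim@example.net"],
    ['email' => 'not an address'],
];
printf("recipients kept: %s\n", implode(', ', recipient_list($rows)));
```

Run it from the command line with php; it prints which constructed inputs are accepted and which are refused. Separate from the header question, note that send_mail.php as posted has no access control at all: any request carrying op=send reaches mail() once per subscriber with whatever HTML the sender chose. Putting that page behind authentication is the single change that most limits what a spammer can do with it; the validation above only keeps the messages that are sent from carrying extra recipients or forged headers.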

Posted: Thu Mar 23, 2006 1:49 pm
by dru_nasty
Thanks for all the input. I was unaware of the great amount of vulnerability. I'll def do some research on the matter to try and prevent it from happening. :)