[es] - email form problem

Dukidule
Nis

Član broj: 26640
Poruke: 66
..nis1-nis.customer.sbb.co.yu.

Profil

^{31.01.2006. u 23:49 - pre 221 meseci}

Pre svega da naglasim da sam apsolutni laik za PHP ali sam se ipak usudio da napravim prost skript koji mi salje mail sa forme:

Code:
<?
$website="www.sajt.net";
$youremail="[email protected]";

$sendersname=$_POST['sendersname'];
$sendersemail=$_POST['sendersemail'];
$sendersphone=$_POST['sendersphone'];
$message=$_POST['message'];

$messagetext="$sendersname just sent a message from our website,
$website.\n\nTheir e-mail address was: $sendersemail and their phone:
$sendersphone\n\nTheir message:\n\n $message";

if(mail($youremail,"$website website feedback",$messagetext,"From: $sendersemail\n")) {
header( "Location: http://$website/thankyou.php" );
} else {
header( "Location: http://$website/error.php" );
}
?>

Problem je u tome sto mi stize na stotine mailova iste sadrzine:

Citat:

From: --><script>alert(\'wvs-xss-magic-string-485586978\');</script>
Sent: 31 January 2006 20:58
To: [email protected]
Subject: www.sajt.net website feedback

1 just sent a message from our website, www.sajt.net.

Their e-mail address was: --> alert(\'wvs-xss-magic-string-485586978\'); and their phone: 1

Their message:

1

Kako da se zastitim od ovoga?

Odgovor na temu

sale83
Australia
Sydney

Član broj: 41625
Poruke: 729
*.inabox.net.

+30 Profil

Re: email form problem

^{01.02.2006. u 09:28 - pre 221 meseci}

CjWeb2Mail thankyou.php Multiple Variable XSS

http://www.osvdb.org/displayvuln.php?osvdb_id=19497

Sto mozes danas ne ostavljaj za sutra!

Odgovor na temu

Dukidule
Nis

Član broj: 26640
Poruke: 66
..nis1-nis.customer.sbb.co.yu.

Profil

Re: email form problem

^{01.02.2006. u 12:55 - pre 221 meseci}

Citat:

sale83: CjWeb2Mail thankyou.php Multiple Variable XSS

http://www.osvdb.org/displayvuln.php?osvdb_id=19497

Dobro, ali kako da sprecim ovo? Da li su moguce neke izmene u onom PHP kodu koje bi onemogucile ovakve stvari?

Odgovor na temu

Nemanja Avramović
Engineering Manager
MENU Technologies
Beograd, Srbija

Moderator
Član broj: 32202
Poruke: 4391
195.252.99.*

Sajt: https://avramovic.info

+46 Profil

Re: email form problem

^{01.02.2006. u 13:16 - pre 221 meseci}

Citat:

CJWeb2Mail contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'name', 'message' and 'ip' variables upon submission to the 'thankyou.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Zaci treba da napravis validaciju forme koja ce proveravati validnost unete e-mail adrese i to je to. Potrazi na forumu ovde tu skripticu, bilo je govora o ovome. Takodje uradi strip_tags i jos neke poznate metode zastite od sql injection-a (mada ovo nije sql injection), a mozes i da ogranicis slanje maila na npr. 1 mail u roku od pola sata... mada, ako vise korisnika ima istu ip to moze da bude zeznuto... onda mozes da koristis sesije u istu svrhu, itd itd...

Laravel Srbija.

_{[NE PRUŽAM PODRŠKU ZA PHP PREKO PRIVATNIH PORUKA!]}

Odgovor na temu