Can you share with us the current mod_security configuration, so we can have an idea of what filtering it is doing (both out of curiosity and also to help predict any problems we might have with legitimate scripts)?
Re: contact.php hacking
-
I made a few modifications to that PHP script.
As you're passing data that can be written to the $header variable, it's wise to run some checks on those pieces of information.
I used the safe() function that was posted by DJN earlier on in this thread.
You can also use the function on the other data being passed if you need to, but the most dangerous information is being passed to the headers.
PHP Code:
<?php
// Strip CR/LF (raw and URL-encoded) and a few header names, so a POST value
// cannot start a new header line when it is concatenated into $header.
function safe( $email ) {
    return ( preg_replace(array("/\r/i","/\n/i", "/%0a/i", "/%0d/i", "/Content-Type:/i", "/bcc:/i", "/to:/i", "/cc:/i"), "", $email) );
}

if(!empty($_POST['sender_mail']) || !empty($_POST['sender_message']) || !empty($_POST['sender_subject']) || !empty($_POST['sender_name']))
{
    $to = "you@email.com";
    // The subject becomes a header line as well, so it gets the same treatment.
    $subject = safe(stripslashes($_POST['sender_subject']));
    // The body is plain text; data here cannot add headers.
    $body = stripslashes($_POST['sender_message']);
    $body .= "\n\n---------------------------\n";
    $body .= "Mail sent by: " . $_POST['sender_name'] . " <" . $_POST['sender_mail'] . ">\n";
    $body .= "Website: " . $_POST['sender_website'] . "\nPhone:" . $_POST['sender_phone'] . "\n";
    $body .= "IP Address: " . $_SERVER['REMOTE_ADDR'] . "\n";
    // Everything that lands in $header comes through safe().
    $header = "From: " . safe($_POST['sender_name']) . " <" . safe($_POST['sender_mail']) . ">\n";
    $header .= "Reply-To: " . safe($_POST['sender_name']) . " <" . safe($_POST['sender_mail']) . ">\n";
    $header .= "X-Mailer: PHP/" . phpversion() . "\n";
    $header .= "X-Priority: 1";
    if(@mail($to, $subject, $body, $header))
    {
        echo "output=sent";
    } else {
        echo "output=error";
    }
} else {
    echo "output=error";
}
?>
David
Last edited by sdjl; 11-19-2005, 08:19 AM.
-----
Do you fear the obsolescence of the metanarrative apparatus of legitimation?
-
I really shouldn't post code before duly testing it and double-checking the docs. The safe() function will output warnings at E_ALL & ~E_NOTICE level and sometimes will just empty the $email variable even when its content is legit. Sorry about that.
I've since rewritten (AND tested) the thing thus:
PHP Code:
// Remove CR/LF (raw and URL-encoded) and a few header names from a value
// before it is placed in a mail header.
function safe( $email ) {
    return ( preg_replace(array("/\r/i","/\n/i", "/%0a/i", "/%0d/i", "/Content-Type:/i", "/bcc:/i", "/to:/i", "/cc:/i"), "", $email) );
}
So far it does the job cleanly, should anybody see any mishap please post it here...
BTW, mod_security is great news. Will we be allowed to configure it in .htaccess? I agree that the final responsibility for security belongs to the script, but there is stuff (say forums or phpList) where I'd appreciate using it as a temporary barrier until a patch is issued, should any new vulnerability become fashionable...
-
Originally posted by djn
BTW, mod_security is great news. Will we be allowed to configure it in .htaccess? I agree that the final responsibility for security belongs to the script, but there is stuff (say forums or phpList) where I'd appreciate using it as a temporary barrier until a patch is issued, should any new vulnerability become fashionable...
I'm honestly not sure if you're able to configure your own mod_security rules via .htaccess at this point, I've not worked that far into it. However, it should work.
-
Originally posted by Pedja
Is it possible that mod_security sends email to account contact email, when it finds something suspicious?
Originally posted by AndrewT
Sorry, that is not an option.
Whilst you can't get mod_security to send you an email, you can set up PHP error logging to email you when it comes across a 406 error. I have this set up to send me a debug_backtrace() as well as a session dump and the script that was called.
Gives me some insight as to what went wrong and how I can fix it.
It's also nice to have a beautified 406 page, the default one looks a little bland.
David
-----
Do you fear the obsolescence of the metanarrative apparatus of legitimation?
-
Originally posted by AndrewT
I'm honestly not sure if you're able to configure your own mod_security rules via .htaccess at this point, I've not worked that far into it. However, it should work.
Is that a Flash 8 file? I am having difficulties opening it... I am just curious how you did that. I'm a newbie to Flash. I am currently using Flash 7.
Sorry I gave up blogging for web design.
-
I've been looking at this thread, and I'm a bit puzzled why a cloaked redirect wouldn't avoid the problem.
I.e. use a random post action on your contact form, like this:
<input type="hidden" name="recipient" value="randomnumbersandlettershere">
And in your formmail.php:
$recipient_array = array('randomnumbersandlettershere'=>'info@example.com');
(The above is the method used by the present boaddrink script.)
Or would the form still be piggybacked?
~ Tim Gallant ~ http://www.pactumweb.com
-
Originally posted by timg
Code:
<input type="hidden" name="recipient" value="randomnumbersandlettershere">
PHP Code:
$recipient_array = array('randomnumbersandlettershere'=>'info@example.com');
That may not be a problem in itself.
However, any user data used in the mail headers might be a problem. AFAIK that's where the current problem has been centered.
"Whatcha mean I shouldn't be rude to my clients?! If you want polite then there will be a substantial fee increase." - Buddha
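The two points above (David's post that the header fields are where sanitising matters, and timg's question about whether a recipient-token lookup is enough) can be shown together in one runnable model. The following is an added example, not code from this thread or from the contact.php script: it is a Python port of the $header construction, with djn's safe() patterns ported one-for-one, a constructed attacker value for sender_mail, a constructed recipient token, and a hardened check that rejects bad addresses instead of stripping parts of them.

```python
"""Added example (not code from the thread): a Python model of how the
contact.php headers are assembled from POST fields, an injection against the
unsanitised build, djn's safe() ported as posted, and a hardened check that
rejects bad input instead of stripping it. All inputs are constructed."""
import re
from email.utils import parseaddr
from typing import Callable, List, Optional

# djn's safe() patterns, ported one-for-one (case-insensitive, as in the PHP).
_SAFE_PATTERNS = [r"\r", r"\n", r"%0a", r"%0d", r"Content-Type:", r"bcc:", r"to:", r"cc:"]


def safe(value: str) -> str:
    """Strip CR/LF, their URL-encoded forms and a few header names anywhere in the string."""
    for pat in _SAFE_PATTERNS:
        value = re.sub(pat, "", value, flags=re.IGNORECASE)
    return value


def build_headers(name: str, mail: str, sanitize: Optional[Callable[[str], str]] = None) -> str:
    """Mirror of the $header string in the thread's script; sanitize is applied per field if given."""
    f = sanitize or (lambda s: s)
    header = f"From: {f(name)} <{f(mail)}>\n"
    header += f"Reply-To: {f(name)} <{f(mail)}>\n"
    header += "X-Priority: 1"
    return header


def injected_recipients(header: str) -> List[str]:
    """Addresses an MTA would pick up from To:/Cc:/Bcc: lines inside the header block."""
    found: List[str] = []
    for line in re.split(r"\r\n|\n", header):
        m = re.match(r"(?i)^(to|cc|bcc):\s*(.+)$", line)
        if not m:
            continue
        for addr in m.group(2).split(","):
            addr = addr.strip().strip("<>")
            if addr and addr not in found:
                found.append(addr)
    return found


# Constructed attacker value for sender_mail: a valid-looking address, then CRLF and a Bcc: line.
INJECTED_MAIL = "bob@example.org\r\nBcc: spam1@example.net, spam2@example.net"

# timg's recipient-token idea, with a constructed token. The map only fixes $to.
RECIPIENTS = {"a8f3kq": "info@example.com"}


def resolve_recipient(token: str) -> Optional[str]:
    """Known token -> real address; unknown token -> None (caller must not send)."""
    return RECIPIENTS.get(token)


def demo_unsanitised() -> tuple:
    """$to comes from the map, yet the injected Bcc: still arrives via the From/Reply-To headers."""
    return resolve_recipient("a8f3kq"), injected_recipients(build_headers("Bob", INJECTED_MAIL))


def demo_safe() -> List[str]:
    """With safe() applied no extra recipient line survives; the From: value is mangled, not rejected."""
    return injected_recipients(build_headers("Bob", INJECTED_MAIL, sanitize=safe))


_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def validate_address(mail: str) -> Optional[str]:
    """Hardened alternative: accept one bare address or nothing; never try to repair the input."""
    if re.search(r"[\r\n\x00]", mail):
        return None
    _, addr = parseaddr(mail)
    if addr != mail or not _ADDR_RE.match(addr):
        return None
    return addr
```

demo_unsanitised() shows why the recipient map alone does not help: the real address comes from the lookup, but the attacker's Bcc: line rides in on sender_mail. demo_safe() shows that djn's patterns do stop that, at the cost of also rewriting legitimate text: safe("Re: photo: order") becomes "Re: pho order" because "to:" is removed wherever it appears. validate_address() takes the other route the thread's script could use: if the value is not exactly one plain address, return None and answer output=error rather than sending anything.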
-
Okay, thanks, guys.
So, to be clear re that defensive PHP code on page 5 of this thread: does that go in the form itself on the web page? Or does it go in the formmail script? I'm not clear how to use this.
~ Tim Gallant ~ http://www.pactumweb.com
-
Not sure which code you're referring to here. I only have two pages (with 40 items each) to this thread. [I notice that each post is numbered in the right-hand corner.] However, without seeing your own code I have no idea what measures you need to take.
"Whatcha mean I shouldn't be rude to my clients?! If you want polite then there will be a substantial fee increase." - Buddha