
PHP Server Side Scripting Forum

    
Security of the mail() function
blaketar
msg:3555133
11:09 pm on Jan 22, 2008 (gmt 0)

I am reviewing some of the form scripts on our site while also studying some topics regarding injected headers for security.

One thing I don't quite understand, and hopefully someone can shed some light on it:

If my mail() variables are all hardcoded, for instance the to, subject and body, how could a spammer send out a completely different email message to recipients?

Wouldn't the spammer's recipients get an email which had my hardcoded subject and body?

 

vincevincevince
msg:3555662
12:24 pm on Jan 23, 2008 (gmt 0)

Be careful about the headers (From: etc) - those too need to be hardcoded and are the most frequently abused part.

phnord
msg:3557568
6:23 am on Jan 25, 2008 (gmt 0)

If a spammer is sending out a different message to your recipient list, it most likely means he/she has hijacked your email list via other methods.

Doing full-fledged injection attacks requires a decent amount of knowledge about your existing code.

blaketar
msg:3557884
3:53 pm on Jan 25, 2008 (gmt 0)

I do believe our scripts are secure and kinda figured that most hard-coded script forms would be more difficult to abuse. One other person and I are the only two who know how the form/variables/process works.

An interesting idea, just like Apache logs ind. processes, it would be interesting to log ind. php functions. You could then review your "php-mail" log to scan for abuse...

coopster
msg:3558251
10:50 pm on Jan 25, 2008 (gmt 0)

You can do that. An easy way would be to error_log [php.net] during your mailing routine.
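One way to put the advice in this thread into code, as an added example that is not from any of the posters: the recipient, subject and From: header are hardcoded, the only visitor-supplied header value (their address, used in Reply-To) is validated and refused if it contains a CR or LF, and every call is recorded with error_log() so a "php-mail" log can be reviewed. The addresses and the log format are assumed placeholders.

```php
<?php
// Added example, not code from the thread. To, Subject and From are hardcoded;
// only the visitor's address and message come from the form.

const MAIL_TO      = 'contact@example.com';   // assumed recipient
const MAIL_SUBJECT = 'Website contact form';  // hardcoded subject
const MAIL_FROM    = 'webform@example.com';   // hardcoded From: header (assumed)

// A header value must never contain CR or LF: that is what lets a submitted
// field start extra headers (Bcc:, a second To:, ...) inside mail().
function contains_header_break(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Returns true when mail() accepted the message, false when the submission
// was rejected or mail() failed. Each outcome is written to the PHP error log.
function send_contact_mail(string $visitor_email, string $message): bool
{
    $client = $_SERVER['REMOTE_ADDR'] ?? 'cli';

    if (contains_header_break($visitor_email)
        || filter_var($visitor_email, FILTER_VALIDATE_EMAIL) === false) {
        // Log the refusal rather than the raw value, so the log itself
        // cannot be polluted with injected line breaks.
        error_log(sprintf('php-mail: rejected from=%s reason=bad-reply-to', $client));
        return false;
    }

    // The visitor's address only ever lands in Reply-To; From stays ours.
    $headers = [
        'From: ' . MAIL_FROM,
        'Reply-To: ' . $visitor_email,
        'Content-Type: text/plain; charset=UTF-8',
    ];

    // The body is separate from the headers, so line breaks in the message
    // text are fine here.
    $ok = mail(MAIL_TO, MAIL_SUBJECT, $message, implode("\r\n", $headers));

    // One line per mail() call: the "php-mail" log the thread talks about.
    error_log(sprintf('php-mail: client=%s to=%s reply_to=%s result=%s',
                      $client, MAIL_TO, $visitor_email, $ok ? 'sent' : 'failed'));
    return $ok;
}
```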
