Security of the mail() function

Forum Moderators: coopster

Message Too Old, No Replies

Security of the mail() function

blaketar

11:09 pm on Jan 22, 2008 (gmt 0)

I am reviewing some of the form scripts on our site while also studying some topics regarding injected headers for security.

One thing I don’t quite understand and hopefully someone can shed some light on it.

If my mail() variables are all hardcoded, for instance the to, subject and body how could a spammer send out a completely different email message to recipients?

Wouldn’t the spammers recipients get an email which had my hardcoded subject and body?

vincevincevince

12:24 pm on Jan 23, 2008 (gmt 0)

Be careful about the headers (From: etc) - those too need to be hardcoded and are the most frequently abused part.

phnord

6:23 am on Jan 25, 2008 (gmt 0)

If a spammer is sending out a different message to your recipient list, it most likely means he/she has hijacked your email list via other methods.

Doing full fledged injection attacks requires a decent amount of knowledge about your existing code.

blaketar

3:53 pm on Jan 25, 2008 (gmt 0)

I do believe our scripts are secure and kinda figured that most hard-coded script forms would be more difficult to abuse. Myself and one other person are the only two who know how the form/variables/process works.

An interesting idea, just like Apache logs ind. processes, it would be interesting to log ind. php functions. You could then review your "php-mail" log to scan for abuse...

coopster

10:50 pm on Jan 25, 2008 (gmt 0)

You can do that. An easy way would be to error_log [php.net] during your mailing routine.