PHP email security on server

Forum Moderators: coopster

Message Too Old, No Replies

PHP email security on server

problems with php email security

mealybar

2:46 pm on Aug 31, 2005 (gmt 0)

Hello
Recently I have had a problem with someone (I think) trying to hack into my server through one of my mail() pages.

I have a series of text variables, some accessable to the user, like message, from, subject, etc and some just radio option boxes. This user has been able to change the variables hidden in the radio options; which brings my first question, Will this user have access to the contents of all of my variables on that page? (as some contain password for mysql server, etc)

In other emails (from the same person I'm guessing) have come through as 'Multipart MIME Messages', I have taken this as the person is trying to run a script on my server, am I right?

Would you be able to offer any advice as to how to stop this person? My php skills have extended to the emailpage and pages with database content, but I dont know anything on how to secure my forms and things. Is this a real threat?

Sorry so many questions,
Richard

dcrombie

3:25 pm on Aug 31, 2005 (gmt 0)

If by modifying the (hidden) variables in your form they can send an email to 'any' address then you have a serious problem.

In generaly, you should secure all pages and forms by cleaning and validating the input. Try searching for "PHP security".

mealybar

8:59 pm on Aug 31, 2005 (gmt 0)

I've been looking through the net, and my server and found that register_globals is actually on! I did the thing with the htaccess file to change this, but all my webserver came out with after that was internal server error 500. Is there another way to turn them off?

I'm just looking at strip_tags() at the moment, will this stop the MIME bit that I was getting above?

What will stop the person getting access to the radio (and maybe others) variable?

Richard

PeteM

4:23 pm on Sep 1, 2005 (gmt 0)

Try renaming .htaccess to php.ini.

Pete

mealybar

10:48 pm on Sep 1, 2005 (gmt 0)

Yesterday I read about the php.ini file, is it true that I will have to place it in all of my folders on my server? Will other settings on the server remain unchanged, or do I have to specify them all?

Thanks

mealybar

6:57 pm on Sep 10, 2005 (gmt 0)

I've now gone through allot of stuff, and to not much joy.

maxlength fields, validating email addresses, turned globals off, checked email addresses before scripts bring run ( mail() ). And still the same.

Can anyone shed some light?

hakre

8:19 am on Sep 11, 2005 (gmt 0)

my tip, keep ever a little rule in mind: input is as much corrupt as you could ever imagine ;).

at your state of knowledge, you think hidden values are hidden. that's not true: it's only an input field type "hidden" and it's everything else than hidden, it's very very visible, even if you can not see it.

a user can even submit data to your script from a form field which does not exist at all.

so keep in mind: whatever data comes into your script from outside, you have to ensure that the data is not malformed at all!

checkout the section variables from outside php [php.net] in the php documentation for more information which kind of data is available to be malformed.

i hope you got this clearly. so many words before answering your question:

Will this user have access to the contents of all of my variables on that page? (as some contain password for mysql server, etc)

there are two ways to answer your question. if the term "page" you refer to, is the page displayed in the browser, than this (and any other) user will have total access and control of the "variables" (correctly: form fields) on that page. just use the view source option of your browser to identify which variables can be read out and manipulated. if you find your mysql username and password in there, take down the page immediatly and consult a professional to solve your security issue(s), this is a very serious issue.

if you refer to your .php file on your server, all the variables are safe there until the attacker gains access to the filesystem on your server. that simple it is.