Page Generation Date and Time:
11/21/2024 09:11:09

 
Security Hole Mail Header Injection at PHP

If you use PHP to send email (especially from an HTML form), you must take extra precautions. In the last few weeks, many people have been actively trying to exploit PHP scripts that use the mail() function:

mail($recipient, $subject, $message, [$extraheaders], [$extraparams]);

The most common mistake PHP programmers make is not validating every variable that arrives at their server. If a variable comes from an HTML form, an attacker can append extra headers to it, which can cause trouble for your server or let the attacker send spam through it.

As an example, look at this code:

mail("me@example.net", $subject, $text, "From: $email");

It has a security hole if you do not validate the $subject and $email variables: mail() places both of them in the message headers, so a value containing a line break ends the header it was meant for and starts a new one (for example an extra Bcc: line).

The simplest way to detect a header-injection attempt is to check whether those variables contain a newline character (\r or \n). Here is an example that checks $subject (the original used eregi(), which was removed in PHP 7; preg_match() does the same job):

if (preg_match("/[\r\n]/", $subject)) {
    die("Why??");
}

Make sure you check every variable that arrives at your server. Besides the example above, you must also check the $email variable that is passed to mail().
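The following is an added example, not code from the original article: it puts the vulnerable "From: $email" header build next to a hardened version and runs both against a constructed injection payload, so you can see the extra Bcc: line appear in one and be rejected by the other. The function names (buildHeadersVulnerable, buildHeadersSafe, assertSingleHeaderValue, validatedEmail) and the sample addresses are assumptions made for the example; nothing here actually calls mail().

```php
<?php
// Added example (not from the original article). Builds the header string
// that would be handed to mail() so the effect of an injected CRLF is visible
// from the CLI. No mail is sent.
declare(strict_types=1);

// Constructed attacker input: a valid-looking address followed by CRLF and an
// extra Bcc: header, the classic mail-injection payload.
const INJECTED_EMAIL = "bob@example.org\r\nBcc: victim1@example.net,victim2@example.net";

// Vulnerable: interpolates user input straight into the header block, exactly
// like mail("me@example.net", $subject, $text, "From: $email") in the article.
function buildHeadersVulnerable(string $email): string
{
    return "From: $email\r\n";
}

// Hardened step 1: refuse any control character that can terminate a header
// line (CR, LF, NUL). This is the check the article describes, applied to every
// value that ends up in a header, not only the address.
function assertSingleHeaderValue(string $value, string $field): string
{
    if (preg_match('/[\r\n\x00]/', $value)) {
        throw new InvalidArgumentException("$field contains a line break");
    }
    return $value;
}

// Hardened step 2: require a syntactically valid address on top of the
// control-character check, so only one mailbox can appear in From:.
function validatedEmail(string $email): string
{
    $email = assertSingleHeaderValue($email, 'email');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('email is not a valid address');
    }
    return $email;
}

// Hardened From: header. The optional display name is quoted with quotes and
// backslashes escaped; it has already been checked for CR/LF.
function buildHeadersSafe(string $email, string $name = ''): string
{
    $email = validatedEmail($email);
    $name  = assertSingleHeaderValue($name, 'name');
    $from  = $name === ''
        ? $email
        : '"' . addcslashes($name, "\"\\") . '" <' . $email . '>';
    return "From: $from\r\n";
}

function main(): void
{
    echo "--- vulnerable: two header lines come out of one form field ---\n";
    echo buildHeadersVulnerable(INJECTED_EMAIL);

    echo "--- hardened: the same payload is rejected ---\n";
    try {
        echo buildHeadersSafe(INJECTED_EMAIL);
    } catch (InvalidArgumentException $e) {
        echo "rejected: " . $e->getMessage() . "\n";
    }

    echo "--- hardened: a subject is checked the same way ---\n";
    try {
        assertSingleHeaderValue("Hello\r\nBcc: victim3@example.net", 'subject');
    } catch (InvalidArgumentException $e) {
        echo "rejected: " . $e->getMessage() . "\n";
    }

    echo "--- hardened: legitimate input still produces a single From: line ---\n";
    echo buildHeadersSafe('bob@example.org', 'Bob "The Builder"');
}

main();
```

Run it with the PHP CLI (php example.php). The vulnerable branch prints the injected Bcc: as a header of its own; the hardened branch stops at the control-character check before filter_var() is even consulted, which is why the check on CR/LF rather than on header keywords is the one that closes the hole.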

Here is the sample PHP code I use to prevent spam injection (your criticism and suggestions are very welcome). One caveat before reading it: the User-Agent and Referer checks only stop lazy bots, because both headers are chosen by the client and can be forged with a single curl flag. The part that actually closes the hole is the inspection of every POSTed value, and that inspection is stronger when it rejects line breaks outright rather than relying on the keyword list alone.

function logbad($value)
{
    $report_to = "your_email";        // where the abuse report is sent
    $name      = "www.monx007.com";   // display name for the report's From: header
    $mail      = "from_email";        // sender address for the report's From: header

    // replace this with your own get_ip function...
    $ip = (empty($_SERVER['REMOTE_ADDR']))     ? 'empty' : $_SERVER['REMOTE_ADDR'];
    $rf = (empty($_SERVER['HTTP_REFERER']))    ? 'empty' : $_SERVER['HTTP_REFERER'];
    $ua = (empty($_SERVER['HTTP_USER_AGENT'])) ? 'empty' : $_SERVER['HTTP_USER_AGENT'];
    $ru = (empty($_SERVER['REQUEST_URI']))     ? 'empty' : $_SERVER['REQUEST_URI'];
    $rm = (empty($_SERVER['REQUEST_METHOD']))  ? 'empty' : $_SERVER['REQUEST_METHOD'];

    // Use one line ending throughout; do not end the block with a blank line,
    // or everything after it becomes part of the body.
    $headers  = "MIME-Version: 1.0\r\n";
    $headers .= "Content-type: text/plain; charset=iso-8859-1\r\n";
    $headers .= "X-Priority: 1\r\n";
    $headers .= "X-MSMail-Priority: Normal\r\n";
    $headers .= "X-Mailer: php\r\n";
    $headers .= "From: \"" . $name . "\" <" . $mail . ">\r\n";

    @mail(
        $report_to,
        "[ABUSE] mailinjection @ " . $_SERVER['HTTP_HOST'] . " by " . $ip,
        "Stopped possible mail-injection @ " . $_SERVER['HTTP_HOST'] . " by " . $ip .
        " (" . date('d/m/Y H:i:s') . ")\r\n\r\n" .
        "*** IP/HOST\r\n" . $ip . "\r\n\r\n" .
        "*** USER AGENT\r\n" . $ua . "\r\n\r\n" .
        "*** REFERER\r\n" . $rf . "\r\n\r\n" .
        "*** REQUEST URI\r\n" . $ru . "\r\n\r\n" .
        "*** REQUEST METHOD\r\n" . $rm . "\r\n\r\n" .
        "*** SUSPECT\r\n--\r\n" . $value . "\r\n--",
        $headers
    );
}

// Check 1
// First, make sure the form was posted from a browser.
// For basic web forms we do not care about anything other than
// requests from a browser (note: this header is trivially forgeable):
if (!isset($_SERVER['HTTP_USER_AGENT'])) {
    die('Forbidden - You are not authorized to view this page (0)');
}

// Check 2
// Make sure the form was indeed POSTed
// (requires your HTML form to use method="post"):
if ($_SERVER['REQUEST_METHOD'] !== "POST") {
    die('Forbidden - You are not authorized to view this page (1)');
}

// Host names from which the form is authorized to be posted:
$authHosts = array("yourdomain.com");

// Where have we been posted from? The Referer may be absent or malformed,
// so fall back to an empty host instead of reading an undefined index.
$fromArray = parse_url(strtolower($_SERVER['HTTP_REFERER'] ?? ''));
$fromHost  = (is_array($fromArray) && isset($fromArray['host'])) ? $fromArray['host'] : '';

// Strip a leading "www." so www.yourdomain.com and yourdomain.com both match.
$fromHost = preg_replace('/^www\./', '', $fromHost);

// Make sure the form was posted from an approved host name.
if (!in_array($fromHost, $authHosts, true)) {
    logbad("Form was not posted from an approved host name");
    die('Forbidden - You are not authorized to view this page (2)');
}

// Attempt to defend against header injections:
$badStrings = array("content-type:",
                    "mime-version:",
                    "content-transfer-encoding:",
                    "multipart/mixed",
                    "charset=",
                    "bcc:",
                    "cc:");

// Loop through each POSTed value and test whether it contains
// one of the $badStrings:
foreach ($_POST as $k => $v) {
    foreach ($badStrings as $v2) {
        if (strpos(strtolower($v), $v2) !== false) {
            logbad($v);
            // Escape the offending value before echoing it back, otherwise the
            // error page itself becomes a reflected-XSS vector.
            die('Form processing cancelled: string (`' . htmlspecialchars($v, ENT_QUOTES, 'UTF-8') .
                '`) contains text portions that are potentially harmful to this server. ' .
                'Your input has not been sent! Please use your browser\'s `back` button ' .
                'to return to the previous page and try rephrasing your input.');
        }
    }
}

// Made it past the spammer test; free up some memory
// and continue with the rest of the script:
unset($k, $v, $v2, $badStrings, $authHosts, $fromArray, $fromHost);
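The script above filters POSTed values with a keyword list. The following is an added example (not the article's code) that runs that same list and a plain line-break check side by side over a constructed form submission, to show a payload the keyword list lets through: an injected To: header, which appears on no list entry, while the line-break check flags it. The field names, the constant names (BAD_STRINGS, SAMPLE_POST, HEADER_FIELDS) and the two functions are assumptions made for the example.

```php
<?php
// Added example (not from the original article): keyword blocklist versus a
// control-character check, applied to a constructed $_POST-shaped array.
declare(strict_types=1);

// The same list the article's script uses, compared case-insensitively.
const BAD_STRINGS = [
    'content-type:', 'mime-version:', 'content-transfer-encoding:',
    'multipart/mixed', 'charset=', 'bcc:', 'cc:',
];

// Constructed form submission. The email field smuggles a To: header, which
// the list above does not mention. The message body legitimately contains a
// newline, which is why the line-break check is applied only to fields that
// end up in headers.
const SAMPLE_POST = [
    'name'    => 'Alice',
    'email'   => "alice@example.org\r\nTo: spamtarget@example.net",
    'subject' => 'Hello',
    'message' => "Line one\nLine two",
];

// Fields whose values are placed in mail headers rather than the body.
const HEADER_FIELDS = ['name', 'email', 'subject'];

// Returns the names of fields containing any blocklisted keyword.
function blocklistFindings(array $post): array
{
    $hits = [];
    foreach ($post as $field => $value) {
        $lower = strtolower((string) $value);
        foreach (BAD_STRINGS as $bad) {
            if (strpos($lower, $bad) !== false) {
                $hits[] = $field;
                break;
            }
        }
    }
    return $hits;
}

// Returns the names of header-bound fields containing CR, LF or NUL.
function newlineFindings(array $post, array $headerFields): array
{
    $hits = [];
    foreach ($headerFields as $field) {
        if (isset($post[$field]) && preg_match('/[\r\n\x00]/', (string) $post[$field])) {
            $hits[] = $field;
        }
    }
    return $hits;
}

function main(): void
{
    $byList    = blocklistFindings(SAMPLE_POST);
    $byNewline = newlineFindings(SAMPLE_POST, HEADER_FIELDS);
    printf("blocklist flagged:     %s\n", $byList    ? implode(', ', $byList)    : '(nothing)');
    printf("line-break check flagged: %s\n", $byNewline ? implode(', ', $byNewline) : '(nothing)');
}

main();
```

Run with the PHP CLI. Because the injected header is To: rather than one of the listed words, the blocklist reports nothing and the request would reach mail(), whereas the line-break check names the email field. Keep the keyword list if you like it as a tripwire for logging, but make the line-break check the gate.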

See the sites below for additional information:

* http://securephp.damonkohler.com/index.php/Email_Injection

* http://us2.php.net/mail (look at the comment section)


Source:

Security Hole Mail Header Injection at PHP


About the Author: Copyrighted by Monx Digital Library




Copyright (C) 2006-2024 WhmSoft - All Rights Reserved.