preventing sendmail injection

RJ_32
Posted: Sun Aug 31, 2008 6:23 pm Post subject: preventing sendmail injection
looking here: LINK
it says that I have to be careful about what I send to the sendmail process via popen(). Does that also apply to the Subject: line?
(I'm opening a process rather than simply using mail() so that I can set the return-path header with sendmail's -f switch and catch bounces.)
My From: and To: are hardcoded and *not* taken from any webform textfields.
I'm using: $i = preg_match_all('/[a-zA-Z0-9_]/', $subject, $arr);
on the $subject just in case. Is that the correct way to exclude any dangerous characters? (IOW, I'm using a whitelist approach.)
Do I need to be concerned about the Subject line regardless?
Michael Fesser
Posted: Sun Aug 31, 2008 6:36 pm Post subject: Re: preventing sendmail injection
..oO(RJ_32)
> looking here: LINK
> it says that I have to be careful about what I send to the sendmail process via popen(). Does that also apply to the Subject: line?
Yes. The Subject is a header, which makes it a possible target for an injection attack.
> (I'm opening a process rather than simply using mail() so that I can set the return-path header with sendmail's -f switch and catch bounces.)
> My From: and To: are hardcoded and *not* taken from any webform textfields.
> I'm using: $i = preg_match_all('/[a-zA-Z0-9_]/', $subject, $arr);
> on the $subject just in case. Is that the correct way to exclude any dangerous characters? (IOW, I'm using a whitelist approach.)
Preventing line breaks in the subject line should be enough.
Micha
Jerry Stuckle
Posted: Sun Aug 31, 2008 6:37 pm Post subject: Re: preventing sendmail injection
RJ_32 wrote:
> looking here: LINK
> it says that I have to be careful about what I send to the sendmail process via popen(). Does that also apply to the Subject: line?
> (I'm opening a process rather than simply using mail() so that I can set the return-path header with sendmail's -f switch and catch bounces.)
> My From: and To: are hardcoded and *not* taken from any webform textfields.
> I'm using: $i = preg_match_all('/[a-zA-Z0-9_]/', $subject, $arr);
> on the $subject just in case. Is that the correct way to exclude any dangerous characters? (IOW, I'm using a whitelist approach.)
> Do I need to be concerned about the Subject line regardless?
Yes, you do. Anything in the header can be used as a potential SQL injection point.
The main character you need to worry about is "\r". Most other characters are OK, but "\r" indicates the end of the current header entry and the beginning of a new one ("\r\r" signifies end of header).
But I always restrict subjects to printable ASCII characters and spaces - no tabs, etc., just as a precaution. And that's if I allow the subject line to pass - most of the time I place the user's subject in the body of the message and have in the subject line "Message from example.com" (or similar).
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
RJ_32
Posted: Sun Aug 31, 2008 7:03 pm Post subject: Re: preventing sendmail injection
Michael Fesser wrote:
> .oO(RJ_32)
>> looking here: LINK
>> it says that I have to be careful about what I send to the sendmail process via popen(). Does that also apply to the Subject: line?
> Yes. The Subject is a header, which makes it a possible target for an injection attack.
>> (I'm opening a process rather than simply using mail() so that I can set the return-path header with sendmail's -f switch and catch bounces.)
>> My From: and To: are hardcoded and *not* taken from any webform textfields.
>> I'm using: $i = preg_match_all('/[a-zA-Z0-9_]/', $subject, $arr);
>> on the $subject just in case. Is that the correct way to exclude any dangerous characters? (IOW, I'm using a whitelist approach.)
> Preventing line breaks in the subject line should be enough.
the author of the page I cited talks about removing the period. Why is that?
Jerry Stuckle
Posted: Sun Aug 31, 2008 7:18 pm Post subject: Re: preventing sendmail injection
RJ_32 wrote:
> Michael Fesser wrote:
>> .oO(RJ_32)
>>> looking here: LINK
>>> it says that I have to be careful about what I send to the sendmail process via popen(). Does that also apply to the Subject: line?
>> Yes. The Subject is a header, which makes it a possible target for an injection attack.
>>> (I'm opening a process rather than simply using mail() so that I can set the return-path header with sendmail's -f switch and catch bounces.)
>>> My From: and To: are hardcoded and *not* taken from any webform textfields.
>>> I'm using: $i = preg_match_all('/[a-zA-Z0-9_]/', $subject, $arr);
>>> on the $subject just in case. Is that the correct way to exclude any dangerous characters? (IOW, I'm using a whitelist approach.)
>> Preventing line breaks in the subject line should be enough.
> the author of the page I cited talks about removing the period. Why is that?
>> Micha
No idea. But then I'm not overly impressed with that page. Talk about making a relatively simple job complicated because < 1% of the users might need it!
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Jeff
Posted: Mon Sep 01, 2008 2:26 am Post subject: Re: preventing sendmail injection
Jerry Stuckle wrote:
> RJ_32 wrote:
>> looking here: LINK
>> it says that I have to be careful about what I send to the sendmail process via popen(). Does that also apply to the Subject: line?
>> (I'm opening a process rather than simply using mail() so that I can set the return-path header with sendmail's -f switch and catch bounces.)
>> My From: and To: are hardcoded and *not* taken from any webform textfields.
>> I'm using: $i = preg_match_all('/[a-zA-Z0-9_]/', $subject, $arr);
>> on the $subject just in case. Is that the correct way to exclude any dangerous characters? (IOW, I'm using a whitelist approach.)
>> Do I need to be concerned about the Subject line regardless?
> Yes, you do. Anything in the header can be used as a potential SQL injection point.
> The main character you need to worry about is "\r". Most other characters are OK, but "\r" indicates the end of the current header entry and the beginning of a new one ("\r\r" signifies end of header).
Why the \r instead of a \n? Or both?
My understanding is that \r\n is the recommended ending and just \n always works for sending mail. That mail can come without \r. My understanding may be flawed, it has been in the past!
Jeff
> But I always restrict subjects to printable ASCII characters and spaces - no tabs, etc., just as a precaution. And that's if I allow the subject line to pass - most of the time I place the user's subject in the body of the message and have in the subject line "Message from example.com" (or similar).
Curtis
Posted: Mon Sep 01, 2008 4:53 am Post subject: Re: preventing sendmail injection
Jerry Stuckle wrote:
> RJ_32 wrote:
>> looking here: LINK
>> it says that I have to be careful about what I send to the sendmail process via popen(). Does that also apply to the Subject: line?
>> (I'm opening a process rather than simply using mail() so that I can set the return-path header with sendmail's -f switch and catch bounces.)
>> My From: and To: are hardcoded and *not* taken from any webform textfields.
>> I'm using: $i = preg_match_all('/[a-zA-Z0-9_]/', $subject, $arr);
>> on the $subject just in case. Is that the correct way to exclude any dangerous characters? (IOW, I'm using a whitelist approach.)
>> Do I need to be concerned about the Subject line regardless?
> Yes, you do. Anything in the header can be used as a potential SQL injection point.
The OP didn't mention storing anything in a DB. The main security concern is overwriting headers, probably for spam. Stripping newlines, as suggested earlier, is sufficient protection.
> The main character you need to worry about is "\r". Most other characters are OK, but "\r" indicates the end of the current header entry and the beginning of a new one ("\r\r" signifies end of header).
Headers should end with CRLFs, "\r\n". The last header is followed by two CRLFs.
> But I always restrict subjects to printable ASCII characters and spaces - no tabs, etc., just as a precaution. And that's if I allow the subject line to pass - most of the time I place the user's subject in the body of the message and have in the subject line "Message from example.com" (or similar).

--
Curtis
Jerry Stuckle
Posted: Mon Sep 01, 2008 10:42 am Post subject: Re: preventing sendmail injection
Jeff wrote:
> Jerry Stuckle wrote:
>> RJ_32 wrote:
>>> looking here: LINK
>>> it says that I have to be careful about what I send to the sendmail process via popen(). Does that also apply to the Subject: line?
>>> (I'm opening a process rather than simply using mail() so that I can set the return-path header with sendmail's -f switch and catch bounces.)
>>> My From: and To: are hardcoded and *not* taken from any webform textfields.
>>> I'm using: $i = preg_match_all('/[a-zA-Z0-9_]/', $subject, $arr);
>>> on the $subject just in case. Is that the correct way to exclude any dangerous characters? (IOW, I'm using a whitelist approach.)
>>> Do I need to be concerned about the Subject line regardless?
>> Yes, you do. Anything in the header can be used as a potential SQL injection point.
>> The main character you need to worry about is "\r". Most other characters are OK, but "\r" indicates the end of the current header entry and the beginning of a new one ("\r\r" signifies end of header).
> Why the \r instead of a \n? Or both?
> My understanding is that \r\n is the recommended ending and just \n always works for sending mail. That mail can come without \r. My understanding may be flawed, it has been in the past!
> Jeff
Because you're not talking about ending - you're looking for invalid characters.
Some MTAs recognize CR or CRLF, but AFAIK, none recognize just LF as a line ending character. \r will catch either way, so the request can be rejected.
Note you should never strip invalid characters - rather, you should reject the request.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
C. (http://symcbean.blogs
Posted: Mon Sep 01, 2008 1:05 pm Post subject: Re: preventing sendmail injection
On 31 Aug, 22:03, RJ_32 <RJ...@none.com> wrote:
> Michael Fesser wrote:
>> .oO(RJ_32)
>>> looking here: LINK
>>> it says that I have to be careful about what I send to the sendmail process via popen(). Does that also apply to the Subject: line?
>> Yes. The Subject is a header, which makes it a possible target for an injection attack.
>>> (I'm opening a process rather than simply using mail() so that I can set the return-path header with sendmail's -f switch and catch bounces.)
>>> My From: and To: are hardcoded and *not* taken from any webform textfields.
>>> I'm using: $i = preg_match_all('/[a-zA-Z0-9_]/', $subject, $arr);
I'd let them use spaces too, but restrict to 50 chars.
>>> on the $subject just in case. Is that the correct way to exclude any dangerous characters? (IOW, I'm using a whitelist approach.)
>> Preventing line breaks in the subject line should be enough.
> the author of the page I cited talks about removing the period. Why is that?
IIRC a . on its own indicates the end of a message in SMTP (therefore subsequent content is the next SMTP command).
C.
RJ_32
Posted: Mon Sep 01, 2008 1:25 pm Post subject: Re: preventing sendmail injection
Curtis wrote:
> The OP didn't mention storing anything in a DB.
right, below is what the quoted page said, talking about shell meta characters. I might have misused the word injection, but I'd meant "injection of problem characters into the stream piped to sendmail". The writer says that such can be "disastrous" - I took that to maybe mean that a malicious user could run shell commands of his choosing somehow.
(And btw, I'm merely taking the page user's supplied name e.g. "John Smith" and using that in the email's Subject: line.)
"Sendmail Security When calling the system mail program, we must be careful of what characters we are sending to it. Because we are opening a Unix pipe, it is possible for malicious users to enter shell meta characters into form inputs that later are passed to sendmail. The results can be disastrous.
When creating a form handling script that eventually hands off user-entered data to the mail program, you must screen user input carefully. Treat all user input as if it were hostile. Start by removing shell meta-characters from any input used by sendmail, such as To: and From: inputs, or even the Subject: input of a feedback form.
Characters that must be removed are the period, for example, if you have an input for the user name."
> The main security concern is overwriting headers, probably for spam. Stripping newlines, as suggested earlier, is sufficient protection.
>> The main character you need to worry about is "\r". Most other characters are OK, but "\r" indicates the end of the current header entry and the beginning of a new one ("\r\r" signifies end of header).
> Headers should end with CRLFs, "\r\n". The last header is followed by two CRLFs.
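The thread's advice pulled together as added example code (written here, not by any of the posters): reject rather than strip a Subject that contains anything outside printable ASCII, cap it at 50 characters, validate the address handed to sendmail's -f switch and escape it for the shell, and pass -oi so a line holding only "." cannot end the message early. The sendmail path and the addresses are assumed placeholders.

```php
<?php
// Added example, not from the thread. Assumed sendmail path and placeholder addresses.
const SENDMAIL    = '/usr/sbin/sendmail';   // assumption: typical location
const SUBJECT_MAX = 50;                     // length cap suggested in the thread

/** True only if $subject fits on one header line: printable ASCII and space,
 *  no CR, LF or TAB, non-empty and within the length cap. */
function subject_is_safe(string $subject): bool
{
    return $subject !== ''
        && strlen($subject) <= SUBJECT_MAX
        && preg_match('/\A[\x20-\x7E]+\z/', $subject) === 1;
}

/** Conservative shape check for the envelope sender given to sendmail -f. */
function return_path_is_safe(string $addr): bool
{
    return preg_match('/\A[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/', $addr) === 1;
}

/** Pipes one message to sendmail; returns false instead of sending on bad input. */
function send_feedback(string $subject, string $body): bool
{
    $from       = 'feedback@example.com';   // hardcoded, as in the original post
    $to         = 'owner@example.com';      // hardcoded, as in the original post
    $returnPath = 'bounces@example.com';    // catches bounces via -f

    // Reject outright; never silently strip characters (Jerry's point).
    if (!subject_is_safe($subject) || !return_path_is_safe($returnPath)) {
        return false;
    }

    // -oi: a body line consisting of a single "." must not terminate input.
    // escapeshellarg() keeps any shell metacharacters in the arguments inert.
    $cmd = SENDMAIL . ' -oi -f ' . escapeshellarg($returnPath)
         . ' ' . escapeshellarg($to);
    $mta = popen($cmd, 'w');
    if ($mta === false) {
        return false;
    }
    // Local sendmail stdin takes LF line endings; the MTA emits CRLF on the wire.
    fwrite($mta, "From: $from\n");
    fwrite($mta, "To: $to\n");
    fwrite($mta, "Subject: $subject\n");
    fwrite($mta, "\n");                     // blank line ends the header block
    fwrite($mta, $body . "\n");
    return pclose($mta) === 0;
}
```

A subject such as "John Smith" passes the check, while one carrying "\r\n" or a "\t" is refused before anything reaches the pipe.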