Do email forms need to be santized before sending?

Posted by levi on Server Fault See other posts from Server Fault or by levi
Published on 2012-03-22T15:23:14Z Indexed on 2012/03/22 17:33 UTC
Read the original article Hit count: 358

Filed under:
|

I have a client that keeps getting reports from godaddy's "websiteprotection.com" stating how the website is insecure.

Your website contains pages that do not properly sanitize visitor-provided input to make sure it contains no malicious content or scripts. Cross-site scripting vulnerabilities let malicious users execute arbitrary HTML or script code in another visitor's browser.

Output:

The request string used to detect this flaw was : /cross_site_scripting.?nasl.asp The output was : HTTP/1.1 404 Not Found\r Date: Wed, 21 Mar 2012 08:12:02 GMT\r Server: Apache\r X-Pingback:http://?CLIENTSWEBSITE.com/?xmlrpc.php\r Expires: Wed, 11 Jan 1984 05:00:00 GMT\r Cache-Control: no-cache, must-revalidate, max-age=0\r Pragma: no-cache\r Set-Cookie: PHPSESSID=?1jsnhuflvd59nb4trtquston50; path=/\r Last-Modified: Wed, 21 Mar 2012 08:12:02 GMT\r Keep-Alive: timeout=15, max=100\r Connection: Keep-Alive\r Transfer-Encoding: chunked\r Content-Type: text/html; charset=UTF-8\r \r

<div id="contact-form" class="widget"><form action="http://?CLIENTSWEBSITE.c
     om/<script>cross_site_?scripting.nasl</script>.asp" id="contactForm"
     meth od="post">

It looks like it has an issue with the contact form. All the contact form does is posts an ajax request to the same page, and than a PHP script mails the data (no database stuff).

Is there any a security issues here? Any ideas on how I can satisfy the security scanner?

Here is the form and script:

<form action="<?php echo $this->getCurrentUrl(); ?>" id="contactForm" method="post">
    <input type="text" name="Name" id="Name" value="" class="txt requiredField name" />
    //Some more text inputs

    <input type="hidden" name="sendadd" id="sendadd" value="<?php echo $emailadd ; ?>" />
    <input type="hidden" name="submitted" id="submitted" value="true" /><input class="submit" type="submit" value="Send" />
    </form>
    // Some initial JS validation, if that passes an ajax post is made to the script below

    //If the form is submitted
    if(isset($_POST['submitted'])) {

    //Check captcha 
if (isset($_POST["captchaPrefix"])) {

$capt = new ReallySimpleCaptcha();
$correct = $capt->check( $_POST["captchaPrefix"], $_POST["Captcha"] );
if( ! $correct ) { echo false; die(); } else {
$capt->remove( $_POST["captchaPrefix"] );
}

}


$dateon = $_POST["dateon"]; 
$ToEmail = $_POST["sendadd"]; 
$EmailSubject = 'Contact Form Submission from ' . get_bloginfo('title'); 
$mailheader = "From: ".$_POST["Email"]."\r\n"; 
$mailheader .= "Reply-To: ".$_POST["Email"]."\r\n"; 
$mailheader .= "Content-type: text/html; charset=iso-8859-1\r\n"; 

$MESSAGE_BODY = "Name: ".$_POST["Name"]."<br>"; 

$MESSAGE_BODY .= "Email Address: ".$_POST["Email"]."<br>"; 

$MESSAGE_BODY .= "Phone: ".$_POST["Phone"]."<br>"; 

if ($dateon == "on") {$MESSAGE_BODY .= "Date: ".$_POST["Date"]."<br>";}

$MESSAGE_BODY .= "Message: ".$_POST["Comments"]."<br>"; 

mail($ToEmail, $EmailSubject, $MESSAGE_BODY, $mailheader) or die ("Failure"); 

echo true; die(); 


} 

© Server Fault or respective owner

Related posts about security

Related posts about email