Do email forms need to be santized before sending?
Posted
by
levi
on Server Fault
See other posts from Server Fault
or by levi
Published on 2012-03-22T15:23:14Z
Indexed on
2012/03/22
17:33 UTC
Read the original article
Hit count: 358
I have a client that keeps getting reports from godaddy's "websiteprotection.com" stating how the website is insecure.
Your website contains pages that do not properly sanitize visitor-provided input to make sure it contains no malicious content or scripts. Cross-site scripting vulnerabilities let malicious users execute arbitrary HTML or script code in another visitor's browser.
Output:
The request string used to detect this flaw was : /cross_site_scripting.?nasl.asp The output was : HTTP/1.1 404 Not Found\r Date: Wed, 21 Mar 2012 08:12:02 GMT\r Server: Apache\r X-Pingback:http://?CLIENTSWEBSITE.com/?xmlrpc.php\r Expires: Wed, 11 Jan 1984 05:00:00 GMT\r Cache-Control: no-cache, must-revalidate, max-age=0\r Pragma: no-cache\r Set-Cookie: PHPSESSID=?1jsnhuflvd59nb4trtquston50; path=/\r Last-Modified: Wed, 21 Mar 2012 08:12:02 GMT\r Keep-Alive: timeout=15, max=100\r Connection: Keep-Alive\r Transfer-Encoding: chunked\r Content-Type: text/html; charset=UTF-8\r \r
<div id="contact-form" class="widget"><form action="http://?CLIENTSWEBSITE.c
om/<script>cross_site_?scripting.nasl</script>.asp" id="contactForm"
meth od="post">
It looks like it has an issue with the contact form. All the contact form does is posts an ajax request to the same page, and than a PHP script mails the data (no database stuff).
Is there any a security issues here? Any ideas on how I can satisfy the security scanner?
Here is the form and script:
<form action="<?php echo $this->getCurrentUrl(); ?>" id="contactForm" method="post">
<input type="text" name="Name" id="Name" value="" class="txt requiredField name" />
//Some more text inputs
<input type="hidden" name="sendadd" id="sendadd" value="<?php echo $emailadd ; ?>" />
<input type="hidden" name="submitted" id="submitted" value="true" /><input class="submit" type="submit" value="Send" />
</form>
// Some initial JS validation, if that passes an ajax post is made to the script below
//If the form is submitted
if(isset($_POST['submitted'])) {
//Check captcha
if (isset($_POST["captchaPrefix"])) {
$capt = new ReallySimpleCaptcha();
$correct = $capt->check( $_POST["captchaPrefix"], $_POST["Captcha"] );
if( ! $correct ) { echo false; die(); } else {
$capt->remove( $_POST["captchaPrefix"] );
}
}
$dateon = $_POST["dateon"];
$ToEmail = $_POST["sendadd"];
$EmailSubject = 'Contact Form Submission from ' . get_bloginfo('title');
$mailheader = "From: ".$_POST["Email"]."\r\n";
$mailheader .= "Reply-To: ".$_POST["Email"]."\r\n";
$mailheader .= "Content-type: text/html; charset=iso-8859-1\r\n";
$MESSAGE_BODY = "Name: ".$_POST["Name"]."<br>";
$MESSAGE_BODY .= "Email Address: ".$_POST["Email"]."<br>";
$MESSAGE_BODY .= "Phone: ".$_POST["Phone"]."<br>";
if ($dateon == "on") {$MESSAGE_BODY .= "Date: ".$_POST["Date"]."<br>";}
$MESSAGE_BODY .= "Message: ".$_POST["Comments"]."<br>";
mail($ToEmail, $EmailSubject, $MESSAGE_BODY, $mailheader) or die ("Failure");
echo true; die();
}
© Server Fault or respective owner