Do email forms need to be santized before sending?
- by levi
I have a client that keeps getting reports from godaddy's "websiteprotection.com" stating how the website is insecure.
Your website contains pages that do not properly sanitize
visitor-provided input to make sure it contains no malicious content
or scripts. Cross-site scripting vulnerabilities let malicious users
execute arbitrary HTML or script code in another visitor's browser.
Output:
The request string used to detect this flaw was :
/cross_site_scripting.?nasl.asp The output was :
HTTP/1.1 404 Not Found\r Date: Wed, 21 Mar 2012 08:12:02 GMT\r Server:
Apache\r X-Pingback:http://?CLIENTSWEBSITE.com/?xmlrpc.php\r Expires:
Wed, 11 Jan 1984 05:00:00 GMT\r Cache-Control: no-cache,
must-revalidate, max-age=0\r Pragma: no-cache\r Set-Cookie:
PHPSESSID=?1jsnhuflvd59nb4trtquston50; path=/\r Last-Modified: Wed, 21
Mar 2012 08:12:02 GMT\r Keep-Alive: timeout=15, max=100\r Connection:
Keep-Alive\r Transfer-Encoding: chunked\r Content-Type: text/html;
charset=UTF-8\r \r
<div id="contact-form" class="widget"><form action="http://?CLIENTSWEBSITE.c
om/<script>cross_site_?scripting.nasl</script>.asp" id="contactForm"
meth od="post">
It looks like it has an issue with the contact form. All the contact form does is posts an ajax request to the same page, and than a PHP script mails the data (no database stuff).
Is there any a security issues here? Any ideas on how I can satisfy the security scanner?
Here is the form and script:
<form action="<?php echo $this->getCurrentUrl(); ?>" id="contactForm" method="post">
<input type="text" name="Name" id="Name" value="" class="txt requiredField name" />
//Some more text inputs
<input type="hidden" name="sendadd" id="sendadd" value="<?php echo $emailadd ; ?>" />
<input type="hidden" name="submitted" id="submitted" value="true" /><input class="submit" type="submit" value="Send" />
</form>
// Some initial JS validation, if that passes an ajax post is made to the script below
//If the form is submitted
if(isset($_POST['submitted'])) {
//Check captcha
if (isset($_POST["captchaPrefix"])) {
$capt = new ReallySimpleCaptcha();
$correct = $capt->check( $_POST["captchaPrefix"], $_POST["Captcha"] );
if( ! $correct ) { echo false; die(); } else {
$capt->remove( $_POST["captchaPrefix"] );
}
}
$dateon = $_POST["dateon"];
$ToEmail = $_POST["sendadd"];
$EmailSubject = 'Contact Form Submission from ' . get_bloginfo('title');
$mailheader = "From: ".$_POST["Email"]."\r\n";
$mailheader .= "Reply-To: ".$_POST["Email"]."\r\n";
$mailheader .= "Content-type: text/html; charset=iso-8859-1\r\n";
$MESSAGE_BODY = "Name: ".$_POST["Name"]."<br>";
$MESSAGE_BODY .= "Email Address: ".$_POST["Email"]."<br>";
$MESSAGE_BODY .= "Phone: ".$_POST["Phone"]."<br>";
if ($dateon == "on") {$MESSAGE_BODY .= "Date: ".$_POST["Date"]."<br>";}
$MESSAGE_BODY .= "Message: ".$_POST["Comments"]."<br>";
mail($ToEmail, $EmailSubject, $MESSAGE_BODY, $mailheader) or die ("Failure");
echo true; die();
}