[ Dukidule @ 31.01.2006. 23:49 ] @
Pre svega da naglasim da sam apsolutni laik za PHP ali sam se ipak usudio da napravim prost skript koji mi salje mail sa forme:
Code:
<?
$website="www.sajt.net";
$youremail="[email protected]";

$sendersname=$_POST['sendersname'];
$sendersemail=$_POST['sendersemail'];
$sendersphone=$_POST['sendersphone'];
$message=$_POST['message'];

$messagetext="$sendersname just sent a message from our website,
 $website.\n\nTheir e-mail address was: $sendersemail and their phone: 
$sendersphone\n\nTheir message:\n\n $message";

if(mail($youremail,"$website website feedback",$messagetext,"From: $sendersemail\n")) {
header( "Location: http://$website/thankyou.php" );
} else {
header( "Location: http://$website/error.php" );
}
?>

Problem je u tome sto mi stize na stotine mailova iste sadrzine:
Citat:
From: --><script>alert(\'wvs-xss-magic-string-485586978\');</script>
Sent: 31 January 2006 20:58
To: [email protected]
Subject: www.sajt.net website feedback

1 just sent a message from our website, www.sajt.net.

Their e-mail address was: --> alert(\'wvs-xss-magic-string-485586978\'); and their phone: 1

Their message:

1

Kako da se zastitim od ovoga?
[ sale83 @ 01.02.2006. 09:28 ] @
CjWeb2Mail thankyou.php Multiple Variable XSS

http://www.osvdb.org/displayvuln.php?osvdb_id=19497


[ Dukidule @ 01.02.2006. 12:55 ] @
Citat:
sale83: CjWeb2Mail thankyou.php Multiple Variable XSS

http://www.osvdb.org/displayvuln.php?osvdb_id=19497

Dobro, ali kako da sprecim ovo? Da li su moguce neke izmene u onom PHP kodu koje bi onemogucile ovakve stvari?
[ Nemanja Avramović @ 01.02.2006. 13:16 ] @
Citat:
CJWeb2Mail contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'name', 'message' and 'ip' variables upon submission to the 'thankyou.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


Zaci treba da napravis validaciju forme koja ce proveravati validnost unete e-mail adrese i to je to. Potrazi na forumu ovde tu skripticu, bilo je govora o ovome. Takodje uradi strip_tags i jos neke poznate metode zastite od sql injection-a (mada ovo nije sql injection), a mozes i da ogranicis slanje maila na npr. 1 mail u roku od pola sata... mada, ako vise korisnika ima istu ip to moze da bude zeznuto... onda mozes da koristis sesije u istu svrhu, itd itd...