#1
I just started learning to use forms with phpFormGenerater. If I use a separate SSL page for the contact form, is it protected from the Spamming Zombies we are warned about in the thread from 08-30-05? http://forums.hostgator.com/showthread.php?t=4773
If not, can you explain a bit? I am learning. Thanks, Leo
__________________
duane@coportdesign.com
http://www.coportdesign.com
http://www.HopOnHosting.com
What is the difference between genius and stupidity? Genius has limits. - Albert Einstein.
#2
No, SSL won't help. Unless you password-protect your contact form, which seems oxymoronic.

Have you read the links in the mentioned thread which explain what is being exploited? If not, see: http://securephp.damonkohler.com/ind...mail_Injection and http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay

To paraphrase, by embedding carriage-return characters into form fields that are passed, without safety checking, to PHP's mail( ) function, the mail( ) function and SMTP protocol can be tricked into sending mail to recipients other than those to which you intend. A legitimate browser user of your forms can't embed a carriage return into an <input type="text"> form field. But a malicious spammer can stuff ANY data into your server by masquerading as a browser. (HTTP and the web are all built on very simple character-based protocols between socket connections.)

The simple fix for this particular exploit is to cleanse any CR characters from the user's entries in the to:, from:, and subject: fields. It also makes sense to zap any LF or NUL characters as well. Note that you DON'T want to strip CR/LF's from the field containing the body of your email. The mail message body cannot be exploited in this way anyway, and doing so will make for difficult-to-read run-on messages.

Btw, ALL user form response data should be sanitized, in ways appropriate to its downstream use, to eliminate similar exploits. This is covered briefly in the official PHP documentation and in much greater depth in every PHP textbook I've seen. If you rely on PHP scripts, you should know some PHP! And don't skip the security chapter.

As for your question about SSL, using SSL for forms is necessary if the data you are exchanging is sensitive, e.g. SSN's or credit card numbers. But it is overkill for the average "contact" form, and, in fact, would NOT prevent this particular exploit. If you don't secure your mail( ) forms, you may well become an unwitting spam forwarder, which will get our SHARED servers blacklisted. In which case you deserve to be booted from the neighborhood.

So secure those mail( ) forms! The PHP code that I posted in the other thread (4773) WILL solve this problem. You will still see the spammer's probes, but they will be stopped from going anywhere except your intended recipient. Seeing the probes keeps you informed of the attempts. If the probes increase to the point of annoyance, I'll also post a version which will just cease processing if the fields contain CR's.
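An added example of the cleansing rule described above, written for this thread and not the script the poster shared in thread 4773: CR, LF and NUL are stripped from the header-bound fields (from, subject), the message body keeps its line breaks, and the script records whether a probe was seen so it can be logged or used to stop processing. It assumes the recipient address is hard-coded server-side rather than taken from the form; the field names, sample input and addresses are constructed placeholders.

```php
<?php
// Added example (not the poster's code): neutralize mail() header injection.

// Strip CR, LF and NUL from a field that will end up in a mail header,
// and flag the request if anything was removed (i.e. a probe was seen).
function cleanse_header_field(string $value, bool &$probe_seen): string {
    $clean = str_replace(["\r", "\n", "\0"], '', $value);
    if ($clean !== $value) {
        $probe_seen = true;
    }
    return $clean;
}

// Build the pieces for mail() from the posted form data.
function build_safe_mail(array $post): array {
    $probe   = false;
    $subject = cleanse_header_field($post['subject'] ?? '', $probe);
    $from    = cleanse_header_field($post['from'] ?? '', $probe);
    // The body is message content, not headers, so its line breaks stay.
    $body    = $post['message'] ?? '';
    // Extra check beyond the post: after cleansing, the sender must still
    // be a syntactically valid address, otherwise treat it as a probe too.
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        $probe = true;
    }
    return ['subject' => $subject, 'from' => $from, 'body' => $body, 'probe' => $probe];
}

// Constructed sample input: a probe trying to smuggle a Bcc header via the
// From field. A real browser text input cannot contain "\r\n".
$sample = [
    'from'    => "someone@example.com\r\nBcc: target@example.net",
    'subject' => 'Hello',
    'message' => "Line one\r\nLine two",
];

$result = build_safe_mail($sample);
if ($result['probe']) {
    // Log the attempt (the "see the probes" behaviour) and stop here.
    error_log('mail header injection attempt from ' . ($_SERVER['REMOTE_ADDR'] ?? 'cli'));
    exit;
}

$to      = 'you@example.com';  // placeholder: fixed server-side, never from the form
$headers = 'From: ' . $result['from'] . "\r\nReply-To: " . $result['from'];
mail($to, $result['subject'], $result['body'], $headers);
```

With the constructed input above the script logs the attempt and exits without calling mail(); a clean submission passes through with its body line breaks intact.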