Thursday, February 16, 2012

Mail Form Injection

Web forms that have not been secured are vulnerable to having data injected into the INPUT fields of the form.

These INPUT form elements can be either hidden or visible on the webpage on which they are located. A first-order defense against abuse is to rename the INPUT elements to non-standard names. You cannot rename the SUBMIT element, as that has special meaning for the processing of the form - it is this element that initiates the processing of the mail form - and as such it contains no data.

Common names for email forms are From (Mail.Form), To (Mail.To), FromName, AddAddress and Subject. The especially important ones are the UserName and Password elements; these need to be kept as they are, since the mail command on the server requires them to authenticate the email message.

This is an example taken from http://www.netheaven.com/email.html
The page that the example above was taken from goes on to explain the processing of the data contained on the form and the conditions that need to be fulfilled.

If there is an error in the way that the data or the form is configured, the result can range from the email not being sent to the contents of the form, including the hidden fields, passwords and user names, being echoed back to the user's screen.
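The server-side check a form handler needs before it hands the fields to the mail command, as an added example that is not from the original post or the page it cites: every field that ends up in a message header is rejected if it contains a line break, and the recipient must be one the site owner chose. The field names follow the conventional ones listed above; the sample submissions are constructed.

```python
import re
from email.utils import parseaddr

# Fields whose values the mail command places into message headers.
# These follow the conventional INPUT names the post lists (assumed here).
HEADER_FIELDS = ("From", "FromName", "To", "Subject")

# A raw or percent-encoded CR/LF in a header field lets a submitter
# append headers of their own to the outgoing message.
_LINE_BREAK = re.compile(r"[\r\n]|%0[aAdD]")


def validate_mail_form(fields, allowed_recipients):
    """Return a list of problems found in a submitted form; [] means it is safe to send.

    fields: dict mapping submitted INPUT names to their values.
    allowed_recipients: the only addresses this form may deliver to.
    """
    problems = []
    for name in HEADER_FIELDS:
        if _LINE_BREAK.search(fields.get(name, "")):
            problems.append(f"{name}: contains a line break (header injection attempt)")
    # The recipient is the site owner's choice, never whatever the submitter sent.
    to_addr = parseaddr(fields.get("To", ""))[1]
    if to_addr not in allowed_recipients:
        problems.append(f"To: {to_addr!r} is not an allowed recipient")
    # The sender must be exactly one well-formed address, not a list.
    raw_from = fields.get("From", "")
    from_addr = parseaddr(raw_from)[1]
    if "," in raw_from or "@" not in from_addr:
        problems.append("From: not a single valid address")
    return problems


# Constructed sample submissions (not real traffic).
CLEAN_SUBMISSION = {
    "From": "visitor@example.com", "FromName": "Visitor",
    "To": "owner@example.com", "Subject": "Question about your site",
}
INJECTED_SUBMISSION = dict(CLEAN_SUBMISSION, Subject="Hello\r\nBcc: other@example.net")
REDIRECTED_SUBMISSION = dict(CLEAN_SUBMISSION, To="other@example.net")

if __name__ == "__main__":
    for label, form in [("clean", CLEAN_SUBMISSION), ("injected", INJECTED_SUBMISSION),
                        ("redirected", REDIRECTED_SUBMISSION)]:
        print(label, validate_mail_form(form, {"owner@example.com"}) or "ok")
```

The form handler should refuse to send when the list is non-empty and log the rejection; the error page shown to the user must not echo the hidden fields back.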

What I was seeing on my forms

The forms that I was trying to implement were those that sent emails back to me in response to activity on my website. This was before I was able to monitor my server logs or use Google Analytics.

As the emails were supposed to be sent to me, I was very aware when data was injected into the forms. If I had not been sending the emails to myself, I might not even have noticed that anything was going wrong. The fact that a form on your website could be used by a hacker to spam other Internet users is both disturbing and irresponsible.

What I was seeing was random data injected into the subject and content fields. This data could be similar to that seen in a lot of the spam that we all get on a daily basis.
