
Date:  Fri, 7 Dec 2007 20:13:08 +0100
From:  Michael Stauber <bq (at mark) solarspeed.net>
Subject:  [coba-e:11372] Re: NYPHP - PHundamentals - Email Header Injection
To:  coba-e (at mark) bluequartz.org
Message-Id:  <200712072013.08843.bq (at mark) solarspeed.net>
In-Reply-To:  <007001c838f1$5c1da6a0$0101a8c0@systemax>
References:  <007001c838f1$5c1da6a0$0101a8c0@systemax>
X-Mail-Count: 11372

Hi Gerald,

> Maybe a solution to php email scripts???
>
> http://www.nyphp.org/phundamentals/email_header_injection.php

Yes, of course. Filtering all user submitted input with a fine-toothed comb 
and sanitizing variables is good practice that every programmer should 
follow. 

Problem is: People are lazy. So are programmers. Many don't scrutinize the 
input at all, or not strictly enough. Even "big" popular scripts which 
are in widespread usage don't do that. Matt Wright's FormMail is a prime 
example of bad coding. Or phpNuke. Still, there are plenty of people who use 
those scripts, because they think that thousands of lemmings can't be wrong. 
Or because they don't know better.  phpBB is another very popular project, 
which for a long time had similar issues and a track history of frequent 
exploits. But at least they're on their toes fixing bugs and trying not to 
let new ones slip in. Personally I still wouldn't touch it with a 10-foot 
pole, though.

But even then - PHP security is always twofold: Server side settings on one 
hand. And using scripts which were coded by responsible and trusted people. 
Those two sides should go hand in hand. Problem is: Just too many people run 
their servers with the two most unsafe settings there are: "Safe_Mode = Off" 
and "register_globals = On". When that's done, pretty much all bets are off 
anyway. 

It gets especially tricky when people do offer shared hosting for money. If 
the client can't run this script that he "downloaded somewhere" and 
which "everyone else is using, too" - because you insist on "Safe_Mode = On" 
and the script wants it off - then he might take his money elsewhere.

So yeah, this is a sad story, but for every user that we can convert to using 
safer scripts the internet will become a slightly better place.

-- 
With best regards,

Michael Stauber
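Editor's note: the thread is about e-mail header injection in PHP form scripts, so here is an added example showing the pattern the NYPHP article warns about and one way to harden it. This is illustrative code written for this page; it is not from the coba-e thread, from BlueQuartz, or from any of the scripts named above (FormMail, phpNuke, phpBB). The form field names, the fixed `webform@example.invalid` sender and the constructed attack string are all assumptions. One caveat worth adding to the server-side half of the argument: `register_globals` and `safe_mode` were removed in PHP 5.4, so on any current PHP the script's own input handling is the only one of the two "sides" left.

```php
<?php
// Added example (not from the thread or the scripts it names): e-mail header
// injection against a PHP contact form, and a hardened version of the same
// code. Names such as webform@example.invalid are assumptions.

// --- Vulnerable pattern (for illustration only) ----------------------------
// $form stands in for $_POST. The user-supplied address goes straight into the
// header block that would be handed to mail(). A CR/LF inside it lets the
// sender append arbitrary headers (extra To:, Bcc:, even a second body), which
// is exactly how such forms get turned into open spam relays.
function headers_vulnerable(array $form): string
{
    return "From: " . $form['email'] . "\r\n";
    // a real script would continue with mail($to, $subject, $body, $headers)
}

// --- Hardened pattern ------------------------------------------------------
// Refuse any value destined for a header that contains CR, LF or a NUL byte.
// Rejecting is deliberate: a contact form has no legitimate reason to carry a
// line break in a sender address or a subject, so refuse rather than strip.
function header_field(string $value, int $max_len = 254): string
{
    if (preg_match('/[\r\n\0]/', $value)) {
        throw new InvalidArgumentException('line break in header field');
    }
    if (strlen($value) > $max_len) {
        throw new InvalidArgumentException('header field too long');
    }
    return $value;
}

// Validate the shape of the address as well. FILTER_VALIDATE_EMAIL would
// already refuse CR/LF on its own, but the explicit check above keeps the
// intent obvious to the next person reading the script.
function sender_address(string $value): string
{
    $valid = filter_var(header_field($value), FILTER_VALIDATE_EMAIL);
    if ($valid === false) {
        throw new InvalidArgumentException('not a valid e-mail address');
    }
    return $valid;
}

// Keep From: fixed to an address the server is allowed to send as (assumed
// here) and put the visitor's address in Reply-To:, so no user data ever
// lands in a header that the MTA acts on for routing.
function headers_hardened(array $form): string
{
    $reply_to = sender_address($form['email']);
    return "From: webform@example.invalid\r\n"
         . "Reply-To: " . $reply_to . "\r\n"
         . "X-Mailer: PHP/" . PHP_VERSION . "\r\n";
}

// --- Demonstration with a constructed attack string ------------------------
$attack = "victim@example.invalid\r\nBcc: target@example.invalid";

echo "vulnerable script would send:\n" . headers_vulnerable(['email' => $attack]) . "\n";

try {
    headers_hardened(['email' => $attack]);
} catch (InvalidArgumentException $e) {
    echo "hardened script refused: " . $e->getMessage() . "\n\n";
}

echo "hardened script with a clean address:\n"
   . headers_hardened(['email' => 'alice@example.invalid']);
```

Run it with `php` on the command line; nothing is actually sent, the functions only build the header block that a form script would pass to `mail()`. The first output shows the injected `Bcc:` line sitting in the headers as a separate field, the second shows the hardened version throwing before any header is built.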