Dr. Hain's various/sundry has helpful information about things
that Dr. Hain has discovered by trial and error.
Contact forms are common web constructs that are used mainly to avoid "exposing" email addresses to the public internet, so as to reduce the frequency that one is spammed. There are examples of generic contact forms on the web. These generally consist of an html program to gather togther the needed information using forms, and a php program that takes the form data and converts it into an email. There are some serious security issues with this.
Security problems with contact forms
Similar to email in general, contact forms enables communication between two individuals or entities on the internet, and therefor is a a potential conduit for malware. The biggest problem with malware is that one can enter in links in any free text fields, that are then sent to to the recipiant, possibly through email. The links can be to pages containing malware that downloads injurious software.
For example, an individual hoping to induce a email recipient to click on a link, might put into any form text field, such as the "name field", a construction like "hack.com". Gmail converts constructions like hack.com, or fluffy-bunny.com, into links. An unwary recipient of this email might click on the link (in the name field), and download malware onto their computer.
There are several (theoretical) methods of reducing the risk.
- Detect links and delete them or make them otherwise harmless. Links include both:
- http* type constructions (both http and https)
- Anything that is of the form abc.xyz (which gmail may convert into an http type entity)
- Rather than emaling the contact, save it rather than emailing it, and view it from an separate application, typically a database. This has some pros and con's.
- This is safer than email as there is no active conversion into links (as happens in gmail)
- There is a possibility of sql injection, which is a threat to the remote mysql database.
- This requires a mechanism to view contacts stored remotely.
- Another possible method is to convert the message into a json attachment, email the attachment to a local computer, and load the data into a local database. While sql injection remains possible, a potential attacker would not be able to access local data.
Solutions and comments:
- There are many contact forms on the web. Most of these ignore the security problem. They are pretty but don't deal with the sanitizing problem.
- An example of a full featured but highly insecure contact form is the one generated by thesitewizard.com's Feedback Form Wizard 2.22.0. This form just collects text and emails it. The email can contain links. Don't use this as is.
- An example of a contact form that attempts to solve the link problems is here: It takes the approach of using the PHP stripslash function to remove explicit html references, and checking for non-alpha characters.
- This approach to detecting something like "https://gist.github.com/patotoma/8860726", which is the url of the contact form example, might fail should there be 3 slashes. An improvement on this would be to use a stronger stripslashes function. An example of this is found here: https://www.php.net/manual/en/function.stripslashes.php. Using this function seems like a good idea, as it is unlikely that a legit email would need to have any // in it.
- If the output of this form is just sent via email, it might fail due to the "abc.xyz" problem mentioned above, as gmail attempts to construct links from text like this.
December 13, 2020
, Timothy C. Hain, M.D.
All rights reserved.