
Email injection attack

Status
Not open for further replies.

gtbikerider

Technical User
May 22, 2001
81
GB
I'm getting email injection attacks on a CF server. (for background see
I want to abort the form processing if there's no form.email variable - or if it contains carriage returns. Does this code look right?


<cfif NOT isdefined ("form.emailaddress") OR find(chr(10),form.emailaddress) OR find(chr(13),form.emailaddress)>
<cfabort>
</cfif>

--
John
 
That seems fine although from what I understand this type of attack is not really a problem for Coldfusion. I would also do a trim(len(form.emailaddress)) to ensure that the email address does exist but is blank - if you want more validation you could probably wrap it in a udf for readability something like

Code:
 <cfif isNotEmailInjection(form.emailAddress) .....

and have isNotEmailInjection do any validation you require

HTH
 
Pigsie has been pretty knowledgeable with CF so I'm sure this is just a typo, but you want the length of the string after it's been trimmed, not the trimmed length of the string.

len(trim(form.emailaddress)) NOT trim(len(form.emailaddress))

MyVar = "this is my var "
len(trim(myvar)) will trim the string first removing the spaces, then getting the len of what is left giving you 14, the desired number

trim(len(myvar)) will count the length of the entire string first "17" then trim the value of "17", not the desired result.

We've heard that a million monkeys at a million keyboards could produce the complete works of Shakespeare; now, thanks to the Internet, we know that is not true.
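The two replies above describe the validation a practitioner would wrap in a UDF such as isNotEmailInjection: the field must exist, len(trim(value)) must be greater than zero, and the value must contain no carriage return or line feed, since those characters are what let an attacker append extra headers to the outgoing message. The following is an added example written for this thread, not code from the original posters; it renders that check in Python rather than CFML so it can be run anywhere. The function names, the header-building helper and the sample inputs are all assumptions constructed for illustration.

```python
"""Guard a user-supplied e-mail address before it is placed in a mail header.

Mirrors the checks discussed in the thread: the field must be present,
non-blank after trimming, and free of CR/LF (and NUL) characters.
"""
from typing import Optional

CONTROL_CHARS = ("\r", "\n", "\0")


def trimmed_length(value: str) -> int:
    """len(trim(value)): strip surrounding whitespace *first*, then count.

    This is the correction made in the thread: trim(len(value)) would
    measure the untrimmed string and then trim the digits of that number.
    """
    return len(value.strip())


def is_not_email_injection(value: Optional[str]) -> bool:
    """Return True only when the value is safe to use in a mail header.

    Equivalent to the CF condition
        isdefined("form.emailaddress") AND len(trim(form.emailaddress))
        AND NOT find(chr(10), ...) AND NOT find(chr(13), ...)
    with NUL rejected as well, since mail libraries treat it as a terminator.
    """
    if value is None:                      # NOT isdefined("form.emailaddress")
        return False
    if trimmed_length(value) == 0:         # present but blank
        return False
    if any(ch in value for ch in CONTROL_CHARS):
        return False                       # header-injection characters
    return True


def build_from_header(address: str) -> str:
    """Build a single 'From:' header line, refusing unsafe input at the sink.

    Hypothetical helper: it shows where the guard belongs (immediately before
    the value is written into the message), not a real mail library API.
    """
    if not is_not_email_injection(address):
        raise ValueError("rejected e-mail address: missing, blank or contains CR/LF")
    return f"From: {address.strip()}\r\n"


# Constructed sample inputs (not captured from the thread's server).
SAMPLE_INPUTS = {
    "ok":        "john@example.com",
    "padded":    "  john@example.com  ",
    "blank":     "   ",
    "missing":   None,
    "lf_inject": "john@example.com\nBcc: someone@example.net",
    "cr_inject": "john@example.com\r\nSubject: spam",
}


def classify_samples() -> dict:
    """Return {label: accepted?} for every constructed sample input."""
    return {label: is_not_email_injection(v) for label, v in SAMPLE_INPUTS.items()}


if __name__ == "__main__":
    for label, accepted in classify_samples().items():
        print(f"{label:10s} -> {'accept' if accepted else 'ABORT'}")
    print(repr(build_from_header(SAMPLE_INPUTS["padded"])))
```

Only the "ok" and "padded" samples pass; the blank, missing and CR/LF-bearing values are rejected, which is exactly the condition under which the original <cfabort> should fire. Note that trimmed_length("this is my var ") returns the length of the trimmed text, which is the behaviour the second reply describes for len(trim()).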
 