How secure can a PHP-driven HTML contact form using Swiftmailer be?
I have a PHP-driven HTML contact form on my site. Currently I use the PHP mail() function. Because of that I have to do a lot of user-input validation to avoid email header injection attacks. I think I'm secure, but I probably forgot something and I want to move to a solid PHP email library. The library I selected is Swiftmailer.

Now I want to check if Swiftmailer addresses the following:

  1. Removes or escapes < and > characters in sender names.
  2. Removes newlines (\n, \r\n...) from sender names.
  3. Removes or escapes newlines in the email subject.
  4. Normalizes newlines in the message body (the content of the email). As per the PHP docs, \n should be used in the content and \r\n as the email header separator.

PS: I tried to contact the Swiftmailer team with my questions without success so I'm trying here.

Edit:

I did some test cases with Swiftmailer and this is what I found so far:

  1. When you have a < or > in the name of a sender, you get an "Undeliverable email" error mail. This can somewhat lead to a DoS attack on your mail server (maybe I'm wrong). Is this normal?!
  2. The newlines are escaped so the injection attack fails.
  3. The newlines are escaped so the injection attack fails.
  4. Tested, but I'm unable to see what Swiftmailer does (if it does something). So I'm still in the dark here.

Can someone clarify #1 and #4 for me? I'm not sure if it's normal behavior...

Grafting answered 6/7, 2011 at 19:20 Comment(4)
You can always look through the code... Swiftmailer is just a PHP script, after all. If you're this paranoid about vulnerabilities, you'd probably want to be auditing any external libraries anyways. - Suwannee
"Protect from header injection attacks without stripping request data content" (from the homepage), and from a rough scan through the code I would assume that if you pass in anything that's not valid, you'll get an exception instead of a silent acceptance. - Harhay
It seems that as long as you strip \n and \r from any user-submitted headers, and wordwrap($message, 70), you should be okay. What's the deal with stripping < and > from sender names? I would be very interested to know what type of hack these characters leave you open to. Any info is greatly appreciated. - Alain
@Alain See my "Edit" paragraph. Not sure why I added this validation in my code, but if I remember correctly it's because it can break some mail servers. With Swiftmailer I have a sysadmin "Undeliverable email" email message which can lead IMHO to a DoS attack on your mail server (or inbox). - Grafting
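The four checks listed in the question, carried out for the plain mail() path, as an added example. This is my code, not the asker's and not Swiftmailer's; the function names are my own and the example.com addresses and the two submissions at the bottom are constructed. Newlines in header fields are rejected rather than silently stripped, so an injection attempt shows up in the application log; the display name is quoted so < and > cannot open a second address; the body is normalized to "\n" and word-wrapped as the mail() documentation asks.

```php
<?php
// Added example, not from the question or from Swiftmailer.
// Input checks for a contact form handler that calls PHP's mail().

// A header value must be a single line: CR or LF is the injection vector.
function isSingleLineHeaderValue($value)
{
    return preg_match('/[\r\n]/', $value) === 0;
}

// Sender address (question points 1 and 2 for the address part):
// FILTER_VALIDATE_EMAIL refuses whitespace, angle brackets and newlines.
function validateSenderEmail($email)
{
    $clean = filter_var(trim($email), FILTER_VALIDATE_EMAIL);
    return $clean === false ? null : $clean;
}

// Sender display name (points 1 and 2 for the name part): refuse newlines,
// drop other control characters, then quote the name and escape " and \
// so that < and > inside it are plain text, not a new address.
function sanitizeSenderName($name)
{
    if (!isSingleLineHeaderValue($name)) {
        return null;
    }
    $name = trim(preg_replace('/[\x00-\x1F\x7F]/', '', $name));
    if ($name === '') {
        return '';
    }
    return '"' . addcslashes($name, "\"\\") . '"';
}

// Subject (point 3): same rule, refuse rather than strip.
function sanitizeSubject($subject)
{
    if (!isSingleLineHeaderValue($subject)) {
        return null;
    }
    return trim(preg_replace('/[\x00-\x1F\x7F]/', '', $subject));
}

// Body (point 4): every newline form becomes "\n"; the body is not a header,
// so nothing else is touched.
function normalizeBody($body)
{
    return preg_replace("/\r\n|\r|\n/", "\n", $body);
}

// Whole pipeline. Returns array('error' => ...) or the four arguments for
// mail($to, $subject, $body, $headers), with "\r\n" between header lines.
function prepareContactMail($to, $postedName, $postedEmail, $postedSubject, $postedBody)
{
    $email = validateSenderEmail($postedEmail);
    if ($email === null) {
        return array('error' => 'invalid sender address');
    }
    $name    = sanitizeSenderName($postedName);
    $subject = sanitizeSubject($postedSubject);
    if ($name === null || $subject === null) {
        return array('error' => 'newline in header field');
    }
    $from    = $name === '' ? $email : $name . ' <' . $email . '>';
    $headers = "From: " . $from . "\r\n"
             . "Reply-To: " . $email . "\r\n"
             . "X-Mailer: PHP/" . phpversion();
    return array(
        'to'      => $to,
        'subject' => $subject,
        'body'    => wordwrap(normalizeBody($postedBody), 70, "\n"),
        'headers' => $headers,
    );
}

// Constructed sample submissions: an ordinary one with angle brackets in the
// name, and one that smuggles a CRLF into the name field.
$ok  = prepareContactMail('owner@example.com', 'Jane <Doe>', 'jane@example.com',
                          'Hello', "line one\r\nline two");
$bad = prepareContactMail('owner@example.com', "Jane\r\nBcc: x@example.com",
                          'jane@example.com', 'Hello', 'x');
print_r($ok);
print_r($bad);
// if (!isset($ok['error'])) { mail($ok['to'], $ok['subject'], $ok['body'], $ok['headers']); }
```

The name in the first submission reaches the header as "Jane <Doe>" <jane@example.com>, which is a valid quoted display name; the second submission is refused before any header is built.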

EDIT: This answer may be obsolete. At the time I wrote this, there were some problems with the SwiftMailer library. At this point, everything is working fine with SwiftMailer, and it is considered to be the better library, with a lot more to offer than PHPMailer.

I would suggest you use PHPMailer. It is one of the most stable mailing libraries I've ever used. Here's example code that should be working:

include("./phpmailer/class.phpmailer.php");
$mail = new PHPMailer(true); // the true param means it will throw exceptions on errors, which we need to catch
$mail->IsSMTP();
$mail->SMTPDebug = 2;        // verbose SMTP log while testing; set to 0 in production
$mail->SMTPAuth = true;
$mail->SMTPSecure = "tls";
$mail->Host = "YourSMTPMailServer.com";
$mail->Port = 587;
$mail->Username = "[email protected]";
$mail->Password = "password"; // GMAIL password
try {
    // Names with < > ! " are quoted/encoded by the library, not injected as headers
    $mail->AddAddress("[email protected]", '<< >> ! " Receiver Name');
    $mail->SetFrom('[email protected]', '<< >> ! " Sender Name');
    $mail->Subject = "A testing subject";
    $mail->AltBody = 'To view the message, please use an HTML compatible email viewer!';
    $mail->MsgHTML('This is my <b>html</b> testing email, sent '.time());
    $mail->Send();
} catch (phpmailerException $e) {
    // invalid address, SMTP failure, etc. end up here instead of a silent failure
    echo "Message could not be sent: " . $e->getMessage();
}

You'll need to configure this so that it connects to your email server, but it should be working. So far PHPMailer escapes everything I've tried. The only thing I'm checking is "[email protected]". I do it with this code:

$email = "[email protected]";
// sanitize first (drops characters not allowed in an address), then validate the result
$email = filter_var(filter_var($email, FILTER_SANITIZE_EMAIL), FILTER_VALIDATE_EMAIL);

if($email){
    echo "This email is valid!";
} else {
    echo "This email is INVALID!";
}

I hope this helps :)

Crotch answered 7/7, 2011 at 16:7 Comment(2)
Yeah, I know PHPMailer very well, as I used it for a couple of years. I just don't like how this one works. The docs/tutorials are also outdated on their very own website! I just prefer Swiftmailer since it's backed by Fabien Potencier/Symfony. - Grafting
@Grafting I'm using SwiftMailer all the time -- so far no issues at all, although I do validate usernames/emails in advance anyway, and such <> chars will be removed a long time before they reach the mailer. - Mensurable
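For the Swiftmailer route the asker preferred, an added example (not from the question, the answer or the Swiftmailer project) of letting the library's own address validation do the work: an invalid address raises Swift_RfcComplianceException when it is set on the message, so the form handler can return an error to the user instead of handing a bad message to the MTA and receiving the undeliverable bounce described in the question. It assumes Swiftmailer 4.x or 5.x installed through Composer; the SMTP host, the recipient and the sample inputs are constructed.

```php
<?php
// Added example; not code from the question, the answer or Swiftmailer.
// Assumes Swiftmailer 4.x/5.x via Composer (assumed autoloader path).
require_once __DIR__ . '/vendor/autoload.php';

// Sends one contact-form message. Returns array('sent' => bool, 'reason' => string).
function sendContactMessage(Swift_Mailer $mailer, $to, $postedName, $postedEmail,
                            $postedSubject, $postedBody)
{
    // A header field is one line. Refuse CR/LF up front so an injection
    // attempt is reported by the application rather than bounced by the MTA.
    foreach (array($postedName, $postedEmail, $postedSubject) as $field) {
        if (preg_match('/[\r\n]/', $field)) {
            return array('sent' => false, 'reason' => 'newline in header field');
        }
    }

    // Body newlines normalised to "\n" (question point 4).
    $body = preg_replace("/\r\n|\r|\n/", "\n", $postedBody);

    try {
        $message = new Swift_Message($postedSubject);
        // Swiftmailer checks the address here; the display name is quoted or
        // encoded by the library, so < and > in it stay inside the name.
        $message->setFrom(array($postedEmail => $postedName));
        $message->setTo($to);
        $message->setBody($body, 'text/plain');

        $accepted = $mailer->send($message);   // number of recipients accepted
        return array(
            'sent'   => $accepted > 0,
            'reason' => $accepted > 0 ? '' : 'no recipient accepted',
        );
    } catch (Swift_RfcComplianceException $e) {
        // Bad address (for example < or > in the address part): the message
        // never reaches the MTA, so no undeliverable bounce is generated.
        return array('sent' => false, 'reason' => 'invalid address: ' . $e->getMessage());
    } catch (Swift_TransportException $e) {
        return array('sent' => false, 'reason' => 'transport error: ' . $e->getMessage());
    }
}

// Constructed configuration and inputs for a manual run.
$transport = new Swift_SmtpTransport('smtp.example.com', 587, 'tls');
$mailer    = new Swift_Mailer($transport);

print_r(sendContactMessage($mailer, 'owner@example.com', 'Jane <Doe>',
                           'jane@example.com', 'Hello', "first line\r\nsecond line"));
print_r(sendContactMessage($mailer, 'owner@example.com', 'Jane',
                           'jane<x>@example.com', 'Hello', 'x'));
```

The second call fails inside setFrom() with a compliance exception and returns a structured error; nothing is handed to the transport, which is the behaviour the Harhay comment above expected from the library.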
