Monday, 15 February 2010

php - PHPMailer hacked

I am working with a fellow web developer for whom I am doing some client work. One part of the current project is to add an email function that sends a web-based form to the client's email through PHPMailer.

I have used PHPMailer time and again without any issue; however, this developer has told me that they do not want PHPMailer on their server because of past instances of PHPMailer being 'hacked'.

Please note that in all the email systems I use, I believe I escape and clean the input strings as thoroughly as possible.

Here are my questions:

  • Is PHPMailer version 5.2.9 particularly susceptible to hacking?
  • How is this possible?
  • What can be done to secure PHPMailer in these instances?

Below is the code that I currently use. This is my standard PHPMailer code, and the exact code I will insert into the project above.

    require 'PHPMailerAutoload.php'; /// Version 5.2.8

    // Plain-text body built from the submitted form fields
    $message = "The following enquiry regarding " . $member['bizname'] . " was sent to " . $member['contname'] . ":\n\n"
        . "Enquirer name: " . $name . "\n"
        . "Enquirer address: " . $addr1 . " " . $addr2 . " " . $addr3 . " " . $postcode . "\n"
        . "Telephone number: " . $tel . "\n"
        . "Email address: " . $email . "\n"
        . "Dates they are interested in: " . $dates . "\n"
        . "Comments: " . $comments . "\n\n"
        . "Note: This is an automated notification email for your records. Please do not reply to this email.";

    $mail = new PHPMailer();
    $mail->Host = "localhost";
    $mail->WordWrap = 78;
    $mail->Mailer = "SMTP";
    $mail->From = "server@website.co.uk";
    $mail->FromName = "website server";
    /// This is the client's email address and will not change.
    $mail->AddAddress("static@email-address.co.uk");
    $mail->Subject = $member['bizname'] . " website enquiry";
    $mail->Body = $message;

    if (!$mail->Send()) {
        $dispmsg = "Mailer error: " . $mail->ErrorInfo;
    } else {
        $dispmsg = "Your email has been sent to " . $member['bizname'] . " who will be in touch with you shortly.";
    }

So, to repeat: are there any clear, obvious ways that this code can be hijacked to send spam?

I am the maintainer of PHPMailer; there are no vulnerabilities that I know about.

What they are referring to is a problem with an email script, not with PHPMailer; any mail library can be made to misbehave in this way if it is surrounded by bad code. The common mistake in contact-form scripts is allowing an arbitrary message to be sent to an arbitrary address, known as a spam gateway. It is not PHPMailer's job to prevent this, nor is it in a position to do so.

PHPMailer does not offer much opportunity for hacking because it is not directly exposed to the client, only indirectly via other scripts, so it has a small attack surface. The main thing in email hacking is header injection attacks, for example doing a simple $subject = $_POST['subject'] and using that unfiltered; PHPMailer specifically protects against that type of attack.

If your code is not filtering its output (e.g. $member['bizname']), it may be vulnerable to XSS.

BTW, is there any particular reason you are using the old version?
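To make the maintainer's two points concrete, here is an added example (not code from the question, the answer or PHPMailer itself) that validates the form fields before they reach the script above: header fields are rejected if they contain a line break, the recipient stays fixed, and the display message is escaped on output. The field names and the $mail/$member variables are assumed from the question.

```php
<?php
// Added example: input checks for the enquiry form in the question.
// Field names (name, email, tel) and $mail/$member are assumed from the
// question's script; nothing here is PHPMailer's own code.

// Anything that ends up in a mail header (Subject, From name, Reply-To)
// must not contain CR or LF: a line break in a header value is the basis
// of header injection. Reject rather than strip, so the submitter sees an
// error instead of a silently altered message.
function isCleanHeaderValue(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 0;
}

// Returns a list of error strings; an empty list means the input is acceptable.
function validateEnquiry(array $post): array
{
    $errors = [];
    foreach (['name', 'email', 'tel'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            $errors[] = "$field is missing";
        } elseif (!isCleanHeaderValue($post[$field])) {
            $errors[] = "$field contains a line break";
        }
    }
    if (isset($post['email'])
        && filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    return $errors;
}

// Wiring into the question's script: the recipient is never taken from the
// form (AddAddress keeps the static address, which is what avoids the
// "spam gateway" mistake); the enquirer becomes the Reply-To only after
// validation. $mail is the PHPMailer instance built in the question.
function attachEnquirer($mail, array $member, array $post): bool
{
    if (validateEnquiry($post) !== []) {
        return false;
    }
    $mail->addReplyTo($post['email'], $post['name']);
    $mail->Subject = $member['bizname'] . ' website enquiry';
    return true;
}
// When $dispmsg (which includes $member['bizname']) is shown in a page,
// escape it on output: echo htmlspecialchars($dispmsg, ENT_QUOTES, 'UTF-8');

// Constructed sample requests: the second carries an embedded CRLF and a
// malformed address, so validateEnquiry() reports two errors for it.
$good = ['name' => 'A Smith', 'email' => 'a.smith@example.com', 'tel' => '01234 567890'];
$bad  = ['name' => "A Smith\r\nX-Test: 1", 'email' => 'not-an-address', 'tel' => ''];
var_dump(validateEnquiry($good));
var_dump(validateEnquiry($bad));
```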
