system plan

10May08

First, here's a link to my system plan from last week. The weak part of it is the lack of any meaningful personas… <whinge> as far as the 'real world' goes my project is vaguely plausible but I haven't really put a lot of effort into justifying it (aiming it at real users, finding a market blah blah.) I thought the point of this subject was to demonstrate technologies, not to create a finished, publicly releasable project.. why bother with personas? </whinge>

I’ll probably end up adding some for the final version anyway.

GetId3()

Other things I've been working on: I discovered getID3(), a PHP library which, amongst other things, extracts information directly from the ID3 tag of an MP3. It would be great to add this to my project and cut out all the tediousness that admins would be forced to deal with when entering music information manually into the database. Also it's open source / GPL :) and I'm pretty sure I don't need anything other than basic user access to the server to implement it.
If I can find the time I will add this in…

upload_max_size

I also discovered that a setting in PHP, upload_max_size, is set to 2MB by default. Not having access to the php.ini file I can't change that, and frankly, I don't think the uni admins would be too pleased with me sucking up their bandwidth. I will likely re-encode some old MP3s down to 16kbps or thereabouts for the purposes of testing.

PHP email injection

So, last week I was messing about trying to learn PHP, using the mail() function and building a contact form. I learned that there are flaws in the way PHP handles input that can allow users to 'hijack' online email forms and get them to mass spam third parties.

The way this is done is that spammers enter extra line feed and carriage return characters into one of the header fields your email form provides, usually the "to" or "subject" field. They don't type them into the form itself but into the URL they submit, such as http://www.yoursite.com/yourform.php?to=variable&from=variable and so on.

After sneakily inserting the extra line breaks they write their own to, cc and bcc headers with a list of addresses they intend to spam, and when PHP's mail() function attempts to send the message it assigns these to the actual email header. For example, a legitimate email from a contact form might read:

to: admin@website.com
subject: help me!
from: someuser@website.com

message: help, I can’t change my settings on your site!

but the same hijacked email would look like this if passed a spurious variable in the URL, e.g.:

anonymous%40spam.com%0ACcc%3avictim%40site.com%0ABcc%3aanothervictim%40site.com%2cyetanothervictim%40site.com%0ACto%3anewvictim%40site.com

to: admin@website.com
from: anonymous@spam.com
cc: victim@site.com
bcc: anothervictim@site.com, yetanothervictim@site.com
to:newvictim@site.com

subject: buy some v*agra!

So, by exploiting the way PHP handles CR/LF characters, the spammer adds in his/her own cc and bcc fields (or even a second 'to' field as above), meaning our contact page and our mail server are suddenly spewing emails about v*agra and replica watches all over the internet. BAD.

(%0A and %0D are the URL-encoded LF and CR characters.)

The way to get around this is to add in some PHP to 'sanitise' the user input. That is, string match and strip (or reject outright) any of the offending characters listed above before the value ever reaches mail().

Here’s an example fix taken from securephpwiki.com

<?php
$from = $_POST["sender"]; // the 'from' address typed into our contact form
// $_POST values are already URL-decoded by PHP; this extra urldecode also turns a
// literal "%0A" or "%0D" typed into the field into \n or \r so the check below sees it
$from = urldecode($from);
// look for \r or \n (CR and LF); preg_match replaces the original's eregi(),
// which has since been deprecated and removed from PHP
if (preg_match("/(\r|\n)/", $from)) {
    die("Why ?? :( "); // if found, stop and return the string 'Why ?? :( '
}
?>
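The securephpwiki fix above only checks one field. As an added example (my own code, not from the original post or from securephpwiki.com), here is a fuller contact-form handler that applies the same CR/LF check to every header field, validates the address with filter_var(), and keeps the To and From headers fixed so the user-supplied address only ever lands in Reply-To. The function names, the example.com addresses and the two sample inputs at the bottom are all constructed for illustration.

```php
<?php
// Added example, not part of the original post: a contact-form handler that
// refuses header injection instead of trusting form input.
declare(strict_types=1);

// True if a value destined for an email header contains anything that could
// start a new header line: CR, LF or a NUL byte. The value is checked both as
// received and after URL-decoding, so "%0A" smuggled via a GET parameter is
// caught as well as a raw newline.
function has_header_injection(string $value): bool
{
    $decoded = rawurldecode($value);
    return (bool) preg_match('/[\r\n\0]/', $value . $decoded);
}

// Validate a single address for use in a header. FILTER_VALIDATE_EMAIL rejects
// embedded whitespace and control characters, so this is stricter than the
// CR/LF check alone.
function is_safe_email(string $value): bool
{
    return !has_header_injection($value)
        && filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

// Build the mail() arguments for a contact form, or return null to reject.
// To and From are fixed constants the user cannot influence, so even if the
// validation were bypassed there is no user-controlled header to extend.
function build_contact_mail(array $post): ?array
{
    $sender  = trim((string) ($post['sender']  ?? ''));
    $subject = trim((string) ($post['subject'] ?? ''));
    $body    = (string) ($post['message'] ?? '');

    if (!is_safe_email($sender) || has_header_injection($subject)) {
        return null; // caller should show an error and must not call mail()
    }

    $headers = [
        'From: contact-form@example.com',        // fixed, not user-controlled
        'Reply-To: ' . $sender,                  // the only place user input goes
        'Content-Type: text/plain; charset=UTF-8',
    ];

    return [
        'to'      => 'admin@example.com',        // fixed recipient (constructed)
        'subject' => substr($subject, 0, 200),   // cap length; already CR/LF-free
        'body'    => $body,                      // newlines in the body are harmless
        'headers' => implode("\r\n", $headers),
    ];
}

// Constructed sample inputs: one legitimate submission and one carrying an
// injected Bcc header in the sender field, as in the post's example.
$legit = [
    'sender'  => 'someuser@website.com',
    'subject' => 'help me!',
    'message' => "help, I can't change my settings on your site!",
];
$hijacked = [
    'sender'  => "anonymous@spam.com\r\nBcc: victim@site.com",
    'subject' => 'buy some v*agra!',
    'message' => 'spam',
];

echo build_contact_mail($legit)    !== null ? "legit: accepted\n"    : "legit: rejected\n";
echo build_contact_mail($hijacked) !== null ? "hijacked: accepted\n" : "hijacked: rejected\n";
```

Run it from the command line with php and the first submission is accepted while the second is rejected before mail() is ever called. The design point is that rejecting is safer than stripping: a value with a newline in it is never a genuine email address or subject, so there is nothing worth salvaging from it.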

I'm glad to have found out about this before using it in a real-world project; having a spammer or a bot hijack a form on a legitimate website would be poisonous for that business (they'd probably be blacklisted eventually).

Well, that's the limit of my understanding at the moment; here are some of the references I used.
http://www.securephpwiki.com/index.php/Email_Injection
http://www.softswot.com/form-hijacking.php
http://www.astalavista.com/index.php?section=docsys&cmd=details&id=30