Illegal characters in POST. Possible email injection attempt error

Struggling with this one.

I have set up a basic email/enquiry form for a client using WordPress (Fast secure contact form – Mike Challis, which I’ve used before with no problem).


I tested it with various emails – got others to test – All fine.

Passed on to client for approval and his email addresses (two of them) create the error: Illegal characters in POST. Possible email injection attempt

One is a BT email the other is Gmail. I have tested again with BT and Gmail all fine for my addresses – I try his again and the same error.

I did have the account password protected while testing so disabled that to see if that was the problem but makes no difference.

There’s quite a bit of code so I won’t paste it yet as someone may know instantly why this would be.

My original form had some customisations (only visual) but even when going back to the simplest new install of the plugin, same error – only with the client’s email addresses. Embarrassing.

Would really appreciate your hunches.

Thanks



1 comment

  1. I’ve found this code in the plugin (line 1433 and onwards in the latest WordPress plugin version):

    // check posted input for email injection attempts
    // Check for these common exploits
    // if you edit any of these do not break the syntax of the regex
    $input_expl = "/(content-type|mime-version|content-transfer-encoding|to:|bcc:|cc:|document.cookie|document.write|onmouse|onkey|onclick|onload)/i";
    // Loop through each POST'ed value and test if it contains one of the exploits from $input_expl:
    foreach($_POST as $k => $v){
        if (is_string($v)){
            $v = strtolower($v);
            $v = str_replace('donkey','',$v); // fixes invalid input with "donkey" in string
            $v = str_replace('monkey','',$v); // fixes invalid input with "monkey" in string
            if( preg_match($input_expl, $v) ){
                return __('Illegal characters in POST. Possible email injection attempt', 'si-contact-form');
            }
        }
    }
    

    The error occurs when at least one of the posted fields contains an ‘invalid’ value anywhere in the string. The most likely candidates that trigger this error on email addresses would seem to be onmouse, onkey, onclick, and onload. (Note that the words ‘donkey’ and ‘monkey’ are allowed.) You should check the value of $v just before the return statement so you can determine which section causes the error, then you can decide how to solve the problem.

            if( preg_match($input_expl, $v) ){
                var_dump($v); exit(); // <-- add this for testing
                return __('Illegal characters in POST. Possible email injection attempt', 'si-contact-form');
            }
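To see which addresses trip the plugin's substring check, here is an added PHP example (not plugin code and not from the commenter) that runs the quoted regex over constructed sample addresses and puts it beside a narrower check that rejects line breaks in any field and validates the email field structurally; the field names and addresses are assumptions made for the example.

```php
<?php
// Added example (not plugin code): reproduce the plugin's substring regex on
// constructed addresses, then compare with a narrower check that only rejects
// header-injection characters and validates the email field structurally.

// The pattern exactly as quoted from the plugin.
const INPUT_EXPL = "/(content-type|mime-version|content-transfer-encoding|to:|bcc:|cc:|document.cookie|document.write|onmouse|onkey|onclick|onload)/i";

// Plugin-style check: true means "flagged as illegal".
function plugin_flags(string $v): bool {
    $v = strtolower($v);
    $v = str_replace(['donkey', 'monkey'], '', $v);
    return preg_match(INPUT_EXPL, $v) === 1;
}

// Narrower check (assumption: fields arrive as name => value pairs). Adding a
// mail header needs a line break, so reject CR/LF in any field, and validate
// the email field structurally instead of by substring.
function narrow_flags(string $field, string $v): bool {
    if (preg_match("/[\r\n]/", $v) === 1) {
        return true;                       // line break in any field: reject
    }
    if ($field === 'email') {
        return filter_var($v, FILTER_VALIDATE_EMAIL) === false;
    }
    return false;
}

// Constructed sample submissions (addresses are made up for this example).
$samples = [
    ['email',   'jane.smith@example.com'],                 // ordinary address
    ['email',   'donkey.jones@example.com'],               // special-cased by the plugin
    ['email',   't.onkey@example.co.uk'],                  // contains "onkey": false positive
    ['email',   'monload@example.com'],                    // contains "onload": false positive
    ['email',   "victim@example.com\r\nbcc: x@example.net"], // actual header injection
    ['message', 'Please call me back on Monday'],           // contains none of the tokens
];

foreach ($samples as [$field, $value]) {
    printf("%-8s %-45s plugin:%-5s narrow:%s\n",
        $field,
        addcslashes($value, "\r\n"),
        plugin_flags($value) ? 'FLAG' : 'ok',
        narrow_flags($field, $value) ? 'FLAG' : 'ok');
}
```

The two false-positive rows are the kind of address the original poster describes: a perfectly valid mailbox that happens to contain one of the plugin's tokens as a substring, while the narrower check still catches the line-break injection the regex was written to stop.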