Activism: RapidWeaver Contact Form vulnerability
RapidWeaver is a nice software for Mac OS X that allows people with no knowledge of HTML/CSS whatsoever to create very nice websites. (This website was created with RapidWeaver.) It comes with themes, page templates, etc. One of those page template is a PHP Contact Form. It has come to my attention (from the RealmacSoftware support forums) that the PHP code generated by RapidWeaver (version 3.2.1 or less) is vulnerable to mail header injection attacks. I created web pages in both french and english on how to temporarily fix this vulnerability until RealmacSoftware release RapidWeaver 3.5 which is supposed to close this issue. I also did a quick search on Google to find RW-created contact forms, and I tried to exploit them. Each successful exploit was then logged and a warning email was sent to the webmaster with links to RMS forums and to the above page on how to fix this vulnerability. I received a couple of negative answers about this, but I received much, much more positive replies, thanking me for the warning or asking me for help to implement the fix.
Why did I do this: I feel like when you have the resources and know-how needed to help people and make the Internet a better place, it’s never a bad idea to use them and act. That is, when time permit..!
References: Jelly & Custard, Email Header Injection in PHP, explains php mail() header injections, and why it’s uncool to not fix this.
Update RMS have finally published a fix for RW users: here‘s the forum post that discuss the new version of the Contact Form plugin (available for RW 3.2.1).