simple email script insecure?

[Blunderboy]

Ok, noobie question here. Can the following simple email script be easily hacked? (eg abused by spammers?)
The actual form is made in Flash.

<?php

$mail_to ="emailaddress@whateverblah.com";
$mail_subject = "subject";
$mail_body = "body stuff";

if(mail($mail_to, $mail_subject, $mail_body))
echo "Successfully sent e-mail \"$mail_subject\" to $mail_to.";
else echo "Failed to send e-mail \"$mail_subject\"."
?>

[gsoft]

You'll need some way of identifying if a user has submitted for form in xtime. For example i could spam that form by simply creating a new form have it directed to the mail page and use a cronjob to simply have it going on specified time intervals.

[Blunderboy]

You'll need some way of identifying if a user has submitted for form in xtime. For example i could spam that form by simply creating a new form have it directed to the mail page and use a cronjob to simply have it going on specified time intervals.

Wait a minute, a new form directed to the mail page? Can you please explain how you would do that? I want to use this simple contact form on a website, but if it's so easy to hack then obviously I won't.

[Gaheris]

It doesn't even have to be a form. Someone who wanted to abuse this simply has to write a script which sends a POST request to your script.


All he had to do would be to send the request for example like this.
Even checking the referer wouldn't help since it has been faked.

PHP Code:

<?php
$body  = 'This is our example spam mail';
$topic = 'FREE stuff';
$addresses = array(
    'foo@bar.com',
    'example@test.com',
    'spam@me.com'
);

foreach ($addresses as $email) {
    $fp = fsockopen('www.example.com', 80);
    if ($fp) {
        $query = 'email_body='.$body.'&email_to='.$email.'&email_subject='.$topic;
        $req   = "POST /scripts/email.php HTTP/1.0\r\n";
        $req  .= "Host: www.example.com\r\n";
        $req  .= "Referer: http://www.example.com/contact.html\r\n";
        $req  .= "Content-type: application/x-www-form-urlencoded\r\n";
        $req  .= "Content-length: ". strlen($query) ."\r\n";
        $req  .= "Connection: close\r\n\r\n";
        $req  .= $query;
        fwrite($fp, $req);
        
        $answer = '';
        while (!feof($fp)) {
            $answer .= fread($fp, 1024);
        }
        fclose($fp);
    } else {
        continue;
    }
    echo 'Successfully spammed ' . $email;
}
?>

[Blunderboy]

So it looks like I shouldn't use such a script. But if I did use this on a site, and it was to get hacked by a spammer, am I then the one held responsible?

[firepages]

when you display the form do a loadvariables() call in flash and load data from a .php file , in that file start a session with some unique value and pass it as a hidden field via your form , on the processing end check that the session id passed in the hidden field matches the one stord in the current session & off you go.

of course nothing is foolproof.