  1. #1
    SitePoint Member

    Form being hijacked

    Plea for help.

    In the last couple of days my website contact form is being hijacked and utilised for sending spam out. This is being done by injecting bcc headers etc.

    I have included below our current processing form code, and yes, I know from doing investigations it is rather vulnerable, but as a newbie I am at a complete loss as to what is required to fix it. The more I read about this issue and methods of resolution, the more I get confused, with precious little in the way of examples.

    The stripslashes have only just been added, so I'm not sure what effect this will have, but other suggestions as to how to go about fixing this would be most appreciated.

    PHP Code:
    <?php
    $name = $_POST['name'];
    $company = $_POST['company'];
    $phone = $_POST['phone'];
    $email = $_POST['email'];
    $through = $_POST['through'];
    $comments = $_POST['comments'];
    $subject = $_POST['subject'];
    $courtesy = $_POST['courtesy'];
    $message = "Contact from = ".$name."\n";
    $message .= "Company = ".$company."\n";
    $message .= "Phone No = ".$phone."\n";
    $message .= "Email = ".$email."\n";
    $message .= "Through = ".$through."\n";
    $message .= "Comments = ".$comments."\n";
    // $email and $subject go straight into the mail headers with no filtering
    $headers = "From: ".$email;
    mail(stripslashes("sales@???.com"), stripslashes($subject), stripslashes($message), stripslashes($headers));
    header("location:thanks.php");
    ?>
    Thanks in advance for the help.
    Last edited by nmutimer; May 18, 2007 at 01:06. Reason: spelling

  2. #2
    manic (SitePoint Zealot, uk)
    Validation, validation and did I mention validation??

    In a nutshell, treat ALL user-editable variables as pure EVIL! (forms, querystrings, cookies) because you can be sure as hell someone somewhere will try something dodgy at least once, and most of that is now automated, so it's not 1 load of crap, it's often much more.

    It's been a long time since I last played with PHP so I don't have any example code I can throw your way, BUT the universal truth is: code it so that only what you expect to go through does go through.

    For example... a numeric value IS actually numeric and nothing else.
    Don't you just hate it when it works first time.

  3. #3
    SitePoint Member
    Cheers Manic, but that point has come across loud and clear from all the reading I have been doing; what I am missing is the ability to code this. Everything I have tried so far either stops the form from working correctly or errors, as the processing form won't complete and go to the thanks page.

  4. #4
    kyberfabrikken (SitePoint Wizard, Copenhagen, Denmark)
    Everything which comes from the user must be validated or filtered. That means anything coming from $_POST, in particular things that go into header fields.

    Here's the long explanation:
    http://www.nyphp.org/phundamentals/e..._injection.php

    And here's the short:
    PHP Code:
    <?php
    if (get_magic_quotes_gpc()) {
      $_POST = array_map('stripslashes', $_POST);
    }
    // strip anything that could start a new header line or smuggle in a header
    function filter_email_header($input) {
      return str_ireplace(Array("\r", "\n", "%0a", "%0d", "Content-Type:", "bcc:", "to:", "cc:"), "", $input);
    }

    $message = "Contact from = ".$_POST['name']."\n";
    $message .= "Company = ".$_POST['company']."\n";
    $message .= "Phone No = ".$_POST['phone']."\n";
    $message .= "Email = ".$_POST['email']."\n";
    $message .= "Through = ".$_POST['through']."\n";
    $message .= "Comments = ".$_POST['comments']."\n";

    $headers = "From: ".filter_email_header($_POST['email']);
    $subject = filter_email_header($_POST['subject']);

    mail("sales@???.com", $subject, $message, $headers);
    header("Location: thanks.php");
    exit;
    Last edited by kyberfabrikken; May 18, 2007 at 02:47.
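    Added example (editor's code, not from this thread or its posters): a stricter version of the handler in post #4 that rejects a header-bound value containing a line break instead of cleaning it, validates the address with filter_var, and keeps From fixed while putting the visitor's address in Reply-To. It assumes PHP 5.2 or later and uses example.com placeholder addresses.

```php
<?php
// Added example, not code from the thread. It tightens the approach in post
// #4 in two ways: a header-bound value containing a line break is rejected
// outright instead of being cleaned up, and the visitor's address goes into
// Reply-To while From is a fixed address on our own domain, so nothing the
// visitor typed ever decides who the message is addressed to.
// Assumed: PHP 5.2 or later (filter_var); example.com addresses are placeholders.

// True if the value could terminate the current header line and start a new one.
function contains_header_break($value) {
    return preg_match('/[\r\n]/', $value) === 1;
}

// Check one submission; returns an array of error strings, empty when clean.
// Only the two fields that reach mail() headers are checked: the body may
// contain newlines safely, so name, phone and comments need no such test.
function validate_contact(array $post) {
    $errors = array();
    $subject = isset($post['subject']) ? $post['subject'] : '';
    if ($subject === '' || contains_header_break($subject)) {
        $errors[] = 'subject is empty or contains a line break';
    }
    $email = isset($post['email']) ? $post['email'] : '';
    // FILTER_VALIDATE_EMAIL accepts exactly one bare address, so a value with
    // a CR/LF and an extra header line after it fails here too.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    return $errors;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validate_contact($_POST);
    if ($errors) {
        // Log the rejection for your own records and send nothing at all.
        error_log('contact form rejected: ' . implode('; ', $errors));
        header('HTTP/1.1 400 Bad Request');
        exit('Sorry, the form could not be sent: ' . htmlspecialchars(implode('; ', $errors)));
    }
    $message  = "Contact from = " . $_POST['name'] . "\n";
    $message .= "Company = " . $_POST['company'] . "\n";
    $message .= "Phone No = " . $_POST['phone'] . "\n";
    $message .= "Email = " . $_POST['email'] . "\n";
    $message .= "Through = " . $_POST['through'] . "\n";
    $message .= "Comments = " . $_POST['comments'] . "\n";
    $headers  = "From: webform@example.com\r\nReply-To: " . $_POST['email'];
    mail('sales@example.com', $_POST['subject'], $message, $headers);
    header('Location: thanks.php');
    exit;
}
```

    A rejected submission leaves a line in the web server's error log, which is also the easiest place to see whether the form is still being probed after the change.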

  5. #5
    SitePoint Member
    kyberfabrikken

    Many thanks, you are a saviour. I will implement it immediately, and hopefully tonight my email count will drop back to a more normal value.

    nm
