kyalee Posted August 9, 2008

Hi all, I just wrote my very first PHP script ever. It's a simple mail form for use on my webpage along with a contact form. I'd love it if a few of you more experienced people would glance at it and let me know if there are any security vulnerabilities I'm overlooking. Thanks!

```php
<?php
// PHP SCRIPT TO HANDLE CONTACT FORM
include('header.inc');

// WHERE THE E-MAIL IS GOING
$recipient = 'me@mysite.com';

//EMAIL SUBJECT
$subject = 'Contact Form Submitted';

//WHAT THE EMAIL SAYS
$msg = "New Contact Form Submitted with the following information:

Name: $name
Email: $email
Phone #: $phone
Comments: $comments";

//REQUIRED FIELD ERROR MESSAGE
$error_required = "<p>You did not fill in all required fields. Please return to the contact form and try again.</p>";

//EMAIL FORMAT ERROR MESSAGE
$error_email = "<p>The email address you entered is invalid. Please return to the contact form and try again.</p>";

//EMAIL SENT SUCESSFULLY MESSAGE
$sucess_msg = "<p>Thank you for your interest. I will contact you with more information as soon as possible.</p>";

//CHECKING FOR REQUIRED FIELDS AND CORRECTLY FORMATED EMAIL
if ((!$name) || (!$email) || (!$comments)) {
    echo $error_required;
} elseif (!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email)) {
    echo $error_email;
} else {
    //MAILING FORM
    mail ($recipient, $subject, $msg, 'From: webmaster@website.com');
    echo $sucess_msg;
}

include('footer.inc');
?>
```
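Added example (editor's code, not kyalee's script and not from any reply in this thread): a hardened version of the same handler. It reads the four fields from `$_POST` explicitly instead of relying on `register_globals`, strips tags and trims every field, validates the address with `filter_var()` rather than the deprecated `eregi()`, and refuses any CR/LF in the one user value that ends up in a mail header (`Reply-To`), which is the e-mail header-injection primitive a contact form is usually abused for. The recipient, subject and `From:` values are placeholders carried over from the original post; the field names `name`, `email`, `phone`, `comments` and the length caps are assumptions.

```php
<?php
// Added example, not the original script. Assumes the form POSTs the fields
// name, email, phone and comments; addresses below are placeholders.

// Read a field explicitly from $_POST (no register_globals), drop NUL bytes,
// strip tags, trim whitespace and cap the length so nobody can push megabytes
// into the mail body. Legitimate '<' in comments is lost; that is the trade-off.
function form_field($key, $max_len)
{
    $value = isset($_POST[$key]) ? (string) $_POST[$key] : '';
    $value = str_replace("\0", '', $value);
    $value = trim(strip_tags($value));
    return substr($value, 0, $max_len);
}

// Anything placed in a mail header must not contain CR or LF: a submitted
// address such as "a@b.com\r\nBcc: victim1,victim2" would otherwise add
// headers of the attacker's choosing. Reject rather than "clean".
function has_crlf($value)
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Returns a list of error messages; an empty list means the input is acceptable.
function validate_contact(array $in)
{
    $errors = array();
    if ($in['name'] === '' || $in['email'] === '' || $in['comments'] === '') {
        $errors[] = 'You did not fill in all required fields.';
    }
    if ($in['email'] !== '' && filter_var($in['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'The email address you entered is invalid.';
    }
    if (has_crlf($in['email'])) {
        $errors[] = 'The email address must not contain line breaks.';
    }
    // Phone is optional: digits, spaces, dots, parentheses, dashes, plus and x only.
    if ($in['phone'] !== '' && !preg_match('/^[0-9()+\-\s.x]{7,20}$/', $in['phone'])) {
        $errors[] = 'The phone number contains invalid characters.';
    }
    return $errors;
}

$recipient = 'me@mysite.com';          // placeholder from the original post
$subject   = 'Contact Form Submitted';
$from      = 'webmaster@website.com';  // fixed local address, never the visitor's

$in = array(
    'name'     => form_field('name', 100),
    'email'    => form_field('email', 254),
    'phone'    => form_field('phone', 30),
    'comments' => form_field('comments', 4000),
);

$errors = validate_contact($in);
if (count($errors) > 0) {
    foreach ($errors as $e) {
        // Escape before echoing so the error page cannot reflect attacker-supplied HTML.
        echo '<p>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</p>';
    }
    exit;
}

$msg = "New Contact Form Submitted with the following information:\n\n"
     . "Name: {$in['name']}\n"
     . "Email: {$in['email']}\n"
     . "Phone #: {$in['phone']}\n"
     . "Comments:\n{$in['comments']}\n";

// The visitor's address goes in Reply-To (already checked for CR/LF above).
// From stays a fixed address on your own domain so your mail server's sender
// checks still pass.
$headers = "From: $from\r\n"
         . "Reply-To: {$in['email']}\r\n"
         . "Content-Type: text/plain; charset=UTF-8\r\n";

if (mail($recipient, $subject, $msg, $headers)) {
    echo '<p>Thank you for your interest. I will contact you with more information as soon as possible.</p>';
} else {
    echo '<p>Sorry, the message could not be sent right now.</p>';
}
```

Note that the original script never put user input into a header, so it was not directly open to header injection; the hardened version adds `Reply-To` for convenience and therefore has to carry the CR/LF check. Keeping `From:` fixed to an address on your own domain also avoids forging the visitor as the sender.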
darkfreaks Posted August 9, 2008

Do you have a link to the actual script where we can test it directly?

Edit: one thing I noticed is you could use strip_tags() and trim() on the phone and address fields.
darkfreaks Posted August 9, 2008

Also, the phone address could be verified like this:

```php
<?php
$phone_number = $_POST['phone'];
$pattern = '/^[\(]?(\d{0,3})[\)]?[\s]?[\-]?(\d{3})[\s]?[\-]?(\d{4})[\s]?[x]?(\d*)$/';

if (preg_match($pattern, $phone_number, $matches)) {
    // we have a match, dump sub-patterns to $matches
    $phone_number = $matches[0]; // original number
    $area_code    = $matches[1]; // 3-digit area code
    $exchange     = $matches[2]; // 3-digit exchange
    $number       = $matches[3]; // 4-digit number
    $extension    = $matches[4]; // extension
}
?>
```
kyalee (Author) Posted August 9, 2008

The script can be seen in action here: http://www.astriawebdesign.com/contact.php

I'm not at all used to giving out anything that could be used as identifying information on-line, but I guess I'll need to get over that if I'm going to have an on-line based business. *g*
darkfreaks Posted August 9, 2008

HTTP TRACE method is enabled on this web server.
In the presence of other cross-domain vulnerabilities in web browsers, sensitive header information could be read from any domains that support the HTTP TRACE method. This vulnerability affects Web Server.
The impact of this vulnerability: Attackers may abuse HTTP TRACE functionality to gain access to information in HTTP headers such as cookies and authentication data.
How to fix this vulnerability: Disable TRACE Method on the web server.

Apache Mod_SSL SSL_Util_UUEncode_Binary Stack Buffer Overflow Vulnerability
This alert was generated using only banner information. It may be a false positive.
A stack-based buffer overflow has been reported in the Apache mod_ssl module. This issue would most likely result in a denial of service if triggered, but could theoretically allow for execution of arbitrary code. The issue is not believed to be exploitable to execute arbitrary code on x86 architectures, though this may not be the case with other architectures. Affected mod_ssl versions (up to 2.8.17). This vulnerability affects mod_ssl.
The impact of this vulnerability: Denial of service and/or possible arbitrary code execution.
How to fix this vulnerability: Upgrade mod_ssl to the latest version.

Apache Mod_SSL Log Function Format String Vulnerability
This alert was generated using only banner information. It may be a false positive.
A format string vulnerability has been found in mod_ssl versions older than 2.8.19. Successful exploitation of this issue will most likely allow an attacker to execute arbitrary code on the affected computer. Affected mod_ssl versions (up to 2.8.18). This vulnerability affects mod_ssl.
The impact of this vulnerability: Denial of service and/or possible arbitrary code execution.
How to fix this vulnerability: Upgrade mod_ssl to the latest version.
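Added example (editor's configuration, not part of the scanner output above or of any post in this thread): the fix the first alert asks for, assuming the site runs Apache httpd, which the mod_ssl banner alerts suggest. `TraceEnable` is available from httpd 1.3.34 and 2.0.55 onwards and in all 2.2 releases; it belongs in the main server or virtual-host configuration, not in `.htaccess`. The mod_rewrite rule is the fallback for builds that predate the directive.

```apache
# Disable the TRACE method (httpd 1.3.34+ / 2.0.55+ / 2.2.x).
# Place in httpd.conf or a <VirtualHost> block; not honoured in .htaccess.
TraceEnable off

# Fallback for older builds without TraceEnable: answer TRACE with 403.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

# Verify after restarting httpd (the request should no longer be echoed back):
#   curl -i -X TRACE http://www.example.com/
# With TraceEnable off Apache answers "405 Method Not Allowed"; with the
# rewrite fallback it answers "403 Forbidden".
```

The two mod_ssl alerts are banner-based, as the output itself says, so check the installed package version before acting on them; the TRACE finding, by contrast, can be confirmed directly with the `curl` request in the comment.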
darkfreaks Posted August 9, 2008

Email address found
One or more email addresses have been found on this page. The majority of spam comes from email addresses harvested off the internet. The spam-bots (also known as email harvesters and email extractors) are programs that scour the internet looking for email addresses on any website they come across. Spambot programs look for strings like myname@mydomain.com and then record any addresses found.
The impact of this vulnerability: Email addresses posted on Web sites may attract spam.
How to fix this vulnerability: http://evolt.org/article/Spam_Proofing_Your_Website/20/41849/