ethoemmes Posted September 18, 2006 Share Posted September 18, 2006 Hi,I have used the following script for about a year now but yesterday I started receiving a lot of emails in my email box (looks like someone has hacked this script to send spam)Can anyone spot any improvements I could make to it? It is called from the following pagehttp://rrbltd.co.uk/contact.htmThanksE[code] <?php session_start(); header("Cache-control: private"); $Title = $_POST['Title']; $FirstName = $_POST['FirstName']; $LastName = $_POST['LastName']; $Email = $_POST['Email']; $Comments = $_POST['Comments']; $AddToML = $_POST['AddToML']; $_SESSION['Title'] = $Title; $_SESSION['FirstName'] = $FirstName; $_SESSION['LastName'] = $LastName; $_SESSION['Email'] = $Email; $strMailTo = '[email protected]'; $strSubject = 'Enquiry from Website'; $strBody = "$Comments \n Received from \n $Title $FirstName $LastName \n $Email"; if (empty($FirstName) || empty($LastName) || empty($Email)) { header( "Location: form_error.php" ); } else { $From = "From: \"$FirstName $LastName\" <$Email>\nX-Mailer: PHP/" . phpversion(); mail ($strMailTo, $strSubject, $strBody, $From); if (isset($_POST['AddToML'])) { header( "Location: http://www.rrbltd.com/registration_form.htm" ); } else { header( "Location: http://www.rrbltd.com/contact_thanks.htm"); } } ?>[/code] Link to comment https://forums.phpfreaks.com/topic/21181-help-my-form-script-has-been-hacked/ Share on other sites More sharing options...
ronverdonk Posted September 18, 2006 Share Posted September 18, 2006 I am sorry for anyone reading this, but I don't want to cause more trouble for you or let anyone in on my tests and findings, so I have sent a separate email with the full text.Well, where to start? I tried your site and I could ........ (in separate email)To start with, you should filter ALL input from outside. ....... (in separate email)I also could enter ...... Also the likeable content and length of input fields: ......To sum it up: don't trust ANY input from outside and filter and validate all input and be aware of people who like to spend time to figure out how your email application works, so they can inject pieces of code to find that out.Then prevent double and more submissions of the same form. Robots tend to do that. Ar least verify that anyone who wants to submit is a real person and not a robot. So use a CAPTCHA for verification!There are plenty captcha samples around on the web, otherwise ask for it in this forum.Good luckRonald 8) Link to comment https://forums.phpfreaks.com/topic/21181-help-my-form-script-has-been-hacked/#findComment-94237 Share on other sites More sharing options...
kenrbnsn Posted September 18, 2006 Share Posted September 18, 2006 You should post you're findings here as an example of what can happen with unsecured email scripts. How the spammers are doing this has been public knowledge for at least a year. They hit my sites a year ago in one of the first wave of spam attempts. They are still hitting my sites, but they aren't succeeding.BTW, don't bother putting out any error messages when you get hit, the hits are usually being done via spambot programs and they don't care about errors.Ken Link to comment https://forums.phpfreaks.com/topic/21181-help-my-form-script-has-been-hacked/#findComment-94262 Share on other sites More sharing options...
ronverdonk Posted September 18, 2006 Share Posted September 18, 2006 Kenrbnsn: I fully agree normally, but his is a live site and I don't want anyone to hack him now. It is not only spamming but also js and header inclusion that worries me.Ronald 8) Link to comment https://forums.phpfreaks.com/topic/21181-help-my-form-script-has-been-hacked/#findComment-94263 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.