Jump to content


Photo

Help, my form script has been hacked


  • Please log in to reply
3 replies to this topic

#1 ethoemmes

ethoemmes
  • Members
  • Pip
  • Newbie
  • 4 posts

Posted 18 September 2006 - 07:33 PM

Hi,

I have used the following script for about a year now but yesterday I started receiving a lot of emails in my email box (looks like someone has hacked this script to send spam)

Can anyone spot any improvements I could make to it? It is called from the following page

http://rrbltd.co.uk/contact.htm

Thanks

E

  <?php
  session_start();
  header("Cache-control: private");
  
  $Title = $_POST['Title'];
  $FirstName = $_POST['FirstName'];
  $LastName = $_POST['LastName'];
  $Email = $_POST['Email'];
  $Comments = $_POST['Comments'];
  $AddToML = $_POST['AddToML'];
  
  $_SESSION['Title'] = $Title;
  $_SESSION['FirstName'] = $FirstName;
  $_SESSION['LastName'] = $LastName;
  $_SESSION['Email'] = $Email;
  
  $strMailTo = 'Info@rrbltd.com';
  $strSubject = 'Enquiry from Website';
  $strBody = "$Comments \n
  Received from \n
  $Title $FirstName $LastName \n
  $Email";
  
  if (empty($FirstName) || empty($LastName) || empty($Email)) {
      header( "Location: form_error.php" );
    }
  else {
  
  $From = "From: \"$FirstName $LastName\" <$Email>\nX-Mailer: PHP/" . phpversion();
  
  mail ($strMailTo, $strSubject, $strBody, $From);
  
  if (isset($_POST['AddToML'])) {
  
  header( "Location: http://www.rrbltd.com/registration_form.htm" );
  }
  else {
  header( "Location: http://www.rrbltd.com/contact_thanks.htm");
  }
  }
  ?>


#2 ronverdonk

ronverdonk
  • Members
  • PipPipPip
  • Advanced Member
  • 277 posts
  • LocationNetherlands

Posted 18 September 2006 - 09:40 PM

I am sorry for anyone reading this, but I don't want to cause more trouble for you or let anyone in on my tests and findings, so I have sent a separate email with the full text.

Well, where to start? I tried your site and I could ........ (in separate email)

To start with, you should filter ALL input from outside. ....... (in separate email)

I also could enter ......

Also the likeable content and length of input fields: ......

To sum it up: don't trust ANY input from outside and filter and validate all input and be aware of people who like to spend time to figure out how your email application works, so they can inject pieces of code to find that out.

Then prevent double and more submissions of the same form. Robots tend to do that. Ar least verify that anyone who wants to submit is a real person and not a robot. So use a CAPTCHA for verification!
There are plenty captcha samples around on the web, otherwise ask for it in this forum.

Good luck

Ronald   8)
RTFM is an almost extinct art form, it should be subsidized.

#3 kenrbnsn

kenrbnsn
  • Staff Alumni
  • Advanced Member
  • 8,235 posts
  • LocationHillsborough, NJ, USA

Posted 18 September 2006 - 10:23 PM

You should post you're findings here as an example of what can happen with unsecured email scripts. How the spammers are doing this has been public knowledge for at least a year. They hit my sites a year ago in one of the first wave of spam attempts. They are still hitting my sites, but they aren't succeeding.

BTW, don't bother putting out any error messages when you get hit, the hits are usually being done via spambot programs and they don't care about errors.

Ken

#4 ronverdonk

ronverdonk
  • Members
  • PipPipPip
  • Advanced Member
  • 277 posts
  • LocationNetherlands

Posted 18 September 2006 - 10:29 PM

Kenrbnsn: I fully agree normally, but his is a live site and I don't want anyone to hack him now. It is not only spamming but also js and header inclusion that worries me.

Ronald   8)
RTFM is an almost extinct art form, it should be subsidized.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users