Jump to content

Archived

This topic is now archived and is closed to further replies.

ethoemmes

Help, my form script has been hacked

Recommended Posts

Hi,

I have used the following script for about a year now but yesterday I started receiving a lot of emails in my email box (looks like someone has hacked this script to send spam)

Can anyone spot any improvements I could make to it? It is called from the following page

http://rrbltd.co.uk/contact.htm

Thanks

E

[code]
  <?php
  session_start();
  header("Cache-control: private");
 
  $Title = $_POST['Title'];
  $FirstName = $_POST['FirstName'];
  $LastName = $_POST['LastName'];
  $Email = $_POST['Email'];
  $Comments = $_POST['Comments'];
  $AddToML = $_POST['AddToML'];
 
  $_SESSION['Title'] = $Title;
  $_SESSION['FirstName'] = $FirstName;
  $_SESSION['LastName'] = $LastName;
  $_SESSION['Email'] = $Email;
 
  $strMailTo = 'Info@rrbltd.com';
  $strSubject = 'Enquiry from Website';
  $strBody = "$Comments \n
  Received from \n
  $Title $FirstName $LastName \n
  $Email";
 
  if (empty($FirstName) || empty($LastName) || empty($Email)) {
      header( "Location: form_error.php" );
    }
  else {
 
  $From = "From: \"$FirstName $LastName\" <$Email>\nX-Mailer: PHP/" . phpversion();
 
  mail ($strMailTo, $strSubject, $strBody, $From);
 
  if (isset($_POST['AddToML'])) {
 
  header( "Location: http://www.rrbltd.com/registration_form.htm" );
  }
  else {
  header( "Location: http://www.rrbltd.com/contact_thanks.htm");
  }
  }
  ?>
[/code]

Share this post


Link to post
Share on other sites
I am sorry for anyone reading this, but I don't want to cause more trouble for you or let anyone in on my tests and findings, so I have sent a separate email with the full text.

Well, where to start? I tried your site and I could ........ (in separate email)

To start with, you should filter ALL input from outside. ....... (in separate email)

I also could enter ......

Also the likeable content and length of input fields: ......

To sum it up: don't trust ANY input from outside and filter and validate all input and be aware of people who like to spend time to figure out how your email application works, so they can inject pieces of code to find that out.

Then prevent double and more submissions of the same form. Robots tend to do that. Ar least verify that anyone who wants to submit is a real person and not a robot. So use a CAPTCHA for verification!
There are plenty captcha samples around on the web, otherwise ask for it in this forum.

Good luck

Ronald   8)

Share this post


Link to post
Share on other sites
You should post you're findings here as an example of what can happen with unsecured email scripts. How the spammers are doing this has been public knowledge for at least a year. They hit my sites a year ago in one of the first wave of spam attempts. They are still hitting my sites, but they aren't succeeding.

BTW, don't bother putting out any error messages when you get hit, the hits are usually being done via spambot programs and they don't care about errors.

Ken

Share this post


Link to post
Share on other sites
Kenrbnsn: I fully agree normally, but his is a live site and I don't want anyone to hack him now. It is not only spamming but also js and header inclusion that worries me.

Ronald   8)

Share this post


Link to post
Share on other sites

×

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.