ethoemmes Posted September 18, 2006 Share Posted September 18, 2006 Hi,I have used the following script for about a year now but yesterday I started receiving a lot of emails in my email box (looks like someone has hacked this script to send spam)Can anyone spot any improvements I could make to it? It is called from the following pagehttp://rrbltd.co.uk/contact.htmThanksE[code] <?php session_start(); header("Cache-control: private"); $Title = $_POST['Title']; $FirstName = $_POST['FirstName']; $LastName = $_POST['LastName']; $Email = $_POST['Email']; $Comments = $_POST['Comments']; $AddToML = $_POST['AddToML']; $_SESSION['Title'] = $Title; $_SESSION['FirstName'] = $FirstName; $_SESSION['LastName'] = $LastName; $_SESSION['Email'] = $Email; $strMailTo = 'Info@rrbltd.com'; $strSubject = 'Enquiry from Website'; $strBody = "$Comments \n Received from \n $Title $FirstName $LastName \n $Email"; if (empty($FirstName) || empty($LastName) || empty($Email)) { header( "Location: form_error.php" ); } else { $From = "From: \"$FirstName $LastName\" <$Email>\nX-Mailer: PHP/" . phpversion(); mail ($strMailTo, $strSubject, $strBody, $From); if (isset($_POST['AddToML'])) { header( "Location: http://www.rrbltd.com/registration_form.htm" ); } else { header( "Location: http://www.rrbltd.com/contact_thanks.htm"); } } ?>[/code] Quote Link to comment Share on other sites More sharing options...
ronverdonk Posted September 18, 2006 Share Posted September 18, 2006 I am sorry for anyone reading this, but I don't want to cause more trouble for you or let anyone in on my tests and findings, so I have sent a separate email with the full text.Well, where to start? I tried your site and I could ........ (in separate email)To start with, you should filter ALL input from outside. ....... (in separate email)I also could enter ...... Also the likeable content and length of input fields: ......To sum it up: don't trust ANY input from outside and filter and validate all input and be aware of people who like to spend time to figure out how your email application works, so they can inject pieces of code to find that out.Then prevent double and more submissions of the same form. Robots tend to do that. Ar least verify that anyone who wants to submit is a real person and not a robot. So use a CAPTCHA for verification!There are plenty captcha samples around on the web, otherwise ask for it in this forum.Good luckRonald 8) Quote Link to comment Share on other sites More sharing options...
kenrbnsn Posted September 18, 2006 Share Posted September 18, 2006 You should post you're findings here as an example of what can happen with unsecured email scripts. How the spammers are doing this has been public knowledge for at least a year. They hit my sites a year ago in one of the first wave of spam attempts. They are still hitting my sites, but they aren't succeeding.BTW, don't bother putting out any error messages when you get hit, the hits are usually being done via spambot programs and they don't care about errors.Ken Quote Link to comment Share on other sites More sharing options...
ronverdonk Posted September 18, 2006 Share Posted September 18, 2006 Kenrbnsn: I fully agree normally, but his is a live site and I don't want anyone to hack him now. It is not only spamming but also js and header inclusion that worries me.Ronald 8) Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.