bemoi Posted November 8, 2006

Hi All,

I'm not a PHP coder myself, but I use ready-made code to build my online projects. So, I used an e-mail form for quite some time which was going well until I received this email from the guy that hosts the server. The email goes like this:

> There is a major security flaw in the code used in the contact form on Zarzora.com. The code allows spammers to send Spam email from the form which will appear to targeted users as Spam originating from Zarzora and its IP. The exploit was discovered and used extensively which led to the IP address being banned by a number of major networks. Since Zarzora is assigned a shared IP address, all my other clients sharing the same IP were banned as well.
>
> I had to suspend the site right away to stop spammers exploiting this vulnerability. Unfortunately this action will also disable critical services such as email. Please advise your web master to fix this issue as fast as possible and review the rest of the site for other potential problems and send me the fixed pages for upload.
>
> I will be moving you to a separate IP of your own.
>
> A.B.

I used a very simple code to make my email form, which is:

[code]
<?php
// Form fields: the original script relied on register_globals, so they arrived as
// bare variables; they are read from $_POST here so the script runs on current PHP.
$name     = $_POST['name'] ?? '';
$email    = $_POST['email'] ?? '';
$comments = $_POST['comments'] ?? '';

$today = date("M d, Y");
$recipient = "[email protected]";
$subject = "Comments From Zarzora";
$forminfo = "Name: $name\nE-mail: $email\nComments: $comments\nForm Submitted: $today\n\n";
// $email is placed unvalidated into the From: and Reply-to: headers
$formsend = mail($recipient, $subject, $forminfo, "From: $email\r\nReply-to: $email");
?>
[/code]

So what caused that problem, or is he just saying so?? Advice needed please.
bqallover Posted November 8, 2006

Where is that $email variable coming from on the line:

[code]E-mail: $email\n[/code]

If it isn't being validated, it would be possible for a spammer to inject other email headers, hence sending to other recipients, by adding newlines (\r\n) on your comments form and then adding whatever they like. You need to check that some form of email validation is being carried out on that variable, as well as perhaps stripping HTML tags from the comment itself, which will prevent any kind of scripting attack.

It might be time to look for a new, more secure, script. :)
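A hardened version of the form handler, added here as an example (it is not code from the thread or from bemoi's site), applying the advice above: every value that ends up in a mail header is rejected if it contains CR or LF, the address is validated, and HTML is stripped from the body. The form field names, the fixed sender address and the recipient are assumptions.

```php
<?php
// Added example, not the original script. Builds the mail() arguments for the
// contact form only when the submitted values are safe to place in headers.
// Assumed form field names: name, email, comments.
function build_contact_mail(array $post, string $recipient, string $subject): ?array
{
    $name     = trim((string)($post['name'] ?? ''));
    $email    = trim((string)($post['email'] ?? ''));
    $comments = (string)($post['comments'] ?? '');

    // Any CR/LF in a header-bound value would let extra header lines be appended,
    // which is the header-injection problem described in the thread. Refuse it.
    foreach ([$name, $email, $subject] as $headerValue) {
        if (preg_match('/[\r\n]/', $headerValue)) {
            return null;
        }
    }

    // Syntactic validation of the address (also rejects control characters).
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // Plain-text body with markup stripped, as suggested in the reply above.
    $body = "Name: " . strip_tags($name) . "\n"
          . "E-mail: " . $email . "\n"
          . "Comments: " . strip_tags($comments) . "\n"
          . "Form Submitted: " . date("M d, Y") . "\n";

    // Use a fixed From: under your own domain (assumed address) and keep the
    // visitor's address only in Reply-To, so the server never sends "as" them.
    $headers = "From: webform@example.com\r\nReply-To: " . $email . "\r\n";

    return ['to' => $recipient, 'subject' => $subject, 'body' => $body, 'headers' => $headers];
}

// Constructed inputs: a normal submission and one carrying a newline in the address.
$benign  = ['name' => 'Alice', 'email' => 'alice@example.org', 'comments' => 'Hello'];
$attempt = ['name' => 'x', 'email' => "alice@example.org\r\nBcc: other@example.net", 'comments' => 'x'];

$ok      = build_contact_mail($benign,  'contact@example.com', 'Comments From Zarzora');
$blocked = build_contact_mail($attempt, 'contact@example.com', 'Comments From Zarzora');

// $ok is an array ready for mail($ok['to'], $ok['subject'], $ok['body'], $ok['headers']);
// $blocked is null, so the injected submission is never handed to mail().
```

Only call mail() when the function returns an array; a null result is the signal to log the rejected submission rather than send anything.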