bemoi Posted November 8, 2006

Hi all,

I'm not a PHP coder myself, but I use ready-made code to make my online projects. So, I used an e-mail form for quite some time which was going well until I received this email from the guy that hosts the server. The email goes like this:

> There is a major security flaw in the code used in the contact form on Zarzora.com. The code allows spammers to send Spam email from the form which will appear to targeted users as Spam originating from Zarzora and its IP. The exploit was discovered and used extensively which led to the IP address being banned by a number of major networks. Since Zarzora is assigned a shared IP address, all my other clients sharing the same IP were banned as well.
>
> I had to suspend the site right away to stop spammers exploiting this vulnerability. Unfortunately this action will also disable critical services such as email. Please advise your web master to fix this issue as fast as possible and review the rest of the site for other potential problems and send me the fixed pages for upload.
>
> I will be moving you to a separate IP of your own.
>
> A.B.

I used a very simple code to make my email form, which is:

[code]
<?
// $name, $email and $comments arrive straight from the form (register_globals)
// and are used without any validation.
$today = date("M d, Y");
$recipient = "ask@zarzora.com";
$subject = "Comments From Zarzora";
$forminfo = "Name: $name\nE-mail: $email\nComments: $comments\nForm Submitted: $today\n\n";
// The unvalidated $email is placed directly into the mail headers.
$formsend = mail("$recipient", "$subject", "$forminfo", "From: $email\r\nReply-to:$email");
?>
[/code]

So what caused that problem, or is he just saying so?? Advice needed please.
bqallover Posted November 8, 2006

Where is that $email variable coming from on the line:

[code]E-mail: $email\n[/code]

If it isn't being validated, it would be possible for a spammer to inject other email headers, hence sending to other recipients, by adding newlines (\r\n) on your comments form then adding whatever they like. You need to check that some form of email validation is being carried out on that variable, as well as perhaps stripping HTML tags from the comment itself, which will prevent any kind of scripting attack.

It might be time to look for a new, more secure, script. :)
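The header-injection problem bqallover describes, shown as a hardened rewrite of the form mailer. This is an added example and not code from either poster; the form field names ('name', 'email', 'comments'), the fixed sender address noreply@example.com and the recipient are assumptions for illustration.

```php
<?php
// Added example, not from the original thread: a contact-form mailer that
// refuses header injection instead of passing form input straight to mail().

// Reject any value that contains CR or LF. A newline is exactly what is needed
// to append an extra header line (To:, Cc:, Bcc:, ...) to the message.
function has_crlf(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// filter_var() also rejects CR/LF, but checking has_crlf() first gives a
// distinct log line when an injection attempt is seen.
function valid_email(string $value): bool
{
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

// Returns true when the message was handed to mail(), false when rejected.
function send_contact_form(array $post, string $recipient): bool
{
    $name     = trim($post['name'] ?? '');
    $email    = trim($post['email'] ?? '');
    $comments = trim($post['comments'] ?? '');

    if (has_crlf($name) || has_crlf($email)) {
        error_log('contact form: CR/LF in a header field, submission rejected');
        return false;
    }
    if (!valid_email($email)) {
        error_log('contact form: invalid sender address, submission rejected');
        return false;
    }

    // The body is not a header, but strip tags so the message cannot carry
    // markup if it is ever displayed as HTML by a mail client or web UI.
    $body = "Name: " . strip_tags($name) . "\n"
          . "E-mail: $email\n"
          . "Comments: " . strip_tags($comments) . "\n"
          . "Form Submitted: " . date("M d, Y") . "\n";

    // Never build From: from user input. Send from a fixed address on the
    // site's own domain (assumed here) and put the validated visitor address
    // only in Reply-To.
    $headers = "From: noreply@example.com\r\n"
             . "Reply-To: $email\r\n";

    return mail($recipient, "Comments From Zarzora", $body, $headers);
}

// Constructed sample input of the kind the host reported: the email field
// carries an extra header line. It is rejected before mail() is ever called.
$sample = [
    'name'     => 'Visitor',
    'email'    => "someone@example.com\r\nBcc: other@example.com",
    'comments' => 'hello',
];
var_dump(has_crlf($sample['email']));                  // bool(true)
var_dump(send_contact_form($sample, 'ask@example.com')); // bool(false)
```

The two checks are deliberately separate: has_crlf() catches the injection attempt itself, while filter_var() catches ordinary typos. Logging each rejection with its own message makes it easy to spot a burst of injection attempts in the server log, which is the signal the host in the thread was missing until the IP was already blacklisted.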