PHP Mail Form Help

bemoi

Hi All,
I'm not a PHP coder myself, but I use ready-made code to make my online projects. So, I used an e-mail form for quite some time, which was going well until I received this email from the guy who hosts the server.

The email goes like this:
> There is a major security flaw in the code used in the contact
> form on Zarzora.com. The code allows spammers to send Spam email
> from the form which will appear to targeted users as Spam
> originating from Zarzora and its IP. The exploit was discovered
> and used extensively which led to the IP address being banned by a
> number of major networks. Since Zarzora is assigned a shared IP
> address, all my other clients sharing the same IP were banned as
> well.
>
> I had to suspend the site right away to stop spammers exploiting
> this vulnerability. Unfortunately this action will also disable
> critical services such as email. Please advise your web master to
> fix this issue as fast as possible and review the rest of the site
> for other potential problems and send me the fixed pages for upload.
>
> I will be moving you to a separate IP of your own.
>
> A.B.

I used a very simple piece of code to make my email form, which is:
[code]
<?php
// The script expected the form fields as global variables (register_globals);
// read them from the POST request instead so the script runs on current PHP.
$name     = $_POST['name'] ?? '';
$email    = $_POST['email'] ?? '';
$comments = $_POST['comments'] ?? '';

$today = date("M d, Y");
$recipient = "ask@zarzora.com";
$subject = "Comments From Zarzora";
$forminfo =
"Name: $name\n
E-mail: $email\n
Comments: $comments\n
Form Submitted: $today\n\n";

// The submitted address is placed straight into the mail headers without any
// validation; this is the flaw the host is describing.
$formsend = mail($recipient, $subject, $forminfo, "From: $email\r\nReply-to: $email");
?>
[/code]

So what caused that problem, or is he just saying so?
Advice needed, please.

Where is that $email variable coming from on the line:

[code]
E-mail: $email\n
[/code]

If it isn't being validated, it would be possible for a spammer to inject other email headers, hence sending to other recipients, by adding newlines (\r\n) on your comments form then adding whatever they like. 

You need to check that some form of email validation is being carried out on that variable, as well as perhaps stripping HTML tags from the comment itself, which will prevent any kind of scripting attack.

It might be time to look for a new, more secure, script. :)

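A hardened handler for the same form, added here as an example (it is not the original poster's script or a forum member's code); it assumes the form fields are named name, email and comments, and uses a placeholder sender mailbox for the fixed From: header.

```php
<?php
// Added example: validate every value before it reaches a mail header.
const FORM_RECIPIENT = "ask@zarzora.com";          // recipient from the original script
const FORM_SENDER    = "webform@example.invalid";  // placeholder: a real local mailbox
// Mail headers are separated by CR/LF, so a CR or LF inside a value that lands in
// a header lets the submitter append headers of their own (To:, Bcc:, ...).
function containsHeaderBreak(string $value): bool {
    return preg_match('/[\r\n]/', $value) === 1;
}
// Validate a submission. Returns [bool ok, array errors, array cleaned fields].
function validateContactForm(array $post): array {
    $errors   = [];
    $name     = trim($post['name'] ?? '');
    $email    = trim($post['email'] ?? '');
    $comments = trim($post['comments'] ?? '');
    if ($name === '' || strlen($name) > 100) {
        $errors[] = 'name: required, at most 100 characters';
    }
    // FILTER_VALIDATE_EMAIL rejects whitespace and control characters, so an
    // address that passes cannot carry a second header line.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email: not a valid address';
    }
    foreach (['name' => $name, 'email' => $email] as $field => $value) {
        if (containsHeaderBreak($value)) {
            $errors[] = "$field: line breaks are not allowed";
        }
    }
    if ($comments === '') {
        $errors[] = 'comments: required';
    }
    // The body is free text; drop markup as the reply above suggests.
    $comments = strip_tags($comments);
    return [$errors === [], $errors, compact('name', 'email', 'comments')];
}
// Send with a fixed From:; the submitter's validated address goes only in Reply-To.
function sendContactMail(array $f): bool {
    $body = "Name: {$f['name']}\nE-mail: {$f['email']}\nComments: {$f['comments']}\n"
          . "Form Submitted: " . date("M d, Y") . "\n";
    $headers = "From: " . FORM_SENDER . "\r\nReply-To: {$f['email']}";
    return mail(FORM_RECIPIENT, "Comments From Zarzora", $body, $headers);
}
// Constructed submission of the kind the host described: CRLF plus an extra header
// in the email field. validateContactForm() rejects it, so mail() is never reached.
[$ok, $errors, $fields] = validateContactForm([
    'name' => 'x', 'email' => "a@b.tld\r\nBcc: someone@example.com", 'comments' => 'hi',
]);
if ($ok) { sendContactMail($fields); } else { echo implode("\n", $errors), "\n"; }
```

For the constructed input the validator reports both the invalid address and the line break, which is the check the original script was missing.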
