ShorStew Posted March 2, 2007

I was told by my web host (midphase, php version 5.1.6) that they had blocked access to one of my php scripts because "a spammer had used it to send thousands of emails." I don't believe this is possible, but I am fairly new at this, and since this forum has been so helpful in my learning, I thought that I'd ask. This script handles a single search string that will check for matches (in a MySQL database) in three fields (first name, last name, and email). This very script will then display all resulting matches. I can't believe that it is being used maliciously because:

1. It is in a password protected directory (using .htaccess)
2. There is no sendmail function in this script

I apologize for posting the whole script, but I am really not sure where the security hole could be. In case it matters, register_globals is set to "on" and magic_quotes_gpc is set to "off".

<?php
# Search for and retrieve participant data
$page_title = 'xxxxxxxxx';
$page_location = 'Search for Participant';
include ('./includes/header.html');

if (empty ($_POST['search_string'])) {
    echo '<p>No Values Entered. Return to <a href="search_registrants.php">search page</a>.';
} else {
    $search_string = trim($_POST['search_string']);
    require_once ('./includes/mysql_connect.php');
    $query = "SELECT fulldata.briusaid as id, last_name, first_name, email, trip_offering, appended.deposit as deposit
              FROM fulldata,appended LEFT JOIN trip ON fulldata.tripid = trip.tripid
              WHERE fulldata.briusaid=appended.briusaid
              AND (first_name LIKE '%$search_string%' OR last_name LIKE '%$search_string%' OR email LIKE '%$search_string%')
              ORDER BY last_name, first_name ASC";
    $result = @mysql_query ($query);
    mysql_close();
    if ($result) {
        # count rows only once we know the query succeeded
        $num = mysql_num_rows($result);
        echo '<p>Total number = ' .$num. ' <p><table> <tr><td> </td> <td><b>First Name</b></td> <td><b>Last Name</b></td> <td><b>Email</b></td> <td><b>Deposit</b></td> <td><b>Trip Offering</b></td></tr>';
        while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
            echo '<tr><td><a href="display_registrant.php?briusaid=' .$row['id']. '"><img src="./images/edit.jpg" border="0"></a></td> <td>' .$row['first_name']. '</td> <td>' .$row['last_name']. '</td> <td><a href="mailto:' .$row['email']. '">' .$row['email']. '</a></td> <td>' .$row['deposit']. '</td> <td>' .$row['trip_offering']. '</td></tr>';
        }
        echo '</table>';
    } else {
        echo mysql_error();
    }
}
include ('./includes/footer.html');
?>
pocobueno1388 Posted March 2, 2007

That's insane, I don't see any way that could be used to scam through email. If they could then they could obviously scam with anyone's script, they just chose yours. I'm no expert at security issues, but that looks like a harmless script to me.
jcbarr Posted March 2, 2007

The only thing that I could think is that they were using some sort of SQL injection method to retrieve all the email addresses in your database and then executing their own script to send spam. This information comes from a user submitted form, correct? I'm not sure how they would have accessed the form if it is in a password protected directory, but as we all know nothing is impossible really, and it could have possibly even been a member of the site, you never know. I would read up on SQL injection and take any needed steps to protect yourself from that first.
ShorStew Posted March 2, 2007 Author

Thanks for the help... The search string does come from a user submitted form (although there are a finite number of users (4) with access to the directory, none of whom have the programming knowledge to successfully execute a SQL insertion). That said, I could be a little more careful by validating the input against such attacks.
genericnumber1 Posted March 2, 2007

Security: Never.. EVER trust a user, even if it's you.
kenrbnsn Posted March 2, 2007

I would ask your hosting company to provide proof. How did they determine it was this particular script?

Ken
jcbarr Posted March 2, 2007

I didn't even think about that, but that would be very hard to prove, or even figure out in my mind.
btherl Posted March 2, 2007

I think they are having you on. Maybe they saw a lot of accesses to your script and a lot of emails, and put 2+2 together to make 5. Like the others said, mysql injection is the only vulnerability there. But given that it's password protected, even that is unlikely. register_globals is not great either, but you initialize all your variables before use, so that should be no problem. What about your includes? Are they plain html or are they php also?
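Since jcbarr and btherl both point at SQL injection in the LIKE query as the one real hole, here is an added example (not ShorStew's script, not from this forum) of the same search hardened for the PHP 5.1.6 the host runs: the tables, columns and mysql_connect.php include are taken from the posted script; the length limit and the h() helper are assumptions for illustration.

```php
<?php
// Added example: hardening the registrant search against SQL injection.
// Assumes the tables/columns of the original post and that
// ./includes/mysql_connect.php opens the MySQL link, as in the original.
require_once ('./includes/mysql_connect.php');

// Build the LIKE pattern safely. mysql_real_escape_string() (present on
// PHP 5.1.6) escapes quotes and backslashes so the input can never close the
// string literal; the extra str_replace() escapes LIKE's own wildcards so a
// search for "%" or "_" matches those characters literally instead of
// matching every row.
function like_pattern($user_input)
{
    $s = trim($user_input);
    $s = mysql_real_escape_string($s);
    $s = str_replace(array('%', '_'), array('\%', '\_'), $s);
    return '%' . $s . '%';
}

function search_registrants($search_string)
{
    // Reject empty or absurdly long input before it reaches the database
    // (100 characters is an assumed limit; pick what fits the data).
    if (!is_string($search_string) || $search_string === '' || strlen($search_string) > 100) {
        return false;
    }
    $pattern = like_pattern($search_string);
    $query = "SELECT fulldata.briusaid AS id, last_name, first_name, email,
                     trip_offering, appended.deposit AS deposit
              FROM fulldata, appended
              LEFT JOIN trip ON fulldata.tripid = trip.tripid
              WHERE fulldata.briusaid = appended.briusaid
                AND (first_name LIKE '$pattern'
                  OR last_name  LIKE '$pattern'
                  OR email      LIKE '$pattern')
              ORDER BY last_name, first_name ASC";
    return mysql_query($query);   // no @: let errors surface in the logs
}

// Output side: escape every database value before echoing it into HTML, so a
// registrant's stored name or address cannot inject markup into the admin page.
function h($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$result = search_registrants(isset($_POST['search_string']) ? $_POST['search_string'] : '');
if ($result) {
    while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
        echo '<tr><td>' . h($row['first_name']) . '</td><td>' . h($row['last_name']) . '</td>'
           . '<td>' . h($row['email']) . '</td></tr>';
    }
}
?>
```

With magic_quotes_gpc off, as on this host, the escaping must happen exactly once, here; if it were on, the input would have to be stripslashes()'d first or it would be escaped twice.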
redarrow Posted March 2, 2007

This is your problem: the people getting the email to activate their account can see their id in the url post back, so therefore they're taking a guess at other users' ids to send them email or activate their account for them. Encrypt the id of the user, then decrypt on come back, ok.

echo '<tr><td><a href="display_registrant.php?briusaid=' .$row['id']. '"><img src="./images/edit.jpg" border="0"></a>
ShorStew Posted March 2, 2007 Author

Thanks again for everybody's input... I practically learned PHP from reading the tutorials and forums here! I requested "proof" from the host and they provided proof which implicated a different script (a simple mailform) that I had written when I was even more of a newbie than I am now. Needless to say, it was vulnerable to header insertions (something I should have known to safeguard against through what I have read here). I will, however, use some of the tips here to make this script safer, even with the small number of users (I've proven to be my most unsafe user at times!).
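The mailform that actually got abused is not posted, so this is an added example (not ShorStew's code) of what a header-injection-safe handler for such a form looks like on PHP 5.1.6; the field names email, subject and message and the fixed recipient address are assumptions for illustration.

```php
<?php
// Added example: a contact-form handler that refuses mail header injection.
// Field names and the recipient are assumed; nothing here is ShorStew's script.
define('RECIPIENT', 'admin@example.com');   // fixed; never taken from the form

// Header injection works by getting a CR or LF into a value that the script
// places in a mail header (From:, Reply-To:, Subject:); whatever follows the
// line break becomes an extra header such as a Bcc: list. So no user value
// that goes anywhere near a header may contain either character.
function is_header_safe($value)
{
    return is_string($value) && !preg_match('/[\r\n]/', $value);
}

function is_valid_email($address)
{
    // Conservative syntax check (filter_var() only arrived in PHP 5.2):
    // one @, no whitespace or control characters, a dot in the domain.
    return is_header_safe($address)
        && strlen($address) <= 254
        && preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/', $address);
}

// Returns the pieces for mail(), or false when any input is unsafe.
function build_mail($post)
{
    $reply   = isset($post['email'])   ? trim($post['email'])   : '';
    $subject = isset($post['subject']) ? trim($post['subject']) : '';
    $message = isset($post['message']) ? $post['message']       : '';

    if (!is_valid_email($reply) || !is_header_safe($subject) || $subject === '') {
        return false;
    }
    // From: stays our own address; the visitor's address goes in Reply-To only.
    // The body may legitimately contain newlines, and it never reaches headers.
    $headers = 'From: ' . RECIPIENT . "\r\n" . 'Reply-To: ' . $reply . "\r\n";
    return array('to' => RECIPIENT, 'subject' => $subject,
                 'body' => $message, 'headers' => $headers);
}

$mail = build_mail($_POST);
if ($mail === false) {
    echo '<p>Invalid form input; message not sent.</p>';
} else {
    mail($mail['to'], $mail['subject'], $mail['body'], $mail['headers']);
    echo '<p>Thank you, your message was sent.</p>';
}
?>
```

Counting rejected submissions in the web server log is also a cheap way to notice the kind of probing the host blamed on the search script.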