Security Problems with Search Form


ShorStew


I was told by my web host (midphase, PHP version 5.1.6) that they had blocked access to one of my PHP scripts because "a spammer had used it to send thousands of emails." I don't believe this is possible, but I am fairly new at this, and since this forum has been so helpful in my learning, I thought that I'd ask.

 

This script handles a single search string that will check for matches (in a MySQL database) in three fields (first name, last name, and email). This same script will then display all resulting matches.

 

I can't believe that it is being used maliciously because:

1. It is in a password protected directory (using .htaccess)

2. There is no sendmail function in this script

 

I apologize for posting the whole script, but I am really not sure where the security hole could be. In case it matters, register_globals is set to "on" and magic_quotes_gpc is set to "off".

 

 

<?php # Search for and retrieve participant data
$page_title = 'xxxxxxxxx';
$page_location = 'Search for Participant';
include ('./includes/header.html');

if (empty($_POST['search_string'])) {
    echo '<p>No Values Entered. Return to <a href="search_registrants.php">search page</a>.';
} else {
    $search_string = trim($_POST['search_string']);
    require_once ('./includes/mysql_connect.php');

    // $search_string goes straight into the SQL text with no escaping, so a
    // quote in the input ends the LIKE pattern early; this is the SQL
    // injection point the replies below refer to.
    // Note: from MySQL 5.0.12 on, the comma join binds less tightly than
    // LEFT JOIN, so fulldata.tripid is out of scope in the ON clause; an
    // explicit "FROM fulldata JOIN appended ON ..." avoids that.
    $query = "SELECT fulldata.briusaid as id, last_name, first_name, email, trip_offering, appended.deposit as deposit
              FROM fulldata,appended
              LEFT JOIN trip ON fulldata.tripid = trip.tripid
              WHERE fulldata.briusaid=appended.briusaid
              AND (first_name LIKE '%$search_string%' OR last_name LIKE '%$search_string%' OR email LIKE '%$search_string%')
              ORDER BY last_name, first_name ASC";
    $result = @mysql_query($query);

    if ($result) {
        // Count rows only once the query is known to have succeeded;
        // mysql_num_rows(false) raises a warning.
        $num = mysql_num_rows($result);

        echo '<p>Total number = ' .$num. '
        <p><table>
        <tr><td> </td>
        <td><b>First Name</b></td>
        <td><b>Last Name</b></td>
        <td><b>Email</b></td>
        <td><b>Deposit</b></td>
        <td><b>Trip Offering</b></td></tr>';

        // Column values are echoed unescaped; htmlspecialchars() is needed
        // if any of them could ever contain < or ".
        while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
            echo '<tr><td><a href="display_registrant.php?briusaid=' .$row['id']. '"><img
            src="./images/edit.jpg" border="0"></a></td>
            <td>' .$row['first_name']. '</td>
            <td>' .$row['last_name']. '</td>
            <td><a href="mailto:' .$row['email']. '">' .$row['email']. '</a></td>
            <td>' .$row['deposit']. '</td>
            <td>' .$row['trip_offering']. '</td></tr>';
        }

        echo '</table>';
    } else {
        // Report the error while the connection is still open.
        echo mysql_error();
    }

    // Close after the result set has been read and any error reported.
    mysql_close();
}

include ('./includes/footer.html');
?>


The only thing that I could think is that they were using some sort of SQL injection method to retrieve all the email addresses in your database and then executing their own script to send spam.

 

This information comes from a user-submitted form, correct?

 

I'm not sure how they would have accessed the form if it is in a password protected directory, but as we all know nothing is impossible really, and it could have possibly even been a member of the site, you never know.

 

I would read up on SQL injection and take any needed steps to protect yourself from that first.

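The script posted above and this reply's advice on SQL injection both come down to the same change: send the search term to MySQL as data rather than as part of the SQL text. The following is an added example, not code from the original post; it keeps the original tables (fulldata, appended, trip), swaps ./includes/mysql_connect.php for a PDO connection (available from PHP 5.1), uses placeholder credentials, and also escapes the values on output with htmlspecialchars().

```php
<?php
// Added example, not code from the original post: the same search with the
// term passed as a bound parameter instead of being pasted into the SQL.
// Assumes the original tables (fulldata, appended, trip) and a PDO
// connection; DSN, user and password below are placeholders.

// Turn the user's term into a LIKE pattern. '!' is declared as the LIKE
// escape character in the query, so a literal %, _ or ! typed by the user
// is matched literally instead of acting as a wildcard.
function like_pattern($term)
{
    $escaped = str_replace(array('!', '%', '_'), array('!!', '!%', '!_'), $term);
    return '%' . $escaped . '%';
}

// Run the search through a prepared statement; returns an array of rows.
function search_participants(PDO $pdo, $search_string)
{
    // Explicit JOIN between fulldata and appended instead of the comma join,
    // so fulldata.tripid is always in scope for the LEFT JOIN's ON clause.
    $sql = "SELECT fulldata.briusaid AS id, last_name, first_name, email,
                   trip_offering, appended.deposit AS deposit
            FROM fulldata
            JOIN appended ON fulldata.briusaid = appended.briusaid
            LEFT JOIN trip ON fulldata.tripid = trip.tripid
            WHERE first_name LIKE ? ESCAPE '!'
               OR last_name  LIKE ? ESCAPE '!'
               OR email      LIKE ? ESCAPE '!'
            ORDER BY last_name, first_name ASC";
    $stmt = $pdo->prepare($sql);
    $pattern = like_pattern($search_string);
    $stmt->execute(array($pattern, $pattern, $pattern));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Escape a database value before echoing it into HTML, so a name or email
// containing < or " is shown as text rather than interpreted as markup.
function h($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$search_string = isset($_POST['search_string']) ? trim($_POST['search_string']) : '';

if ($search_string === '') {
    echo '<p>No Values Entered. Return to <a href="search_registrants.php">search page</a>.</p>';
} else {
    // Placeholder connection details; the real ones live in an include
    // outside the web root.
    $pdo = new PDO('mysql:host=localhost;dbname=DBNAME_PLACEHOLDER',
                   'DBUSER_PLACEHOLDER', 'DBPASS_PLACEHOLDER');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    $rows = search_participants($pdo, $search_string);

    echo '<p>Total number = ' . count($rows) . '</p>';
    echo '<table><tr><td></td><td><b>First Name</b></td><td><b>Last Name</b></td>'
       . '<td><b>Email</b></td><td><b>Deposit</b></td><td><b>Trip Offering</b></td></tr>';
    foreach ($rows as $row) {
        echo '<tr><td><a href="display_registrant.php?briusaid=' . h($row['id']) . '">'
           . '<img src="./images/edit.jpg" border="0"></a></td>'
           . '<td>' . h($row['first_name']) . '</td>'
           . '<td>' . h($row['last_name']) . '</td>'
           . '<td><a href="mailto:' . h($row['email']) . '">' . h($row['email']) . '</a></td>'
           . '<td>' . h($row['deposit']) . '</td>'
           . '<td>' . h($row['trip_offering']) . '</td></tr>';
    }
    echo '</table>';
}
```

With a bound parameter, a search for a name containing an apostrophe (O'Brien, for instance) simply matches that name; in the original string-building version the same apostrophe terminates the quoted pattern and changes the meaning of the query. The ESCAPE clause is a separate, smaller point: without it, a user typing % or _ gets wildcard behaviour, which is harmless but rarely what a name search intends.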

Thanks for the help...

 

The search string does come from a user-submitted form (although there is a finite number of users (4) with access to the directory, none of whom have the programming knowledge to successfully execute a SQL insertion).

 

That said, I could be a little more careful by validating the input against such attacks.


I think they are having you on.  Maybe they saw a lot of accesses to your script and a lot of emails, and put 2+2 together to make 5. 

 

Like the others said, MySQL injection is the only vulnerability there. But given that it's password protected, even that is unlikely.

 

register_globals is not great either, but you initialize all your variables before use, so that should be no problem.

 

What about your includes?  Are they plain html or are they php also?

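The remark above about register_globals is worth seeing in code. The following is an added example, not from the thread, showing the pattern register_globals=On makes dangerous and the initialise-before-use habit this reply credits the original script with; is_logged_in() is a hypothetical stand-in for whatever check the real site uses.

```php
<?php
// Added example, not code from the thread: what register_globals=On changes,
// and why assigning every variable before reading it removes the risk.
// is_logged_in() is hypothetical; it stands in for the site's own check.

function is_logged_in()
{
    return isset($_SESSION['user_id']);   // hypothetical session check
}

session_start();

// Risky pattern at file scope. With register_globals=On, PHP creates
// $authorized from any request parameter of the same name before this code
// runs. If is_logged_in() is false, the variable keeps that outside value
// and the protected branch is still taken.
if (is_logged_in()) {
    $authorized = true;
}
if (!empty($authorized)) {
    echo '<p>protected content (risky version)</p>';
}

// Safe pattern: assign first, read only afterwards. The assignment
// overwrites anything a request parameter may have pre-seeded.
$authorized = false;
if (is_logged_in()) {
    $authorized = true;
}
if ($authorized) {
    echo '<p>protected content (safe version)</p>';
}

// Reading request data only through the superglobals, as the original
// script already does, keeps the source of every value explicit.
$search_string = isset($_POST['search_string']) ? trim($_POST['search_string']) : '';
```

register_globals is a per-directory setting, so it cannot be switched off with ini_set() from inside the script; on a host running PHP as an Apache module it can be turned off for the directory with "php_flag register_globals off" in the same .htaccess that already protects it, which removes the pre-seeding entirely instead of relying on every variable being initialised.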

 

This is your problem: the people getting the email to activate their account can see their id in the URL post back, so they are taking a guess at other users' ids to send them email or activate their account for them.

 

Encrypt the id of the user, then decrypt it on the way back, ok.

 

echo '<tr><td><a href="display_registrant.php?briusaid=' .$row['id']. '"><img
src="./images/edit.jpg" border="0"></a>

Thanks again for everybody's input... I practically learned PHP from reading the tutorials and forums here!

 

I requested "proof" from the host and they provided proof which implicated a different script (a simple mailform) that I had written when I was even more of a newbie than I am now. Needless to say, it was vulnerable to header insertions (something I should have known to safeguard against through what I have read here).

 

I will, however, use some of the tips here to make this script safer, even with the small number of users (I've proven to be my most unsafe user at times!).

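The header insertion the host's proof pointed at is the classic mailform hole: a form field such as the sender's address is copied into a mail header, and a line break inside that field lets the submitter add headers of their own, which is how a contact form becomes a relay. The following is an added example, not the original mailform, of the checks a form needs before calling mail(); SITE_OWNER is a placeholder and the address regex is used because filter_var() is not available on PHP 5.1.

```php
<?php
// Added example, not the original mailform: validate every value that ends up
// in a mail header before calling mail(). SITE_OWNER is a placeholder
// address; the recipient is fixed server-side and never taken from the form.

define('SITE_OWNER', 'owner@example.com');   // placeholder

// A header value may never contain a line break; returns false on failure.
function clean_header_value($value)
{
    $value = trim($value);
    if ($value === '' || preg_match('/[\r\n]/', $value)) {
        return false;
    }
    return $value;
}

// An address must be a single plain mailbox; filter_var() needs PHP 5.2,
// so a conservative regex is used here. Returns false on failure.
function clean_email($value)
{
    $value = clean_header_value($value);
    if ($value === false || !preg_match('/^[^@\s<>,]+@[^@\s<>,]+\.[^@\s<>,]+$/', $value)) {
        return false;
    }
    return $value;
}

// Returns true when the message was handed to the mailer, false when any
// header-bound value failed validation (log and show an error in that case).
function send_contact_mail($from, $subject, $body)
{
    $from    = clean_email($from);
    $subject = clean_header_value($subject);
    if ($from === false || $subject === false) {
        return false;
    }
    // Only validated values are joined into the header block; the body is
    // not a header and may contain line breaks freely.
    $headers = 'From: ' . $from . "\r\n" . 'Reply-To: ' . $from;
    return mail(SITE_OWNER, $subject, $body, $headers);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = send_contact_mail(
        isset($_POST['from']) ? $_POST['from'] : '',
        isset($_POST['subject']) ? $_POST['subject'] : '',
        isset($_POST['body']) ? $_POST['body'] : ''
    );
    echo $ok ? '<p>Message sent.</p>' : '<p>Invalid sender address or subject.</p>';
}
```

The two properties that matter are visible in send_contact_mail(): the recipient list is a constant the visitor cannot influence, and nothing containing CR or LF reaches the $headers string. A second line of defence is rate limiting or logging per client on the form handler, so that a burst of submissions is noticed before a host has to block the script.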
