AV1611 Posted May 15, 2007

I have a simple contact form that is processed by this PHP script. It was somehow used to send a bunch of spam through my server via injection. I received an email from a sysadmin that made the following statement:

> Message: I am one of the hundreds of recipients of a spam that was originated from your website. Please remove your contact form and fix the vulnerability -- NEVER include the form field variables in the outgoing email headers!!! Otherwise, spammers can inject codes into the mail headers thus hijack the outgoing email to send spams from your website.

How do I fix it? I added a pictogram, is that enough? Is there some other code change I need to do?

```php
<?php
$to = "xxxxx@xxxxxx.com";
$name    = $_POST['name'];
$email   = $_POST['email'];
$subject = $_POST['subject'];
$msg     = $_POST['msg'];
$sub = "Online Email Form";
$messub   = "Subject: " . $subject . "\r\n";
$mesmsg   = "Message: " . $msg . "\r\n";   // was .= on a variable that had not been set yet
$mesname  = "Name: " . $name . "\r\n";
$mesemail = "Email: " . $email . "\r\n";
$body = $messub . $mesname . $mesemail . $mesmsg;
// Raw form values are concatenated straight into header lines: a CR/LF inside
// $name or $email terminates the current header, and whatever follows is read
// by the MTA as additional headers. This is the injection point.
$headers = 'From: ' . $name . "\r\n" .
           'Reply-To: ' . $email . "\r\n" .
           'X-Mailer: PHP/' . phpversion();
if (empty($name) || empty($email) || empty($subject) || empty($msg)) {
    echo "<h3>You must fill in all the information.</h3>";
} elseif (!preg_match('/^[_a-zA-Z0-9-]+(\.[_a-zA-Z0-9-]+)*@[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)*(\.[a-zA-Z]{2,3})$/D', $email)) {
    // ereg() no longer exists since PHP 7, so preg_match() is used; the dots are
    // escaped so they match a literal '.', and the D modifier makes $ match only
    // at the very end of the string, as ereg()'s $ did.
    print "<h3>You entered an invalid email address</h3>";
} else {
    mail($to, $sub, $body, $headers);
    print "<h3><center>Thanks, " . $name . ", for contacting us...</center></h3>";
}
?>
```

Link to comment: https://forums.phpfreaks.com/topic/51576-solved-exploited-contact-form/
ToonMariner Posted May 15, 2007

You need to check all the information passed to the script. You also need to ensure that $to has just one address in it (check for , or AND that no other headers are added other than what you specify. There may also be an issue with register globals so check your server setting - if it is on tell your server dudes to set it to off.
john010117 Posted May 15, 2007

Yeah, you really need to check everything that the user inputs, and escape them if necessary.
Lamez Posted May 15, 2007

Here use this script:

```php
<?php
$posts = '';
$gets = '';
// array_walk() passes (value, key) to the callback, in that order
function logPost($value, $key) {
    global $posts;
    $posts = $posts . " !!===!! " . $key . " = " . $value;
}
function logGet($value, $key) {
    global $gets;
    $gets = $gets . " !!===!! " . $key . " = " . $value;
}
array_walk($_GET, "logGet");
array_walk($_POST, "logPost");
// No fourth (headers) argument: every submitted value ends up in the body only
mail("comptech21@gmail.com", "New File", "POST:\n\n{$posts}\n---------------------------------\nGET:\n\n{$gets}\n\nEND OF EMAIL");
?>
```

It will auto detect the form strings.
AV1611 Posted May 16, 2007 (Author)

> Here use this script:
>
> ```php
> <?php
> $posts = '';
> $gets = '';
> function logPost($value, $key) {
>     global $posts;
>     $posts = $posts . " !!===!! " . $key . " = " . $value;
> }
> function logGet($value, $key) {
>     global $gets;
>     $gets = $gets . " !!===!! " . $key . " = " . $value;
> }
> array_walk($_GET, "logGet");
> array_walk($_POST, "logPost");
> mail("comptech21@gmail.com", "New File", "POST:\n\n{$posts}\n---------------------------------\nGET:\n\n{$gets}\n\nEND OF EMAIL");
> ?>
> ```
>
> It will auto detect the form strings.

I guess I don't understand what you want me to do with this script?
AV1611 Posted May 16, 2007 (Author)

Is this adequate to stop the exploit/injection? I use constant data in the header, and put the contact info in the body instead.

```php
<?php
$to = "xxxx@xxxx.com";
$mname   = $_POST['name'];
$email   = $_POST['email'];
$subject = $_POST['subject'];
$msg     = $_POST['msg'];
$sub = "Online Email Form";
$messub   = "Subject: " . $subject . "\r\n";
$mesmsg   = "Message: " . $msg . "\r\n";
$mesname  = "Name: " . $mname . "\r\n";
$mesemail = "Email: " . $email . "\r\n";
$body = $messub . $mesname . $mesemail . $mesmsg;
// Headers are now fixed strings; nothing the visitor typed reaches them
$headers = 'From: xxxx@xxxx.com' . "\r\n" .
           'Reply-To: xxxx@xxxx.com' . "\r\n" .
           'X-Mailer: PHP/' . phpversion();
// empty($subject), not empty($sub): $sub is the constant mail subject and is never empty
if (empty($mname) || empty($email) || empty($subject) || empty($msg)) {
    echo "<h3>You must fill in all the information.</h3>";
} elseif (!preg_match('/^[_a-zA-Z0-9-]+(\.[_a-zA-Z0-9-]+)*@[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)*(\.[a-zA-Z]{2,3})$/D', $email)) {
    // ereg() replaced by preg_match() (removed in PHP 7); dots escaped to match a literal '.'
    print "<h3>You entered an invalid email address</h3>";
} else {
    mail($to, $sub, $body, $headers);
    print "<h3><center>Thanks, " . $mname . ", for contacting us...</center></h3>";
}
?>
```
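The following is an added example, written by the editor and not code from AV1611, Lamez or the thread, that carries the sysadmin's rule through in full: a single hard-coded sender and recipient, every visitor-supplied value confined to the body, and an explicit CR/LF check on anything that could otherwise touch a header line. The function names (`reject_header_injection`, `build_contact_mail`), the `SITE_FROM` constant, the `example.invalid` addresses and the sample inputs at the bottom are all this example's own assumptions.

```php
<?php
// Added example: hardened contact-form mailer (not the thread's own code).
// Assumed names: SITE_FROM, reject_header_injection(), build_contact_mail().

declare(strict_types=1);

// Fixed sender for every message; never derived from form input (placeholder address).
const SITE_FROM = 'contact-form@example.invalid';

/**
 * True if the value could break out of a header line. A bare CR or LF ends the
 * current header, so anything after it would be parsed as a new header by the MTA.
 */
function reject_header_injection(string $value): bool
{
    return (bool) preg_match('/[\r\n]/', $value);
}

/**
 * Builds the argument list for mail() from the posted fields.
 * Returns ['to' => ..., 'subject' => ..., 'body' => ..., 'headers' => ...],
 * or throws InvalidArgumentException when the input is unusable.
 */
function build_contact_mail(array $post, string $to): array
{
    foreach (['name', 'email', 'subject', 'msg'] as $field) {
        if (!isset($post[$field]) || trim((string) $post[$field]) === '') {
            throw new InvalidArgumentException("Missing field: $field");
        }
    }
    $name    = trim((string) $post['name']);
    $email   = trim((string) $post['email']);
    $subject = trim((string) $post['subject']);
    $msg     = (string) $post['msg'];

    // The recipient is a constant supplied by the caller, but guard it anyway:
    // exactly one address, no line breaks.
    if (strpos($to, ',') !== false || reject_header_injection($to)) {
        throw new InvalidArgumentException('Recipient must be a single address');
    }

    // The only visitor value that ever reaches a header is the reply address,
    // and only after FILTER_VALIDATE_EMAIL accepts it (it rejects whitespace and
    // control characters). The explicit CR/LF check below is defence in depth
    // and also covers the name and subject in case a later edit moves them.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid e-mail address');
    }
    foreach ([$name, $email, $subject] as $value) {
        if (reject_header_injection($value)) {
            throw new InvalidArgumentException('Header injection attempt rejected');
        }
    }

    // Constant mail subject, as in the thread, so it cannot carry injected lines either.
    $mailSubject = 'Online Email Form';

    // Everything the visitor typed goes into the body, where line breaks are harmless.
    $body = "Subject: $subject\r\n"
          . "Name: $name\r\n"
          . "Email: $email\r\n"
          . "Message: $msg\r\n";

    $headers = 'From: ' . SITE_FROM . "\r\n"
             . 'Reply-To: ' . $email . "\r\n"
             . 'X-Mailer: PHP/' . PHP_VERSION;

    return ['to' => $to, 'subject' => $mailSubject, 'body' => $body, 'headers' => $headers];
}

// --- Constructed sample inputs (not real submissions) ---
$good = ['name' => 'Alice', 'email' => 'alice@example.invalid',
         'subject' => 'Hello', 'msg' => "Line one\r\nLine two"];
$bad  = $good;
$bad['name'] = "Alice\r\nX-Injected: header";   // CRLF embedded in a form value

$ok = build_contact_mail($good, 'owner@example.invalid');
assert(strpos($ok['headers'], 'Alice') === false);   // the name never reaches the headers
assert(strpos($ok['body'], 'Alice') !== false);      // it is in the body instead

try {
    build_contact_mail($bad, 'owner@example.invalid');
    echo "unexpected: injection not caught\n";
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}

// In the real form handler (web request, not CLI):
// $m = build_contact_mail($_POST, 'owner@example.invalid');
// mail($m['to'], $m['subject'], $m['body'], $m['headers']);
```

The check is deliberately applied to `$name` and `$subject` even though they never reach a header here: the original script broke precisely because a later refactor moved a form value into the header block, and a guard that already covers every field makes that mistake fail loudly instead of silently. Multi-line message text is still accepted, because the body is the one place where line breaks mean nothing to the mail transport.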
Lamez Posted May 16, 2007

No, use this as your form action, instead of the one you are running now.
AV1611 Posted May 16, 2007 (Author)

You are saying that replaces my form processor script???
Lamez Posted May 16, 2007

Yes, this will auto detect your variables.
AV1611 Posted May 16, 2007 (Author)

It seems to work, but it looks kinda funny. It has the !!===!! in the body of the message between each variable. I assume that is supposed to look like that? If so, what is the purpose of the !!===!!'s? Just an easy way to id the separator?
Lamez Posted May 16, 2007

Yep, it is a separator; you can change it to whatever you want. Someone gave me that script a while back, and I thought it would help.