Jump to content

Spammers inserting their forms into my site.

doogstar1

By doogstar1
in PHP Coding Help

 Share

Recommended Posts

doogstar1 Newbie

doogstar1

Posted
Posted
I got the below message from my ISP, can someone tell me the best way to stop URLS from being inserted into my site. Your help would be appreciated. I am a newbie to PHP, so you may need to spell it out for me.

[i]Your website has been temporarily taken offline as it is being abused by spammers and used to send large amounts of spam to other users on the Internet.

We have provided our analysis below to hopefully help your web developer(s) understand the problem and hopefully help fix your website.

Basically, it seems that index.php and possibly other files allows inclusion of code from another site. The piece of PHP code in question from index.php has been provided below:
...[/i]

<?php
if(isset($_GET["content"])) {
$page = $_GET["content"];
include_once("$page.htm");
}
else {
include_once("main.htm");
}
?>


[i]Spammers are abusing this to include HTML e-mail forms hosted on a free webspace provider and using it to send mail messages to other users on the Internet. We have renamed index.php to index-old.php and provided an example of one form below:

[a href=\"http://www.imark.com.au/index-old.p...ter/mailer.jpg\" target=\"_blank\"]http://www.imark.com.au/index-old.p...ter/mailer.jpg[/a]?


We have also confirmed this by creating a small HTML file on one of our web servers and used your website to display it. This is shown in the link provided below:

[a href=\"http://www.imark.com.au/index-old.p.../hawl/test.php\" target=\"_blank\"]http://www.imark.com.au/index-old.p.../hawl/test.php[/a]?


Our suggestion would be to make modifications to this code so that it validates "content" making sure that it does not contain "http://....".[/i]
Link to comment
Share on other sites
alpine Member

alpine

Posted
Posted
I would suggest that you use a switch statement as basic page inclution instead of including directly based on whatever the adress line says.

By placing this snippet on top (before anything else) of all your pages you should however be better secured on several attempt methods. You might want to adjust it to your own needs, and check for conflicts with valid GET you might use:
[code]
// check for url injection
$current_url = $_SERVER['REQUEST_URI'];
$current_pieces = explode("?", $current_url);
$current_detail_url = $current_pieces[1];
$not_allowed_string = '/script|http|<|>|%3c|%3e|SELECT|UNION|UPDATE|AND|exe|exec|INSERT|tmp/i';

if (preg_match($not_allowed_string, $current_detail_url))
{
// kill
print "Illegal input !";
die();
}

// continue page prossessing here
[/code]
Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.