
Archived

This topic is now archived and is closed to further replies.

doogstar1

Spammers inserting their forms into my site.


I got the message below from my ISP. Can someone tell me the best way to stop URLs from being inserted into my site? Your help would be appreciated. I am a newbie to PHP, so you may need to spell it out for me.

[i]Your website has been temporarily taken offline as it is being abused by spammers and used to send large amounts of spam to other users on the Internet.

We have provided our analysis below to hopefully help your web developer(s) understand the problem and hopefully help fix your website.

Basically, it seems that index.php and possibly other files allow inclusion of code from another site. The piece of PHP code in question from index.php has been provided below:
...[/i]

[code]
<?php
// As posted (vulnerable): the raw ?content= value is concatenated straight into
// the include path, so the client decides which file, local or remote, gets loaded.
if (isset($_GET["content"])) {
    $page = $_GET["content"];
    include_once("$page.htm");
} else {
    include_once("main.htm");
}
?>
[/code]


[i]Spammers are abusing this to include HTML e-mail forms hosted on a free webspace provider and using it to send mail messages to other users on the Internet. We have renamed index.php to index-old.php and provided an example of one form below:

http://www.imark.com.au/index-old.p...ter/mailer.jpg


We have also confirmed this by creating a small HTML file on one of our web servers and used your website to display it. This is shown in the link provided below:

http://www.imark.com.au/index-old.p.../hawl/test.php


Our suggestion would be to make modifications to this code so that it validates "content" making sure that it does not contain "http://....".[/i]

I would suggest that you use a switch statement as basic page inclusion instead of including directly based on whatever the address line says.

By placing this snippet at the top (before anything else) of all your pages, you should, however, be better secured against several attempt methods. You might want to adjust it to your own needs and check for conflicts with valid GET parameters you might use:
[code]
<?php
// check for url injection: look only at the query-string part of the request URI
$current_url = $_SERVER['REQUEST_URI'];
$current_pieces = explode("?", $current_url, 2);
// the second element only exists when the URL actually carries a query string
$current_detail_url = isset($current_pieces[1]) ? $current_pieces[1] : '';
// case-insensitive blocklist of substrings that must not appear in the query string
$not_allowed_string = '/script|http|<|>|%3c|%3e|SELECT|UNION|UPDATE|AND|exe|exec|INSERT|tmp/i';

if (preg_match($not_allowed_string, $current_detail_url))
{
    // kill the request before any page code runs
    print "Illegal input !";
    die();
}

// continue page processing here
[/code]
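Putting the reply's switch suggestion into a complete index.php, as an added example that is not code from either poster: the `?content=` value is matched against a fixed list of page names, anything else falls back to main.htm, and a realpath check confirms the chosen file lives inside the site's own pages directory before it is included. The page names, the `pages/` directory and the helper names `resolve_page`, `inside_pages_dir` and `blocklist_rejects` are assumptions made for this example. The last function reuses the regex from the snippet above to show why an allowlist answers the ISP's concern better than a blocklist does.

```php
<?php
// Added example (not from the thread): switch-based allowlist for the
// ?content= page selector, replacing the include_once("$page.htm") from the
// original post. Directory and page names are assumptions for the example.

declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';   // assumed location of the .htm fragments

/**
 * Map the raw ?content= value to a file we are willing to include.
 * Only the literal names listed in the switch can ever become a file name;
 * anything else (unknown, empty, missing, wrong type) yields main.htm.
 */
function resolve_page(?string $content): string
{
    switch ($content) {
        case 'about':
        case 'contact':
        case 'products':
            $file = $content . '.htm';
            break;
        default:
            $file = 'main.htm';
    }
    return PAGES_DIR . '/' . $file;
}

/**
 * Defence in depth: the chosen file must exist and resolve to a path under
 * PAGES_DIR. realpath() returns false for missing files and collapses any
 * ".." segments, so the prefix comparison is reliable.
 */
function inside_pages_dir(string $path): bool
{
    $real = realpath($path);
    $base = realpath(PAGES_DIR);
    return $real !== false && $base !== false
        && strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
}

/**
 * The reply's blocklist regex, wrapped so it can be tried against sample
 * query strings. It matches substrings case-insensitively, which is why it
 * also rejects ordinary page names that happen to contain "and" or "exe".
 */
function blocklist_rejects(string $query_string): bool
{
    $pattern = '/script|http|<|>|%3c|%3e|SELECT|UNION|UPDATE|AND|exe|exec|INSERT|tmp/i';
    return preg_match($pattern, $query_string) === 1;
}

// Request handling: accept only a plain string; arrays (content[]=x) become null.
$raw     = $_GET['content'] ?? null;
$content = is_string($raw) ? $raw : null;

$page = resolve_page($content);
if (!inside_pages_dir($page)) {
    http_response_code(404);
    exit('Page not found');
}
include_once $page;
```

Because the switch only ever builds a file name from its own literal cases, the request can no longer name a file, local or remote, that the author did not intend, so the ISP's suggested check for "http://" becomes unnecessary; the remote half of the problem is also closed at the interpreter level by leaving allow_url_include=Off, its default. The blocklist function, by contrast, rejects legitimate requests such as content=brand (the AND alternative matches inside the word) and content=exercise (exe), which is exactly the kind of conflict with valid GET values the reply warns about.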

