
Spammers inserting their forms into my site.


2 replies to this topic

#1 doogstar1

doogstar1
  • New Members
  • Pip
  • Newbie
  • 2 posts

Posted 19 April 2006 - 05:43 AM

I got the below message from my ISP, can someone tell me the best way to stop URLs from being inserted into my site. Your help would be appreciated. I am a newbie to PHP, so you may need to spell it out for me.

Your website has been temporarily taken offline as it is being abused by spammers and used to send large amounts of spam to other users on the Internet.

We have provided our analysis below to hopefully help your web developer(s) understand the problem and hopefully help fix your website.

Basically, it seems that index.php and possibly other files allow inclusion of code from another site. The piece of PHP code in question from index.php has been provided below:
...


<?php
// Version quoted by the ISP: the "content" parameter is used unchecked
// as part of the include path, so a remote URL can end up being included.
if (isset($_GET["content"])) {
    $page = $_GET["content"];
    include_once("$page.htm");
}
else {
    include_once("main.htm");
}
?>


Spammers are abusing this to include HTML e-mail forms hosted on a free webspace provider and using it to send mail messages to other users on the Internet. We have renamed index.php to index-old.php and provided an example of one form below:

http://www.imark.com.au/index-old.p...ter/mailer.jpg


We have also confirmed this by creating a small HTML file on one of our web servers and using your website to display it. This is shown in the link provided below:

http://www.imark.com.au/index-old.p.../hawl/test.php


Our suggestion would be to make modifications to this code so that it validates "content" making sure that it does not contain "http://....".


#2 alpine

alpine
  • Members
  • PipPipPip
  • Advanced Member
  • 756 posts
  • LocationNorway

Posted 19 April 2006 - 06:44 AM

I would suggest that you use a switch statement as basic page inclusion instead of including directly based on whatever the address line says.

By placing this snippet on top (before anything else) of all your pages you should however be better secured against several attempt methods. You might want to adjust it to your own needs, and check for conflicts with valid GET you might use:
// check for url injection
$current_url = $_SERVER['REQUEST_URI'];
$current_pieces = explode("?", $current_url);
// everything after the first "?" (empty string when there is no query string,
// which avoids an undefined-index notice)
$current_detail_url = isset($current_pieces[1]) ? $current_pieces[1] : '';
// case-insensitive blacklist of substrings; the pattern is broad (it also matches
// words such as "hand" or "execute"), so check it against the GET values your own pages use
$not_allowed_string = '/script|http|<|>|%3c|%3e|SELECT|UNION|UPDATE|AND|exe|exec|INSERT|tmp/i';

if (preg_match($not_allowed_string, $current_detail_url))
{
    // kill
    print "Illegal input !";
    die();
}

// continue page processing here

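An allow-list version of the include from the first post, following alpine's advice to decide the page in code rather than from whatever the address line says. This is an added example, not code from the thread; an associative array does the same job as a switch, and the page names other than main.htm are hypothetical.

```php
<?php
// Allow-list page inclusion (added example). The request value is only ever
// used as a lookup key; the file name that reaches include_once comes from
// this array, so "http://..." or "../" values can never be included.
$pages = [
    'main'    => 'main.htm',
    'about'   => 'about.htm',    // hypothetical page
    'contact' => 'contact.htm',  // hypothetical page
];

function resolve_page(array $pages, ?string $requested): string
{
    // No parameter: default page, matching the else-branch of the original.
    if ($requested === null || $requested === '') {
        return $pages['main'];
    }
    // Exact key match only; anything else is treated as unknown.
    if (array_key_exists($requested, $pages)) {
        return $pages[$requested];
    }
    // Unknown page: answer 404 instead of building a path from the value.
    http_response_code(404);
    return '404.htm';  // hypothetical error page
}

$page = resolve_page($pages, $_GET['content'] ?? null);
// Anchor the include to this script's directory as well.
include_once __DIR__ . '/' . $page;
?>
```

As defence in depth, setting allow_url_fopen (and, on newer PHP, allow_url_include) to Off in php.ini stops include from fetching remote URLs at all, independent of the code above.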

#3 doogstar1

doogstar1
  • New Members
  • Pip
  • Newbie
  • 2 posts

Posted 20 April 2006 - 01:20 AM

Thanks, that worked a treat, you are a champion!!
