Please review for security

**monaghan** · 28-08-2005, 11:59

Hi,

I have a simple form that posts to this PHP script.

PHP Code:

  <?

 
$to = "my.specified.email@my.domain.ext";

$subject = "Web Enquiry from $customer_name";

$message = "Customer: $customer_name \r\nEmail: $customer_email\r\n Originating

Website: $originator\r\n $enquiry";

mail($to,$subject,$message);

header("Location: " . $ret_url);

 
?>

I have recently had a few emails with a CC: that suggest they appear from my server. Is there any obvious way to hack into this script or obvious error ?

**TDHCentral** · 03-09-2005, 09:42

If this is a contact form i have had same problem with someone trying to hack mine. I got this from my biz partner and who is a host:

Try this:

//form spammer $email
$mystring=$firstname;
$mystring.=$lastname;
$mystring.=$email;
$mystring.=$comments;
$findme = 'MIME-Version: 1.0';
$pos = strpos($mystring, $findme);
if ($pos == true) exit;

You may have to adjust the variables to your form. They usually try each field and are trying to insert header information in the email that would allow them to send spam via your contact form.

This form has the variables firstname, lastname, email address, and comments that can be filled in. I used the $firstname=$_POST['firstname'] to get the post.

I then wanted to put everything in 1 variable from all the posted variables and used '.=' after firstname to add to the variable.

It seems that MIME-Version: 1.0 was in all the attempts and isn't somehthing someone would normally post in a contact message so the last 2 lines search for that in the posted variables and if it finds it, simply exits without doing anything else. You can replace the MIME- with something else if you want, but, be sure to copy and replace it exactly from the email you've been receiving and make sure that it is going to be in all the batches of emails you recieve, not just one batch IE the boundary for a message would be different for each batch so that would be a bad string to use.
******

He's just been using this for 2 days or so..so the jury is still out. However, he's great host and good programmer. At least it's something you could try as I will.

I'll let ya know how it goes.

**monaghan** · 03-09-2005, 20:32

Bl***y spammers

I've put some filtering into the php to bail out if it finds bits related to an email header, not difficult to do, just a pain.

28-08-2005, 11:59	#1 (permalink)
monaghan Super Moderator Join Date: Mar 2005 Location: Herts, UK Posts: 1,030 iTrader: 1 / 100%	Please review for security Hi, I have a simple form that posts to this PHP script. PHP Code: `<? $to = "my.specified.email@my.domain.ext"; $subject = "Web Enquiry from $customer_name"; $message = "Customer: $customer_name \r\nEmail: $customer_email\r\n Originating Website: $originator\r\n $enquiry"; mail($to,$subject,$message); header("Location: " . $ret_url); ?>` I have recently had a few emails with a CC: that suggest they appear from my server. Is there any obvious way to hack into this script or obvious error ? __________________ Alex Monaghan - Monaghan Consultants Ltd Web hosting, ADSL, IT & Database consultancy Custom Web hosting on UK or USA servers using Linux (cPanel) or Windows (DotNetPanel) Mobile Phone Ringtones, Logos, Java Games & more

03-09-2005, 09:42	#2 (permalink)
TDHCentral WMT Sponsor Join Date: Jan 2005 Location: Mobile, AL Posts: 38 iTrader: 0 / 0%	If this is a contact form i have had same problem with someone trying to hack mine. I got this from my biz partner and who is a host: Try this: //form spammer $email $mystring=$firstname; $mystring.=$lastname; $mystring.=$email; $mystring.=$comments; $findme = 'MIME-Version: 1.0'; $pos = strpos($mystring, $findme); if ($pos == true) exit; You may have to adjust the variables to your form. They usually try each field and are trying to insert header information in the email that would allow them to send spam via your contact form. This form has the variables firstname, lastname, email address, and comments that can be filled in. I used the $firstname=$_POST['firstname'] to get the post. I then wanted to put everything in 1 variable from all the posted variables and used '.=' after firstname to add to the variable. It seems that MIME-Version: 1.0 was in all the attempts and isn't somehthing someone would normally post in a contact message so the last 2 lines search for that in the posted variables and if it finds it, simply exits without doing anything else. You can replace the MIME- with something else if you want, but, be sure to copy and replace it exactly from the email you've been receiving and make sure that it is going to be in all the batches of emails you recieve, not just one batch IE the boundary for a message would be different for each batch so that would be a bad string to use. ****** He's just been using this for 2 days or so..so the jury is still out. However, he's great host and good programmer. At least it's something you could try as I will. I'll let ya know how it goes. __________________ Jennifer Herold http://tdhcentral.com http://vinterchange.com http://clickinpeople.com http://hillbillihits.com http://hauntedclicks.com http://rx2superbanner.com http://tdhbanners.com

03-09-2005, 20:32	#3 (permalink)
monaghan Super Moderator Join Date: Mar 2005 Location: Herts, UK Posts: 1,030 iTrader: 1 / 100%	Bl***y spammers I've put some filtering into the php to bail out if it finds bits related to an email header, not difficult to do, just a pain. __________________ Alex Monaghan - Monaghan Consultants Ltd Web hosting, ADSL, IT & Database consultancy Custom Web hosting on UK or USA servers using Linux (cPanel) or Windows (DotNetPanel) Mobile Phone Ringtones, Logos, Java Games & more

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
security precautions when building an application?	benf	Php and MySQL	1	07-03-2007 20:43
Novice user security	FrozenDice	Website Reviews	8	14-07-2005 11:14

Please review for security

Please review for security

Similar Threads