contact form hack

Out of context: Reply #2

  • justjeff0

    Doing it in flash doesn't protect you, and a lot of the premade scripts are vulnerable, too.

    The issue is that mail forms in PHP (and most other languages) just open a pipe to sendmail, the UNIX mail sending program. That program (and most well-behaving mail programs) interpret linefeeds as additional statements - as the SMTP protocol dictates. The 'hack' involves adding newline characters (\r\n) to fields being used in the header (To, From, Email address, Subject, etc), and then injecting a Bcc: header and their own email subject - in this way, they can send thousands of emails per hour using your server and bandwidth.

    The fix is to clean all of the variables you use in the header - $_POST['fromEmail'] should be cleaned as $fromEmail = str_replace("\n", "", $_POST['fromEmail']) - just stripping out the "\n" is typically sufficient to secure 99% of all PHP forms (unless you've done something REALLY silly).

    If you're really stuck, email your host. It's in their best interest to have you fix your script, and they should be more than happy to help you with 3-4 lines of PHP to prevent spam coming from their network.
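As an added example (not code from the thread or its author), here is the "clean the header variables" advice carried through in PHP, stripping both "\r" and "\n" rather than "\n" alone and rejecting a submission outright instead of silently repairing it; the field names, addresses and the mail() call are assumptions for illustration.

```php
<?php
// Added example: reject CR/LF header injection in a PHP contact form.
// A line break in any header field means the value must not reach mail().

/** Return a trimmed single-line header value, or null if it contains CR or LF. */
function header_field_or_null(string $value): ?string {
    if (preg_match('/[\r\n]/', $value)) {
        return null;                       // injection attempt or corrupt input
    }
    return trim($value);
}

/** Validate a sender address: single line AND syntactically an email address. */
function valid_email_or_null(string $value): ?string {
    $clean = header_field_or_null($value);
    if ($clean === null) {
        return null;
    }
    return filter_var($clean, FILTER_VALIDATE_EMAIL) !== false ? $clean : null;
}

/** Build the extra headers for mail() from a form submission, or null to reject it. */
function build_headers_or_null(array $post): ?string {
    $from    = valid_email_or_null($post['fromEmail'] ?? '');
    $subject = header_field_or_null($post['subject'] ?? '');
    if ($from === null || $subject === null || $subject === '') {
        return null;
    }
    return "From: $from\r\nReply-To: $from\r\nX-Form-Subject: $subject\r\n";
}

// Constructed sample submissions (not real data) showing what gets through.
$samples = [
    ['fromEmail' => 'alice@example.com', 'subject' => 'Question about pricing'],
    ['fromEmail' => "alice@example.com\r\nBcc: someone@example.net", 'subject' => 'x'],
    ['fromEmail' => 'alice@example.com', 'subject' => "Hello\nBcc: someone@example.net"],
    ['fromEmail' => 'not an address', 'subject' => 'Hello'],
];

foreach ($samples as $s) {
    $headers = build_headers_or_null($s);
    echo json_encode($s), ' => ', $headers === null ? "REJECTED\n" : "ok\n";
}

// In the real handler, only a non-null result reaches mail(); the others return a 400.
// $headers = build_headers_or_null($_POST);
// if ($headers === null) { http_response_code(400); exit('Invalid form input.'); }
// mail('you@example.com', $_POST['subject'], $_POST['message'] ?? '', $headers);
```

Only the first sample is accepted; the two with embedded line breaks and the one with a malformed address never reach the mail pipe.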
