contact form hack
- 13 Responses
- hiten
so on my website someone hacked my form or something apparently its called "email injecting"
http://securephp.damonkohler.com…
Does anyone know how to make a safer form so this won't happen again? The form I used is pretty simple, and I don't know much PHP, so I have no idea what I can do to fix it.
- gabriel2
Make it in Flash. I had the same thing happen to me; just do some googling on it and you should be able to find some premade PHP stuff to stop it from occurring again.
- justjeff
Doing it in Flash doesn't protect you, and a lot of the premade scripts are vulnerable, too.
The issue is that mail forms in PHP (and most other languages) just open a pipe to sendmail, the UNIX mail-sending program. That program (and most well-behaved mail programs) interprets linefeeds as additional statements, as the SMTP protocol dictates. The 'hack' involves adding newline characters (\r\n) to fields being used in the header (To, From, Email address, Subject, etc.), and then injecting a Bcc: header and their own email subject. In this way they can send thousands of emails per hour using your server and bandwidth.
The fix is to clean all of the variables you use in the header: $_POST['fromEmail'] should be cleaned as $fromEmail = str_replace("\n", "", $_POST['fromEmail']). Just stripping out the "\n" is typically sufficient to secure 99% of all PHP forms (unless you've done something REALLY silly).
If you're really stuck, email your host. It's in their best interest to have you fix your script, and they should be more than happy to help you with 3-4 lines of PHP to prevent spam coming from their network.
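An added example, not code from the thread, showing the injection justjeff describes and one way to harden the form in PHP. The field names ($_POST['fromEmail'], 'subject', 'message'), the recipient address and the attacker payload are all constructed for illustration; the script builds and prints the header block instead of calling mail(), so it runs offline. It goes one step beyond the post by refusing both "\r" and "\n" (a bare "\r" also ends a header line for many mailers) and by requiring a syntactically valid address rather than only stripping characters.

```php
<?php
// Added example: vulnerable vs. hardened header construction for a PHP contact form.
// Field names, recipient and attacker input are assumptions; nothing is actually mailed.

// Vulnerable pattern: form input copied straight into the additional_headers string.
function build_headers_unsafe(array $post): string
{
    return "From: " . $post['fromEmail'] . "\r\n"
         . "Reply-To: " . $post['fromEmail'] . "\r\n";
}

// Hardened: any CR or LF in a header-bound field means the request is rejected,
// not silently cleaned, so an attacker cannot start a new header line (e.g. Bcc:).
function clean_header_value(string $value): ?string
{
    if (preg_match('/[\r\n]/', $value)) {
        return null;               // injection attempt
    }
    return trim($value);
}

// Header fields that hold an address must also parse as a single address.
function clean_email(string $value): ?string
{
    $value = clean_header_value($value);
    if ($value === null || filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $value;
}

function build_headers_safe(array $post): ?string
{
    $from = clean_email($post['fromEmail'] ?? '');
    if ($from === null) {
        return null;
    }
    return "From: $from\r\nReply-To: $from\r\n";
}

// Constructed attacker input: a plausible address, then CRLF and a Bcc: header.
$attack = [
    'fromEmail' => "joe@example.com\r\nBcc: victim1@example.org, victim2@example.org",
    'subject'   => 'hello',
    'message'   => 'buy my stuff',
];

echo "--- unsafe headers (what the spammer gets) ---\n";
echo build_headers_unsafe($attack), "\n";   // From:, then the injected Bcc:, then Reply-To:

echo "--- safe headers ---\n";
var_dump(build_headers_safe($attack));      // NULL: rejected before mail() is reached

// How the real handler would use it (recipient address is an assumption):
// $headers = build_headers_safe($_POST);
// $subject = clean_header_value($_POST['subject'] ?? '') ?? null;
// if ($headers === null || $subject === null) {
//     http_response_code(400);
//     exit('Invalid form input');
// }
// mail('you@example.com', $subject, $_POST['message'], $headers);
```

The message body can keep its newlines: mail() separates headers from body itself, so only the values that end up in the Subject or additional_headers arguments need this check. Never let the form choose the To: address at all; hard-code it in the script.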
- uberdesigner
How can I hack your email form? What do I get out of the deal?
- version3
Use JavaScript.
- justjeff
You get a free, fast mail server that's not on blacklists and can't be traced to your organization.
JavaScript is irrelevant in this discussion.
- hiten
Thanks, I've gone through all the suggestions and I'm stupid and I can't figure out how to fix it.
- blackspade
Shoot NT member determinedmoth an email and ask for some tips:
mike@mauva.co.uk
He will help you out and has experience with exactly this issue.
- ToxicDesign
If we are talking about someone sending/posting through your email form script, I would wrap the mailer code around a Referer or IP check:
if($_SERVER['HTTP_REFERER']=="toxic.php") { *run code } else { *piss off }
How's that?
...
- hiten
I think the thing that's killing me is that I don't know much about PHP, so when people post what to do I get lost. :(
- justjeff
> I would wrap the mailer code around a Referer or IP check:
> if($_SERVER['HTTP_REFERER']=="toxic.php") { *run code } else { *piss off }
> How's that?
> ...
> ToxicDesign (Feb 26 06, 18:52)
No protection at all. HTTP headers can be forged, and are typically forged exactly like this. You can set a session variable when they load the page the first time, and then require that the session variable be set before you send any email, but then you require cookies, and it's entirely possible that determined spammers will figure that one out.
- determinedmoth
I got your email. I can take a look.