Abuse of a PHP contact script

Znojmic
12-17-2006, 07:16 PM
Hi -

I have had a message today from my hosting company to tell me that one of the sites on my hosting account is having its PHP code abused. Apparently someone is manipulating the PHP code from the contact form to allow them to add Bcc addresses.

Any ideas on what I need to do to close this loophole?

Thanks.

ddadmin
12-18-2006, 12:33 AM
A good PHP form contact script will have a referrer check built in to ensure only authorized domains (ie: your own) are allowed to use the script. Furthermore, the target email(s) to send the form to should always be defined inside the PHP script, not in the form that's in the HTML of the page, which spammers can easily manipulate. My advice is just to ditch your current contact script and research one that's more secure.

dog
12-18-2006, 02:21 AM
I don't know much about PHP but I read something about securing against this exact thing the other day.

If you like I'll try to track down the code.

It's basically something along the lines of an if/else statement that checks if the value of the email address has "to:", "cc:" or "bcc:" inside it. If it does you echo that it's an invalid email address, else you go ahead with sending the mail.

I hope this helps.

dog
12-18-2006, 02:25 AM
Found the code:


<?php
function spamcheck($field)
{
    // stripos() does a case-insensitive substring search (eregi() was removed in PHP 7)
    if (stripos($field, "to:") !== false || stripos($field, "cc:") !== false || stripos($field, "bcc:") !== false)
    {
        return TRUE;
    }
    else
    {
        return FALSE;
    }
}

// check if the email address is invalid
$mailcheck = spamcheck($_REQUEST['email'] ?? '');
if ($mailcheck == TRUE)
{
    echo "Invalid input";
}
else
{
    // send email
}


I hope that helps! Let me know if you have any problems.
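Putting ddadmin's two points (recipients fixed in the script, referrer check) together with dog's header-keyword check, here is an added example of a hardened contact handler. It is not code from the thread or from any particular contact script; the recipient address, the allowed host name, the sender address and the form field names (email, name, message) are all assumptions to be replaced with your own. It also generalises dog's check: the decisive test for header injection is a carriage return or line feed in a value that ends up in a mail header, since that is what lets a new Bcc: line be started at all, and the keyword match is kept only as a second layer.

```php
<?php
// Added example (not from the thread): a hardened contact-form handler.
// Recipients, hosts, sender and field names below are placeholders.

// 1. Recipients live here, in the script, never in a hidden form field.
const CONTACT_RECIPIENTS = ['webmaster@example.com'];   // placeholder address
const ALLOWED_REFERRER_HOSTS = ['www.example.com'];      // placeholder host

// 2. Reject any value that could smuggle extra mail headers (Bcc:, Cc:, To:)
// into the message. The reliable signal is a line break, because a new header
// can only be added if the value can start a new line.
function has_header_injection(string $value): bool
{
    if (preg_match('/[\r\n]/', $value) === 1) {
        return true;
    }
    // Second layer: the keyword test from the thread, case-insensitive.
    foreach (['to:', 'cc:', 'bcc:', 'content-type:'] as $keyword) {
        if (stripos($value, $keyword) !== false) {
            return true;
        }
    }
    return false;
}

// 3. Referrer check as ddadmin describes it. The Referer header can be absent
// (privacy settings) or forged, so treat it as a filter for casual abuse,
// not as authentication.
function referrer_allowed(?string $referer): bool
{
    if ($referer === null || $referer === '') {
        return false;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && in_array(strtolower($host), ALLOWED_REFERRER_HOSTS, true);
}

// 4. Validate the submitted fields and return what mail() needs, or null.
function build_contact_message(array $input): ?array
{
    $email   = trim((string)($input['email'] ?? ''));
    $name    = trim((string)($input['name'] ?? ''));
    $message = trim((string)($input['message'] ?? ''));

    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Name and email end up in headers, so both get the injection check.
    if (has_header_injection($email) || has_header_injection($name)) {
        return null;
    }
    if ($message === '' || strlen($message) > 5000) {
        return null;
    }

    // The visitor's address goes in Reply-To only; From stays under our control.
    $headers = "From: contact-form@example.com\r\n"      // placeholder sender
             . "Reply-To: " . $email . "\r\n";

    return [
        'to'      => implode(', ', CONTACT_RECIPIENTS),
        'subject' => 'Contact form submission from ' . $name,
        'body'    => $message,
        'headers' => $headers,
    ];
}

if (PHP_SAPI !== 'cli') {
    // Real request: referrer first, then input validation, then send.
    if (!referrer_allowed($_SERVER['HTTP_REFERER'] ?? null)) {
        http_response_code(403);
        exit('Forbidden');
    }
    $msg = build_contact_message($_POST);
    if ($msg === null) {
        http_response_code(400);
        exit('Invalid input');
    }
    mail($msg['to'], $msg['subject'], $msg['body'], $msg['headers']);
    echo 'Thanks, your message was sent.';
} else {
    // Constructed sample inputs for a command-line dry run (no mail is sent).
    $good = ['email' => 'alice@example.org', 'name' => 'Alice', 'message' => 'Hello'];
    $bad  = ['email' => "alice@example.org\r\nBcc: someone@example.net", 'name' => 'Alice', 'message' => 'Hello'];
    var_dump(build_contact_message($good) !== null);
    var_dump(build_contact_message($bad));
}
```

Run from the command line it only exercises the validation: the first sample is accepted and the second, which carries a line break followed by a Bcc: header in the email field, is rejected before anything reaches mail(). The point of keeping From fixed and putting the visitor's address in Reply-To is that the only header built from user input is one that has already passed both filter_var() and the line-break check.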