Thread: hacking possibly???????

  1. #1
    Join Date
    Oct 2007

    hacking possibly???????

    Hi, I've got a contact form called contact.php and a mailer.php which handles the script to process the info. This then redirects the user to a thankyou.php thanking them for their enquiry. It's all very simple and basic and works!

    When I look at my server logs it seems that contact.php is getting requested by people viewing the site, followed, as you would expect, by mailer.php. But that's where it ends - the thankyou.php is not getting called and I'm not receiving an email from mailer.php. This is increasingly happening - on average about once or twice a day - and when I look up the IP addresses they originate from Vietnam and India etc. I'm UK based and I can't imagine anyone in India or Vietnam wanting to discuss my services, so it's a bit disconcerting. I've tested all scripts myself and they all work perfectly ok, so my question is:

    Is my script getting hijacked or something or what?

    It may be something quite simple, but if anyone has had any experience of it I would be very interested to hear your thoughts. I've included the scripts below:

    HTML Code:
    <p> <strong id="inner_main_form">Please use the form below to contact us.</strong></p>
      <form action="mailer.php" method="post" name="contact_form">
            <p><label for="name" id="namelabel">Name: </label>
            <input name="name" id="name" type="text"/></p>
            <p><label for="details" id="detailslabel">Please let us know how to contact you </label>
            <textarea name="details" id="details"></textarea></p>
            <p><label for="company" id="companylabel">Company Name:</label>
            <input name="company" id="company" type="text"/></p>
            <p><label for="enquiry" id="enquirylabel">Enquiry / comments: </label>
            <textarea name="enquiry" id="enquiry"></textarea></p>
            <input type="submit" name="submit" value="Submit" id="submitter"/>
            <input type="reset" name="reset" value="Reset" id="resetter"/>
      </form>
    PHP Code:

    # Setup Message (the message lines below are rebuilt from the four form field names above)
    $msgBody  = "NAME: {$_POST['name']}\n";
    $msgBody .= "CONTACT: {$_POST['details']}\n";
    $msgBody .= "COMPANY: {$_POST['company']}\n";
    $msgBody .= "ENQUIRY: {$_POST['enquiry']}\n";

    # Change to your Email Address and Subject
    $ToName  = "me@myaddress.co.uk";
    $Subject = "Enquiry from Website";
    $From    = "website@myaddress.co.uk";
    $headers = "From: $From";

    # Send the email if valid form submission
    mail($ToName, $Subject, $msgBody, $headers);

    # Redirect to a page of your choice here
    Header("Location: thankyou.php");

    I'm assuming from my script that it's full of holes and someone is hijacking it. Any ideas??


  2. #2
    Join Date
    Aug 2004
    As far as I can see upon a quick inspection of your code, the only place you use any user-supplied data is in the $msgBody. If this is correct, then they should not be able to hijack it.

    It may be spammers/hackers trying out your page to see if they can use it and (hopefully) getting an error or otherwise finding out it does not suit their purposes.
    "Well done....Consciousness to sarcasm in five seconds!" ~ Terry Pratchett, Night Watch

    How to Ask Questions the Smart Way (not affiliated with this site, but well worth reading)

    My Blog
    cwrBlog: simple, no-database PHP blogging framework

  3. #3
    Join Date
    Jan 2005
    Alicante (Spain)
    Nogdog is right about the script not being of much interest from the point of view of header injection, but the script is pretty crap. There is no validation routine and you're not even bothering to test to see whether variables even exist.

  4. #4
    Join Date
    Apr 2007
    contact.php is something the spiders will look for when looking for vulnerable contact forms. You might save some wasted bandwidth by changing the name to something less obvious.

  5. #5
    Join Date
    Aug 2007
    Leeds, Yorkshire, England
    They may be able to use $msgBody to alter the headers. An e-mail is just a string of characters and $msgBody could be injected with headers.

    I always run my form inputs through the following function to stop spam relays:

    PHP Code:
    // Deal with forms that may have been illegally altered by spammers or contain hyperlinks
    function clear_user_input($value)
    {
        // Neutralise CR/LF, encoded line breaks, header names and links by breaking them up
        $patterns     = array("/%0/", "/\\r/", "/\\n/", "/bcc:/i", "/cc:/i", "/to:/i", "/href/i", "/http/i");
        $replacements = array("%_0_", "    ", "    ", "b_c_c_:", "c_c_:", "t_o_:", "h_r_e_f_", "h_t_t_p_");
        return preg_replace($patterns, $replacements, $value);
    }

    // Apply to every submitted field (note: array_map only handles flat, string-valued $_POST)
    $_POST = array_map('clear_user_input', $_POST);
    At the very least, it may be worth you trying this.

  6. #6
    Join Date
    Aug 2004
    Quote Originally Posted by Yelgnidroc
    They may be able to use $msgBody to alter the headers. An e-mail is just a string of characters and $msgBody could be injected with headers....
    Except that the "end of headers" marker will have already been encountered by the time the text in the message body is encountered, so text from that point forward should not matter with regards to header injection.
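The validation routine post #3 asks for, written to reflect post #6's point: only values that end up on a header line can inject headers, so single-line fields are rejected if they contain CR or LF, every field is checked for existence, and rejected submissions are logged so the access-log pattern in post #1 becomes explainable. This is an added example rather than code from the thread; the field names come from the form in post #1, while the function names and the 4000-byte limit are assumptions.

```php
<?php
// Added example for mailer.php, not the thread's own code. Field names are the
// form's; has_crlf, validate_contact_form and the 4000-byte limit are assumptions.

// Single-line fields never legitimately contain CR or LF; those are the only
// characters that would let a value break out of a header line if it were ever
// placed in one (Reply-To, Subject), so reject them outright.
function has_crlf($value)
{
    return preg_match("/[\r\n]/", $value) === 1;
}

// Returns an array of error strings; empty means the submission is acceptable.
function validate_contact_form(array $post)
{
    $errors = array();
    foreach (array('name', 'details', 'company', 'enquiry') as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            $errors[] = "missing field: $field";
        }
    }
    foreach (array('name', 'company') as $field) {
        if (isset($post[$field]) && is_string($post[$field]) && has_crlf($post[$field])) {
            $errors[] = "$field contains a line break";
        }
    }
    if (isset($post['enquiry']) && is_string($post['enquiry']) && strlen($post['enquiry']) > 4000) {
        $errors[] = 'enquiry too long';
    }
    return $errors;
}

$errors = validate_contact_form($_POST);
if (count($errors) > 0) {
    // Log rejections with the client address so probing shows up in the error log.
    error_log('mailer.php rejected ' . $_SERVER['REMOTE_ADDR'] . ': ' . implode('; ', $errors));
    header('HTTP/1.1 400 Bad Request');
    exit('Invalid submission.');
}

// User text only ever lands in the body, below the blank line that ends the headers.
$msgBody = "NAME: {$_POST['name']}\nCONTACT: {$_POST['details']}\n"
         . "COMPANY: {$_POST['company']}\nENQUIRY:\n{$_POST['enquiry']}\n";
$headers = 'From: website@myaddress.co.uk';   // fixed sender, no user data in headers

if (mail('me@myaddress.co.uk', 'Enquiry from Website', $msgBody, $headers)) {
    header('Location: thankyou.php');
} else {
    error_log('mailer.php: mail() failed for ' . $_SERVER['REMOTE_ADDR']);
}
```

The error_log lines also answer the original question directly: a request to mailer.php that never reaches thankyou.php will now leave a record of why.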

  7. #7
    Join Date
    Apr 2007
    You might want to have a read of this. It covers email injection in an easy to understand way.
