hacking possibly???????

**cannon303** · 05-19-2008 10:01 AM

Hi Ive got a contact form called contact.php and a mailer.php which handles the script to process the info. This then redirects the user to a thankyou.php thanking them for their enquiry. It's all very simple and basic and works!

PROBLEM

When I look at my server logs it seems that contact.php is getting requested by people viewing the site, followed, as you would expect by mailer.php. But that's where it ends - the thankyou.php is not getting called and I'm not receiving an email from mailer.php. This is increasingly happening - average about once or twice a day and when I look up the IP addresses - they originate from Vietnam and India etc. I'm UK based and I cant imagine anyone in India or Vietnam wanting to discuss my services so it's a bit disconcerting. I've tested all scripts myself and they all work perfectly ok, so my question is:

Is my script getting hijacked or something or what?

It maybe something quite simple, but if anyone has had any experience of it I would be very interested to hear your thoughts. I've included the scripts below:

contact.php

HTML Code:

<p> <strong id="inner_main_form">Please use the form below to contact us.</strong></p>
  <form action="mailer.php" method="post" name="contact_form">
        <p><label for="name" id="namelabel">Name: </label>
        <input name="name" id="name" type="text"/></p>
        
        <p><label for="details" id="detailslabel">Please let us know how to contact you </label>
        <textarea name="details" id="details" type="text"></textarea></p>
        
        <p><label for="company" id="companylabel">Company Name:</label>
        <input name="company" id="company" type="text"/></p>
        
        <p><label for="enquiry" id="enquirylabel">Enquiry / comments: </label>
        <textarea name="enquiry" id="enquiry" type="text"></textarea></p>
        
        <input type="submit" name="submit" value="Submit" id="submitter"/>
        <input type="reset" name="reset" value="Reset" id="resetter"/>
  </form>

mailer.php

PHP Code:


<?php
session_start();

# Setup Message
$msgBody = "NAME: {$_POST['name']}\n

CONTACT DETAILS: {$_POST['details']}\n

COMPANY NAME: {$_POST['company']}\n

ENQUIRY: {$_POST['enquiry']}\n

IP: {$_SESSION['IP']}";

# Change to your Email Address and Subject
$ToName = "me@myaddress.co.uk";
$Subject = "Enquiry from Website";
$From =  "website@myaddress.co.uk";
$headers = "From: $From";



  # Send the email if valid form submission
ini_set("sendmail_from", "me@myaddress.co.uk");
  mail($ToName, $Subject, $msgBody, $headers);


# Redirect to a page of your choice here
Header("Location: thankyou.php");

?>

I'm assuming from my script that it's full of holes and someone is hijacking it. Any ideas??

Thanks

**NogDog** · 05-19-2008 10:16 AM

As far as I can see upon a quick inspection of your code, the only place you use any user-supplied data is in the $msgBody. If this is correct, then they should not be able to hijack it.

It may be spammers/hackers trying out your page to see if they can use it and (hopefully) getting an error or otherwise finding out it does not suit their purposes.

**bokeh** · 05-19-2008 10:49 AM

Nogdog is right about the script being not a lot of interest from the point of view of header injection, but, the script is pretty crap. There is no validation routine and you're not even bothering to test to see whether variables even exist.

**SyCo** · 05-19-2008 12:25 PM

contact.php is something the spiders will look for when looking for vulnerable contact forms. You might save some wasted bandwidth by changing the name to something less obvious.

**Yelgnidroc** · 05-19-2008 05:36 PM

They may be able to use $msgBody to alter the headers. An e-mail is just a string of characters and $msgBody could be injected with headers.

I always run my form inputs through the following function to stop spam relays:

PHP Code:


        // Deal with forms that may have been illegally altered by spammers or contain hyperlinks
        function clear_user_input($value)
        {
            $patterns =     array ("/%0/" , "/\\r/" ,"/\\n/" , "/bcc:/i" , "/cc:/i" , "/to:/i" , "/href/i"  , "/http/i");
            $replacements = array ("%_0_" , "    "  ,"    "  , "b_c_c_:" , "c_c_:"  ,  "t_o_:" , "h_r_e_f_" , "h_t_t_p_");
            return preg_replace($patterns,$replacements,$value);
        }

        $_POST = array_map('clear_user_input', $_POST);

At the very least, it may be worth you trying this.

**NogDog** · 05-19-2008 07:56 PM

Originally Posted by Yelgnidroc

They may be able to use $msgBody to alter the headers. An e-mail is just a string of characters and $msgBody could be injected with headers....

Except that the "end of headers" marker will have already been encountered by the time the text in the message body is encountered, so text from that point forward should not matter with regards to header injection.

**SyCo** · 05-20-2008 09:26 AM

You might want to have a read of this. It covers email injection in an easy to understand way.
http://www.securephpwiki.com/index.php/Email_Injection

Thread: hacking possibly???????

Thread Tools

Display

hacking possibly???????

Thread Information

Users Browsing this Thread

Bookmarks

Bookmarks

Posting Permissions