www.webdeveloper.com

Thread: hacking possibly???????

  1. #1
    Join Date
    Oct 2007
    Posts
    126

    hacking possibly???????

    Hi, I've got a contact form called contact.php and a mailer.php which handles the script to process the info. This then redirects the user to a thankyou.php thanking them for their enquiry. It's all very simple and basic and works!

    PROBLEM
    When I look at my server logs it seems that contact.php is getting requested by people viewing the site, followed, as you would expect, by mailer.php. But that's where it ends - the thankyou.php is not getting called and I'm not receiving an email from mailer.php. This is increasingly happening - average about once or twice a day and when I look up the IP addresses - they originate from Vietnam and India etc. I'm UK based and I can't imagine anyone in India or Vietnam wanting to discuss my services so it's a bit disconcerting. I've tested all scripts myself and they all work perfectly ok, so my question is:

    Is my script getting hijacked or something or what?

    It may be something quite simple, but if anyone has had any experience of it I would be very interested to hear your thoughts. I've included the scripts below:

    contact.php
    HTML Code:
    <p> <strong id="inner_main_form">Please use the form below to contact us.</strong></p>
      <form action="mailer.php" method="post" name="contact_form">
            <p><label for="name" id="namelabel">Name: </label>
            <input name="name" id="name" type="text"/></p>
            
            <p><label for="details" id="detailslabel">Please let us know how to contact you </label>
            <textarea name="details" id="details" type="text"></textarea></p>
            
            <p><label for="company" id="companylabel">Company Name:</label>
            <input name="company" id="company" type="text"/></p>
            
            <p><label for="enquiry" id="enquirylabel">Enquiry / comments: </label>
            <textarea name="enquiry" id="enquiry" type="text"></textarea></p>
            
            <input type="submit" name="submit" value="Submit" id="submitter"/>
            <input type="reset" name="reset" value="Reset" id="resetter"/>
      </form>
    mailer.php
    PHP Code:
    <?php
    session_start();

    # Setup Message
    $msgBody = "NAME: {$_POST['name']}\n
    CONTACT DETAILS: {$_POST['details']}\n
    COMPANY NAME: {$_POST['company']}\n
    ENQUIRY: {$_POST['enquiry']}\n
    IP: {$_SESSION['IP']}";

    # Change to your Email Address and Subject
    $ToName = "me@myaddress.co.uk";
    $Subject = "Enquiry from Website";
    $From = "website@myaddress.co.uk";
    $headers = "From: $From";

    # Send the email if valid form submission
    ini_set("sendmail_from", "me@myaddress.co.uk");
    mail($ToName, $Subject, $msgBody, $headers);

    # Redirect to a page of your choice here
    Header("Location: thankyou.php");

    ?>
    I'm assuming from my script that it's full of holes and someone is hijacking it. Any ideas??

    Thanks

  2. #2
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    18,923
    As far as I can see upon a quick inspection of your code, the only place you use any user-supplied data is in the $msgBody. If this is correct, then they should not be able to hijack it.

    It may be spammers/hackers trying out your page to see if they can use it and (hopefully) getting an error or otherwise finding out it does not suit their purposes.
    "Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
    ~ Terry Pratchett in Nation

    eBookworm.us

  3. #3
    Join Date
    Jan 2005
    Location
    Alicante (Spain)
    Posts
    7,736
    Nogdog is right about the script being not a lot of interest from the point of view of header injection, but the script is pretty crap. There is no validation routine and you're not even bothering to test to see whether variables even exist.

  4. #4
    Join Date
    Apr 2007
    Posts
    1,664
    contact.php is something the spiders will look for when looking for vulnerable contact forms. You might save some wasted bandwidth by changing the name to something less obvious.

  5. #5
    Join Date
    Aug 2007
    Location
    Leeds, Yorkshire, England
    Posts
    387
    They may be able to use $msgBody to alter the headers. An e-mail is just a string of characters and $msgBody could be injected with headers.

    I always run my form inputs through the following function to stop spam relays:

    PHP Code:
    // Deal with forms that may have been illegally altered by spammers or contain hyperlinks
    function clear_user_input($value)
    {
        // Each pattern is replaced by the entry at the same position in $replacements
        $patterns = array("/%0/", "/\\r/", "/\\n/", "/bcc:/i", "/cc:/i", "/to:/i", "/href/i", "/http/i");
        $replacements = array("%_0_", "    ", "    ", "b_c_c_:", "c_c_:", "t_o_:", "h_r_e_f_", "h_t_t_p_");
        return preg_replace($patterns, $replacements, $value);
    }

    // Apply the filter to every submitted field
    $_POST = array_map('clear_user_input', $_POST);
    At the very least, it may be worth you trying this.

  6. #6
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    18,923
    Quote Originally Posted by Yelgnidroc
    They may be able to use $msgBody to alter the headers. An e-mail is just a string of characters and $msgBody could be injected with headers....
    Except that the "end of headers" marker will have already been encountered by the time the text in the message body is encountered, so text from that point forward should not matter with regard to header injection.

  7. #7
    Join Date
    Apr 2007
    Posts
    1,664
    You might want to have a read of this. It covers email injection in an easy to understand way.
    http://www.securephpwiki.com/index.php/Email_Injection
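
    The replies above ask for validation and an existence test on each field (#3) and note that only the message body carries user data (#2, #6). A mailer.php written along those lines, as an added example that is not code from any poster in this thread: the field names and addresses come from the first post, while the length limits, the function names and the use of $_SERVER['REMOTE_ADDR'] in place of the session value are assumptions.

```php
<?php
// Added example, not the thread's code; limits and function names are assumptions.
const FIELDS = ['name' => 100, 'details' => 500, 'company' => 100, 'enquiry' => 5000];
const SINGLE_LINE = ['name', 'company'];
// Returns [clean values, errors]; send only when the error list is empty.
function validate_enquiry(array $post): array
{
    $clean = $errors = [];
    foreach (FIELDS as $field => $maxLen) {
        // A field may be absent, or arrive as an array (name[]=x), so test before use.
        $value = is_string($post[$field] ?? null) ? trim($post[$field]) : null;
        if ($value === null) {
            $errors[] = "$field: missing or not a string";
        } elseif ($value === '' || strlen($value) > $maxLen) {
            $errors[] = "$field: empty or too long";
        } elseif (in_array($field, SINGLE_LINE, true) && preg_match('/[\r\n]/', $value)) {
            $errors[] = "$field: line break not allowed";
        } else {
            $clean[$field] = $value;
        }
    }
    return [$clean, $errors];
}

// Input goes into the body only; To, Subject and From stay fixed strings.
function send_enquiry(array $clean, string $ip): bool
{
    $body = "NAME: {$clean['name']}\nCONTACT DETAILS: {$clean['details']}\n"
          . "COMPANY NAME: {$clean['company']}\nENQUIRY: {$clean['enquiry']}\nIP: $ip";
    $body = preg_replace('/\r\n|\r|\n/', "\r\n", $body); // one line-ending style
    return mail('me@myaddress.co.uk', 'Enquiry from Website', $body, 'From: website@myaddress.co.uk');
}

if (PHP_SAPI === 'cli') {
    $samples = [ // constructed: a normal enquiry, then one with a header-style line and gaps
        ['name' => 'A. Customer', 'details' => '01234 567890',
         'company' => 'Example Ltd', 'enquiry' => "Line one\nLine two"],
        ['name' => "x\r\nBcc: someone@example.test", 'details' => 'n/a', 'enquiry' => ['x']],
    ];
    foreach ($samples as $post) {
        [, $errors] = validate_enquiry($post);
        echo $errors ? 'rejected: ' . implode('; ', $errors) : 'accepted', "\n";
    }
} elseif (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    [$clean, $errors] = validate_enquiry($_POST);
    if ($errors) { http_response_code(400); exit('Please complete every field.'); }
    send_enquiry($clean, $_SERVER['REMOTE_ADDR']);
    header('Location: thankyou.php');
    exit;
}
```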
