Hijacked Mail Script

Deemo
Forum Contributor
Posts: 418
Joined: Sun Jan 18, 2004 11:48 am
Location: Washington DC

Hijacked Mail Script

Post by Deemo »

I have been using a mail script that sends an email with all the form data from HTML forms. Now, 2 of my clients have reported getting hundreds of bouncebacks of someone who is hijacking the script to send spam emails. The mail script is extremely simple, which is obviously why it got hijacked. I was wondering if you guys could assist me in stopping this, and ASAP...

Here's the code:

Code:

// Recipient, sender and subject are taken straight from the submitted form
$to = $_POST['recipient'];
$from = $_POST['email'];
$subject = $_POST['subject'];

$headers  = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";

// Additional headers
$headers .= 'To: Name <'.$to.'>' . "\r\n";
$headers .= 'From: '.$_POST['name'].' <'.$from.'>' . "\r\n";

// Go through everything in the POST to build the message body
$message = '';
foreach ($_POST as $key => $value)
{
  if (($key != "recipient") && ($key != "subject") && ($key != "redirect") && ($key != "submit") && ($key != "THANKURL"))
    $message .= $key . ": " . $value . "<br>";
}

mail($to, $subject, $message, $headers);
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

The problem (as always) is a problem of a lack of user input validation... E.g.: a name or an e-mail address can't contain \r, \n, \t, ...

http://www.nyphp.org/phundamentals/emai ... ection.php
aerodromoi
Forum Contributor
Posts: 230
Joined: Sun May 07, 2006 5:21 am

Re: Hijacked Mail Script

Post by aerodromoi »

Deemo wrote: I have been using a mail script that sends an email with all the form data from HTML forms. Now, 2 of my clients have reported getting hundreds of bouncebacks of someone who is hijacking the script to send spam emails. The mail script is extremely simple, which is obviously why it got hijacked. I was wondering if you guys could assist me in stopping this, and ASAP...

First of all, the user can choose the recipient - he or she does not have to "hijack" the script. If you really need several choices, check them (e.g. put all possible/desired email addresses in an array and check their existence / their validity with in_array).

If you don't validate the recipient's email address, you shouldn't put it into the header (idem for the sender's address).

Hope this helps,
aerodromoi
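The two pieces of advice above (reject header-breaking characters in every field, and pick the recipient from a server-side list with in_array rather than trusting the form) combined into a hardened version of Deemo's script. This is an added example, not code posted in the thread; the recipient list, the noreply address and the helper name cleanField are assumptions.

```php
<?php
// Hardened form mailer (added example). The form now submits a recipient
// *key* such as "sales"; the real address is chosen here, never by the visitor.
$allowedRecipients = [                      // assumed placeholder addresses
    'sales'   => 'sales@example.com',
    'support' => 'support@example.com',
];

// Returns null for anything that could break out of a header line
// (\r, \n, NUL) or is not a plain string; otherwise a trimmed, length-capped value.
function cleanField($value, int $maxLen = 200): ?string {
    if (!is_string($value) || preg_match('/[\r\n\0]/', $value)) {
        return null;
    }
    return substr(trim($value), 0, $maxLen);
}

$key     = $_POST['recipient'] ?? '';
$to      = is_string($key) ? ($allowedRecipients[$key] ?? null) : null;  // in_array-style whitelist
$from    = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);     // false if not a valid address
$name    = cleanField($_POST['name'] ?? '');
$subject = cleanField($_POST['subject'] ?? '', 100);

if ($to === null || $from === false || $name === null || $subject === null) {
    http_response_code(400);
    exit('Invalid form submission.');
}
$name = str_replace(['<', '>', '"'], '', $name);   // keep the display name out of the address syntax

$headers  = "MIME-Version: 1.0\r\n";
$headers .= "Content-type: text/html; charset=utf-8\r\n";
// From is a fixed local address; the visitor's address only goes into Reply-To,
// so the script cannot be used to send mail that appears to come from arbitrary senders.
$headers .= "From: Website Form <noreply@example.com>\r\n";
$headers .= 'Reply-To: ' . $name . ' <' . $from . ">\r\n";

$skip    = ['recipient', 'subject', 'redirect', 'submit', 'THANKURL'];
$message = '';
foreach ($_POST as $field => $value) {
    if (in_array($field, $skip, true) || !is_string($value)) {
        continue;
    }
    // Escape body content so form input cannot inject HTML into the message.
    $message .= htmlspecialchars($field, ENT_QUOTES, 'UTF-8') . ': '
              . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . "<br>\n";
}

mail($to, $subject, $message, $headers);
```

The To header is no longer built by hand: mail() sets it from the first argument, which can only ever be one of the whitelisted addresses.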