Hijacked Mail Script

Posted: Thu May 11, 2006 2:37 pm
by Deemo
I have been using a mail script that sends an email with all the form data from HTML forms. Now, 2 of my clients have reported getting hundreds of bouncebacks of someone who is hijacking the script to send spam emails. The mail script is extremely simple, which is obviously why it got hijacked. I was wondering if you guys could assist me in stopping this, and ASAP...

Here's the code:

$to = $_POST['recipient'];
$from = $_POST['email'];
$subject = $_POST['subject'];

$headers  = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";

// Additional headers
$headers .= 'To: Name <'.$to.'>' . "\r\n";
$headers .= 'From: '.$_POST['name'].' <'.$from.'>' . "\r\n";

// Go through everything in the POST to output
$message = '';
foreach ($_POST as $key =>$value)
{
  if (($key != "recipient")&&($key != "subject")&&($key != "redirect")&&($key != "submit")&&($key != "THANKURL"))
    $message .= $key.": ".$value."<br>"; 
}

mail ($to, $subject, $message, $headers);

Posted: Thu May 11, 2006 2:48 pm
by timvw
The problem (as always) is a problem of a lack of user input validation... Eg: A name or an e-mail address can't contain \r, \n, \t, ...

http://www.nyphp.org/phundamentals/emai ... ection.php

Re: Hijacked Mail Script

Posted: Thu May 11, 2006 3:01 pm
by aerodromoi
Deemo wrote:I have been using a mail script that sends an email with all the form data from HTML forms. Now, 2 of my clients have reported getting hundreds of bouncebacks of someone who is hijacking the script to send spam emails. The mail script is extremely simple, which is obviously why it got hijacked. I was wondering if you guys could assist me in stopping this, and ASAP...
First of all, the user can choose the recipient - he or she does not have to "hijack" the script. If you really need several choices, check them (e.g. put all possible/desired email addresses in an array and check their existence / their validity with in_array).

If you don't validate the recipient's email address, you shouldn't put it into the header (idem for the sender's address).

Hope this helps,
aerodromoi
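
Putting both replies into practice (timvw's point that a name or address must not carry \r or \n, and aerodromoi's allowlisted recipients), here is a hardened rewrite of the posted script, added as an example rather than code from this thread; the allowlist keys, the placeholder addresses and the helper names post_str / clean_header_value are assumptions.

```php
<?php
// Hardened form mailer, added as an example (not Deemo's script or code from this
// thread). Assumes fields name, email, subject and recipient, where recipient is now
// a key into an owner-maintained allowlist; the addresses below are placeholders.
$ALLOWED_RECIPIENTS = [
    'sales'   => 'sales@example.com',
    'support' => 'support@example.com',
];
// Return a POST field only if it is a plain string (arrays would break the checks).
function post_str(string $key): string
{
    return is_string($_POST[$key] ?? null) ? $_POST[$key] : '';
}
// Refuse any header value containing CR, LF or another control character: a single
// "\r\n" in name or email would let the sender append header lines of their own.
function clean_header_value(string $value, int $maxLen = 200): ?string
{
    if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
        return null;
    }
    $value = trim($value);
    return ($value === '' || strlen($value) > $maxLen) ? null : $value;
}

// 1. The recipient is looked up in the allowlist, never copied from the POST body.
$to      = $ALLOWED_RECIPIENTS[post_str('recipient')] ?? null;
$name    = clean_header_value(post_str('name'));
$subject = clean_header_value(post_str('subject'));
$from    = clean_header_value(post_str('email'));
$from    = ($from !== null && filter_var($from, FILTER_VALIDATE_EMAIL) !== false) ? $from : null;
if ($to === null || $name === null || $from === null || $subject === null) {
    http_response_code(400);
    exit('Invalid form submission.');
}
// 2. Headers use validated values only. From stays on our own domain and the visitor's
//    address goes in Reply-To, so the message is not a forgery under SPF/DMARC.
$headers  = "MIME-Version: 1.0\r\n";
$headers .= "Content-Type: text/plain; charset=UTF-8\r\n";
$headers .= "From: Web Form <noreply@example.com>\r\n";   // placeholder sender
$headers .= "Reply-To: {$name} <{$from}>\r\n";
// 3. Plain-text body; field names are restricted and newlines inside values flattened.
$skip = ['recipient', 'subject', 'redirect', 'submit', 'THANKURL'];
$message = '';
foreach ($_POST as $key => $value) {
    if (in_array($key, $skip, true) || !is_string($value)) continue;
    if (!preg_match('/^[A-Za-z0-9_-]{1,40}$/', $key)) continue;
    $message .= $key . ': ' . str_replace(["\r", "\n"], ' ', $value) . "\n";
}
mail($to, $subject, $message, $headers);
```

Switching the body to text/plain also removes the stored-HTML problem the original had, since every POST value was echoed into an HTML mail unescaped.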