
Contact Form Hacked

Posted: Tue Feb 13, 2007 8:40 pm
by iknownothing
EDIT: This is the new file with the below suggestions implemented. The host of the site still believes this is unsafe. Sorry for being a pain, but is there anything else I can do to make it more secure? You don't have to type out the code if you don't want to, just some keywords would be fine so I can look it up.

Also, the process is on a separate page to the form, if that matters (security wise).

Thanks.


Code:

<?php
// Fields submitted from the contact form (the form itself lives on a separate page).
// Read them from $_POST explicitly instead of relying on register_globals.
$name    = isset($_POST["name"])    ? $_POST["name"]    : "";
$email   = isset($_POST["email"])   ? $_POST["email"]   : "";
$phone   = isset($_POST["phone"])   ? $_POST["phone"]   : "";
$fax     = isset($_POST["fax"])     ? $_POST["fax"]     : "";
$message = isset($_POST["message"]) ? $_POST["message"] : "";

// Address format check (eregi is gone from modern PHP; preg_match with /i is equivalent here).
$emailPattern = '/^([+_a-z0-9-]+)(\.[+_a-z0-9-]+)*@([a-z0-9-]+)(\.[a-z0-9-]+)*(\.[a-z]{2,4})$/i';
// Characters that must never reach a mail header: CR, LF, double quote, backslash, angle brackets.
$badChars = '/[\r\n"\\\\<>]/';

$error = "";
if ($name == "") { $error .= "<b>You need to enter your Name so we know who to contact</b><br>"; }
if ($email == "" && $phone == "") { $error .= "<b>You need to enter a contact method so that we can contact you</b><br>"; }
// Only check the address format when one was given; a phone number alone is an accepted contact method.
if ($email != "" && !preg_match($emailPattern, $email)) { $error .= "Invalid Email Address<br>"; }
if (preg_match($badChars, $name))    { $error .= "Invalid Characters in Name Field<br>"; }
if (preg_match($badChars, $email))   { $error .= "Invalid Characters in Email Field<br>"; }
if (preg_match($badChars, $phone))   { $error .= "Invalid Characters in Phone Field<br>"; }
if (preg_match($badChars, $fax))     { $error .= "Invalid Characters in Fax Field<br>"; }
if (preg_match($badChars, $message)) { $error .= "Invalid Characters in Message Field<br>"; }

if ($error == "") {
    // send email to IND Lending
    // Undo magic_quotes_gpc escaping before the values go into the message (a no-op on modern PHP).
    $name    = stripslashes($name);
    $email   = stripslashes($email);
    $phone   = stripslashes($phone);
    $fax     = stripslashes($fax);
    $message = stripslashes($message);

    $mailtoOBone = "scott@indlending.com.au";
    $mailmsg = "--- Below are details submitted via the IND Lending Contact Form ---\n\nName: $name\nEmail Address: $email\nPhone No.: $phone\nFax No.: $fax\n\nEnquiry:\n$message\n\n--- End of Details ---\n";
    if ($email == "") {
        $email = "no-email-given@indlending.com.au";
        $subject = "Contact Form Details - DO NOT REPLY";
    } else {
        $subject = "Contact Form Details";
    }

    $from = "From: \"$name\" <$email>";

    // Sanity-check the hardcoded recipient before sending, not after.
    if (!preg_match($emailPattern, $mailtoOBone)) {
        $error .= "Contact Form ERROR<br>";
    } else {
        mail($mailtoOBone, $subject, $mailmsg, $from);
    }
}

Posted: Tue Feb 13, 2007 10:29 pm
by volka
At least perform a rudimentary check on $name and $email, e.g.:

Code:

$error = "";
if ($email == "" && $phone == "") { $error .= "<b>You need to enter a contact method so that we can contact you.</b><br />"; }
// Reject anything that could end the current header line or start a new one.
if ( preg_match("/[\r\n\"\\\\<>]/", $name) ) $error .= "<div>invalid character in parameter 'name'</div>\n";
if ( preg_match("/[\r\n\"\\\\<>]/", $email) ) $error .= "<div>invalid character in parameter 'email'</div>\n";

if ($error == "") {
    // only now is it safe to build the headers and call mail()
}

Posted: Tue Feb 13, 2007 10:44 pm
by iknownothing
But how would that send emails to other people? The $mailto variable is the address to be sent to, which is hardcoded in...

Would it help if I changed the $mailto variable name to something a bit harder to guess, i.e. $youllneverguessmymailtovariablename?

Posted: Wed Feb 14, 2007 12:24 am
by John Cartwright
Because headers can be injected, which is what volka demonstrated.
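The injection John Cartwright is referring to, as an added example that is not code from the thread: the form builds its From: header by string concatenation, so a CR/LF pair inside a submitted field ends that header and starts new ones. PHP's mail() on a default Unix install pipes the message to sendmail -t -i, which takes its recipient list from the To:, Cc: and Bcc: headers, so an injected Bcc: line really does deliver copies. The addresses below are made up.

```php
<?php
// Added example, not the thread's own code: what volka's character check defends against.

function buildFromHeader(string $name, string $email): string
{
    // The same construction the contact form uses for its From: header
    return "From: \"$name\" <$email>";
}

function hasHeaderInjectionChars(string $value): bool
{
    // CR, LF, double quote, backslash and angle brackets must never reach a header
    return preg_match('/[\r\n"\\\\<>]/', $value) === 1;
}

// Constructed attacker input. Only the name field is abused; the email field is left
// well-formed so a check on the address alone would not catch it. The trailing
// X-Note: header soaks up the closing quote and <...> that the form appends.
$attackerName  = "Alice\" <alice@example.com>\r\nBcc: target1@example.net, target2@example.net\r\nX-Note: \"";
$attackerEmail = "alice@example.com";

// What mail() receives as additional_headers when the fields are used unchecked:
// a From: line, then an injected Bcc: line, then a harmless X-Note: line.
$rawHeaders = buildFromHeader($attackerName, $attackerEmail);
echo "Unchecked header block:\n$rawHeaders\n\n";

// With the check in place the submission is refused before any header is built.
foreach (['name' => $attackerName, 'email' => $attackerEmail] as $field => $value) {
    echo $field, ': ', hasHeaderInjectionChars($value) ? 'rejected' : 'ok', "\n";
}
```

Run it and the first block printed is three separate header lines, with the site's own hardcoded $mailto still the visible recipient; that is why renaming the variable changes nothing. The second block shows the name field being rejected while the email field passes, which is the reason the check has to cover every field that ends up in a header, not just the address.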

Posted: Wed Feb 14, 2007 7:34 am
by feyd
You might want to use the RFC compliant email address regex that we've had posted quite often. Search for "validateEmailFormat"

Posted: Thu Feb 15, 2007 7:00 pm
by iknownothing
edited first post. Thanks.

Posted: Fri Feb 16, 2007 8:16 am
by onion2k
The host of the site still believes this is unsafe.
Rather than taking wild stabs in the dark at what might make it more secure, why not ask the host why they think it's not secure? Then you'll have an actual problem that you can address.

Posted: Fri Feb 16, 2007 8:23 am
by superdezign
An issue I see clients usually have with the "security" of their form is spam. Spammers use forms to spam people using others' bandwidth, so firstly you validate headers to stop spammers from using your client's bandwidth to spam others, and validate any text they send to ensure that there is no HTML inserted. This stops spammers from spamming your client's email.

And explain to them what you've prevented. If you sound like you know what you're doing, they assume that you do.

Posted: Fri Feb 16, 2007 8:26 am
by feyd
The email regex still is not RFC compliant.
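Putting superdezign's two points (validate anything header-bound, keep the message plain text) and feyd's point about address validation together, here is a hardened handler as an added example. It is not the thread's code and not the forum's validateEmailFormat() function, which is not on this page; as an assumption it uses PHP's built-in filter_var(FILTER_VALIDATE_EMAIL) instead. It assumes PHP 7.1 or later, a placeholder sender address on the site's own domain, and a $dryRun switch so it can be run without a mail transport.

```php
<?php
// Added example, not the thread's own code: a hardened version of the form handler.

function validateContactSubmission(array $post): array
{
    $errors = [];
    $clean  = [];
    foreach (['name', 'email', 'phone', 'fax', 'message'] as $f) {
        $v = isset($post[$f]) ? (string) $post[$f] : '';
        // Control characters (CR, LF, NUL, ...) are never legitimate in a single-line
        // field and are the raw material of header injection, so reject them outright.
        if ($f !== 'message' && preg_match('/[\x00-\x1F\x7F]/', $v)) {
            $errors[] = "Invalid characters in $f";
        }
        $clean[$f] = trim($v);
    }
    if ($clean['name'] === '') {
        $errors[] = 'Name is required';
    }
    if ($clean['email'] === '' && $clean['phone'] === '') {
        $errors[] = 'Give an email address or a phone number';
    }
    // Assumption: PHP's built-in validator stands in for the forum's validateEmailFormat().
    if ($clean['email'] !== '' && filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Invalid email address';
    }
    // The message only ever goes in the body: strip HTML, normalise line endings.
    $clean['message'] = str_replace(["\r\n", "\r"], "\n", strip_tags($clean['message']));
    return [$errors, $clean];
}

function buildContactMail(array $clean, string $recipient, string $siteSender): array
{
    // From: is a fixed address on the site's own domain; the visitor's address goes
    // only into Reply-To:, and the visitor's name goes only into the body. Nothing
    // the visitor typed is concatenated into a header except the validated address.
    $headers = [
        "From: Contact Form <$siteSender>",
        "Content-Type: text/plain; charset=UTF-8",
    ];
    if ($clean['email'] !== '') {
        $headers[] = "Reply-To: <{$clean['email']}>";
        $subject = 'Contact Form Details';
    } else {
        $subject = 'Contact Form Details - DO NOT REPLY';
    }
    $body = "--- Below are details submitted via the contact form ---\n\n"
          . "Name: {$clean['name']}\nEmail Address: {$clean['email']}\n"
          . "Phone No.: {$clean['phone']}\nFax No.: {$clean['fax']}\n\n"
          . "Enquiry:\n{$clean['message']}\n\n--- End of Details ---\n";
    return [$recipient, $subject, $body, implode("\r\n", $headers)];
}

// Constructed submissions: one ordinary (with some HTML in the message), one carrying
// an injected Bcc: header in the name field. Addresses other than the recipient are made up.
$samples = [
    ['name' => 'Bob', 'email' => 'bob@example.com', 'phone' => '', 'fax' => '',
     'message' => "Hi <b>there</b>,\r\nplease call me."],
    ['name' => "Eve\r\nBcc: target@example.net", 'email' => 'eve@example.com', 'phone' => '', 'fax' => '',
     'message' => 'x'],
];
$dryRun = true;   // set to false on a host with a working sendmail
foreach ($samples as $post) {
    [$errors, $clean] = validateContactSubmission($post);
    if ($errors) {
        echo 'Rejected: ', implode('; ', $errors), "\n\n";
        continue;
    }
    [$to, $subject, $body, $headers] = buildContactMail(
        $clean, 'scott@indlending.com.au', 'contact-form@example.com' // placeholder sender
    );
    if ($dryRun) {
        echo "Would send to $to\nSubject: $subject\n$headers\n\n$body\n";
    } else {
        mail($to, $subject, $body, $headers);
    }
}
```

The design choice that matters most is the one that makes the character check almost redundant: the visitor's name never enters a header at all, and the only visitor-supplied value that does (the Reply-To address) has already passed an address validator that rejects control characters. Keeping From: on the site's own domain also avoids forging mail from the visitor's domain, which modern receiving servers check against that domain's SPF/DMARC policy.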

Posted: Sun Feb 18, 2007 3:30 pm
by iknownothing
feyd wrote: The email regex still is not RFC compliant.
Really, I must have used the wrong one from another topic; I assumed the one at the very bottom of a topic would have been correct.