My form is hacked

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


greenpee
Forum Newbie
Posts: 5
Joined: Thu Sep 28, 2006 4:09 pm

My form is hacked

Post by greenpee »

Hi,

I have a form and I coded Age and State as dropdowns. But someone put a long line of script into them and got into my system successfully. Does anyone have an idea how he could do this? How can I block this?

Thanks,
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

Are you able to post the related code? If not a small overview of how it works would make offering advice more specific to your problem.
greenpee
Forum Newbie
Posts: 5
Joined: Thu Sep 28, 2006 4:09 pm

Post by greenpee »

<select name="AGE">
  <option value="">-- Select one --</option>
  <option value="1">under 20</option>
  <option value="2">20-29</option>
  <option value="3">30-39</option>
  <option value="4">40-49</option>
  <option value="5">50-59</option>
  <option value="6">60-69</option>
  <option value="7">over 70</option>
</select>
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

The code that processes the input is much more interesting here.
greenpee
Forum Newbie
Posts: 5
Joined: Thu Sep 28, 2006 4:09 pm

Post by greenpee »

And he put
<script src=...>...</script>
I don't want to spread his link. It is a .js file, but when I try to open it to read it, it asks me to download it.
greenpee
Forum Newbie
Posts: 5
Joined: Thu Sep 28, 2006 4:09 pm

Post by greenpee »

The processing code:

<?php
// $AGE is whatever the request supplied; it is appended to the mail body
// exactly as received, with no validation.
$message = $message . "AGE: $AGE";
mail($to, $subject, $message, $extra);
mikesmith76
Forum Commoner
Posts: 34
Joined: Fri Aug 25, 2006 7:10 am
Location: Manchester, UK

Post by mikesmith76 »

Any validation done to any of the data passed to mail()? Where are these variables set? If you have register_globals turned on, turn it off.

Regarding your question:
"I have a form and I coded Age and State as dropdowns. But someone put a long line of script into them and got into my system successfully."
Don't assume that because you have a dropdown on the form the data can only be one of the options in this dropdown. Chances are someone is submitting directly to your form processor without ever looking at your form.

bottom line - don't blindly accept user input without validation, ever.
greenpee
Forum Newbie
Posts: 5
Joined: Thu Sep 28, 2006 4:09 pm

Post by greenpee »

Thanks. Good point.
I recorded $HTTP_REFERER and it is the right page (my page). How can he post to my form with a different form? Do you think he built a page on his own server and posted to my form?
mikesmith76
Forum Commoner
Posts: 34
Joined: Fri Aug 25, 2006 7:10 am
Location: Manchester, UK

Post by mikesmith76 »

He could do. Plus, HTTP_REFERER is also user input; there is absolutely no requirement for it to be set at all. Also, you said $HTTP_REFERER: do you by any chance have register_globals enabled?

This may be a good read, specifically the section on form processing:

http://phpsec.org/projects/guide/
brendandonhue
Forum Commoner
Posts: 71
Joined: Mon Sep 25, 2006 3:21 pm

Post by brendandonhue »

If age is supposed to be a number, use is_numeric() to make sure that's what the user has inputted.
Jeroen Oosterlaar
Forum Commoner
Posts: 37
Joined: Sun Nov 06, 2005 4:12 pm

Post by Jeroen Oosterlaar »

Bottom line is and will always be: validate all input from the outside world. If the input of a certain field should be numeric, then validate it as numeric. If it is not, return an error.
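The advice in this thread (read fields explicitly instead of relying on register_globals, never trust the dropdown or HTTP_REFERER, validate every field and return an error otherwise) can be put together in one processor. The following is an added example written for this thread, not code posted by greenpee or any of the repliers. It reuses the field name AGE and the option values from the <select> posted above; the STATE option list, the recipient address and the function names pickOption, buildMessage and sendReport are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. A hardened replacement for the
// processor greenpee posted: every value is read from $_POST explicitly
// (no register_globals), checked against the exact set of <option> values
// the form offers, and rejected otherwise.

// The AGE values mirror the <select name="AGE"> posted in the thread.
const AGE_OPTIONS = ['1', '2', '3', '4', '5', '6', '7'];

// Constructed placeholder: the thread does not show the real State dropdown.
const STATE_OPTIONS = ['CA', 'NY', 'TX'];

/**
 * Return the submitted value if it is exactly one of the allowed options,
 * otherwise null. Strict comparison against the option list is tighter than
 * is_numeric(): is_numeric('1e3') and is_numeric(' 1') are both true, yet
 * neither is something the form can send.
 */
function pickOption(array $post, string $field, array $options): ?string
{
    $value = $post[$field] ?? null;
    if (!is_string($value)) {          // missing field, or an array (field[]=...)
        return null;
    }
    return in_array($value, $options, true) ? $value : null;
}

/**
 * Validate the whole submission. Returns ['ok' => bool, 'errors' => [...],
 * 'message' => string]; the message is built only from validated values.
 * HTTP_REFERER is deliberately not consulted: the client sends it, it can be
 * anything or absent, so it proves nothing about where the POST came from.
 */
function buildMessage(array $post): array
{
    $errors = [];
    $age   = pickOption($post, 'AGE', AGE_OPTIONS);
    $state = pickOption($post, 'STATE', STATE_OPTIONS);
    if ($age === null) {
        $errors[] = 'AGE is not one of the offered choices.';
    }
    if ($state === null) {
        $errors[] = 'STATE is not one of the offered choices.';
    }
    if ($errors !== []) {
        return ['ok' => false, 'errors' => $errors, 'message' => ''];
    }
    return ['ok' => true, 'errors' => [], 'message' => "AGE: $age\nSTATE: $state\n"];
}

/**
 * Send the report. Recipient and subject are fixed server-side constants,
 * never taken from the request, so no submitted value can reach the headers.
 */
function sendReport(array $post): bool
{
    $result = buildMessage($post);
    if (!$result['ok']) {
        return false;                  // caller shows $result['errors'] to the user
    }
    return mail('owner@example.com', 'Form submission', $result['message']);
}

// Demonstration on two constructed submissions (not live requests): a normal
// one, and one posted directly to the processor with script in place of the
// dropdown value, as described in the thread.
$legit  = ['AGE' => '3', 'STATE' => 'NY'];
$forged = ['AGE' => '<script src=...>...</script>', 'STATE' => 'NY'];
foreach ([$legit, $forged] as $post) {
    $r = buildMessage($post);
    echo $r['ok'] ? "accepted:\n{$r['message']}" : 'rejected: ' . implode(' ', $r['errors']) . "\n";
}
```

In production, sendReport() would be called with $_POST and the errors from buildMessage() shown back on the form. The comparison against the option list is the important design choice: because the dropdown can only ever send one of seven known strings, anything else is a forged request and can be rejected outright, which is both stricter and simpler than is_numeric().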