My form is hacked
Posted: Thu Sep 28, 2006 4:19 pm
by greenpee
Hi,
I have a form and I coded Age and State as dropdowns. But someone put a long line of script into them and got into my system successfully. Does anyone have an idea how he did this? How can I block this?
Thanks,
Posted: Thu Sep 28, 2006 4:31 pm
by Maugrim_The_Reaper
Are you able to post the related code? If not a small overview of how it works would make offering advice more specific to your problem.
Posted: Thu Sep 28, 2006 4:36 pm
by greenpee
<select name="AGE">
<option value="">-- Select one --</option>
<option value="1">under 20</option>
<option value="2">20-29</option>
<option value="3">30-39</option>
<option value="4">40-49</option>
<option value="5">50-59</option>
<option value="6">60-69</option>
<option value="7">over 70</option>
</select>
Posted: Thu Sep 28, 2006 4:38 pm
by volka
The code that processes the input is much more interesting here.
Posted: Thu Sep 28, 2006 4:40 pm
by greenpee
And he put
<script src=...>...</script>
I don't want to spread his link. It is a .js file, but when I try to open it to read it, it asks me to download it.
Posted: Thu Sep 28, 2006 4:46 pm
by greenpee
the process code:
$message = $message . "AGE: $AGE";
mail($to, $subject, $message, $extra);
Posted: Thu Sep 28, 2006 4:51 pm
by mikesmith76
Any validation done on any of the data passed to mail()? Where are these variables set? If you have register_globals turned on, turn it off.
Regarding your question:
"I have a form and I coded Age and State as dropdowns. But someone put a long line of script into them and got into my system successfully."
Don't assume that because you have a dropdown on the form, the data can only be options in this dropdown. Chances are someone is submitting directly to your form processor without ever looking at your form.
Bottom line: don't blindly accept user input without validation, ever.
Posted: Thu Sep 28, 2006 5:00 pm
by greenpee
Thanks. Good point.
I recorded $HTTP_REFERER and it is the right page (my page). How can he post to my form with a different form? Do you think he built a page on his own server and posted to my form?
Posted: Thu Sep 28, 2006 5:04 pm
by mikesmith76
Could do. Plus, HTTP_REFERER is also user input; there is absolutely no requirement for it to be set at all. Also, you said $HTTP_REFERER; do you by any chance have register_globals enabled?
This may be a good read, specifically the section on form processing:
http://phpsec.org/projects/guide/
Posted: Sat Sep 30, 2006 7:49 pm
by brendandonhue
If age is supposed to be a number, use is_numeric() to make sure that's what the user has inputted.
Posted: Sun Oct 01, 2006 2:38 am
by Jeroen Oosterlaar
Bottom line is and will always be: validate all input from the outside world. If the input of a certain field should be numeric, then validate it as numeric. If it is not, return an error.
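The following is an added example, not code from the original poster or any of the replies. It puts mikesmith76's advice (read named request fields instead of relying on register_globals, never trust that a dropdown limits what arrives) and brendandonhue's and Jeroen's advice (validate the field as what it should be) into one hardened processor. It goes a step further than is_numeric(): the AGE value is accepted only if it is one of the seven option values the poster's own <select> offers, and the self-check shows why that matters, since strings such as "1e0" satisfy is_numeric() but are not valid codes. The function names, the recipient address, the subject line, the message text and the constructed test inputs are all assumptions for the illustration.

```php
<?php
// Added example (not the original poster's code). Hardened replacement for
// the form processor discussed in this thread. Assumptions: the form posts to
// this script, the recipient and subject are fixed server-side, and the valid
// AGE codes are exactly the option values 1..7 of the posted <select>.

declare(strict_types=1);

// Allowed AGE codes and their labels, copied from the poster's <select>.
const AGE_LABELS = [
    '1' => 'under 20',
    '2' => '20-29',
    '3' => '30-39',
    '4' => '40-49',
    '5' => '50-59',
    '6' => '60-69',
    '7' => 'over 70',
];

/**
 * Return the label for a submitted AGE value, or null if the value is not one
 * of the dropdown's own option values. The is_string() check rejects arrays
 * (AGE[]=1) and missing fields; array_key_exists() only matches the canonical
 * forms "1".."7", so "1e0", " 1", "01" or "1<script>" are all rejected.
 */
function validate_age($raw): ?string
{
    if (!is_string($raw) || !array_key_exists($raw, AGE_LABELS)) {
        return null;
    }
    return AGE_LABELS[$raw];
}

/**
 * Build the mail from explicitly named request fields. Nothing taken from the
 * request reaches $to, $subject or the headers, so a crafted field cannot
 * redirect the mail or inject header lines, and the body is sent as plain
 * text, so a <script> tag in a field would be inert even if it got this far.
 * Returns [$to, $subject, $message, $headers], or null to reject the request.
 */
function build_report(array $post): ?array
{
    $age = validate_age($post['AGE'] ?? null);
    if ($age === null) {
        return null;
    }
    // Fixed, server-side values. Under register_globals these variables
    // could be overwritten by a request parameter of the same name; here
    // they cannot be, because only $_POST['AGE'] is ever read.
    $to      = 'forms@example.com';                     // assumed recipient
    $subject = 'Form submission';                       // assumed subject
    $headers = "From: forms@example.com\r\n"
             . "Content-Type: text/plain; charset=UTF-8";
    $message = "AGE: {$age}\n";
    return [$to, $subject, $message, $headers];
}

if (PHP_SAPI !== 'cli') {
    // Web usage: send only when the input passed the whitelist.
    $report = build_report($_POST);
    if ($report === null) {
        http_response_code(400);
        exit('Invalid form data.');
    }
    mail(...$report);
    exit('Thanks.');
}

// CLI self-check with constructed inputs, standing in for what an attacker
// can POST directly to the processor regardless of what the page shows.
$cases = [
    ['3',                          '30-39'],   // a genuine option value
    ['<script src="..."></script>', null],     // the payload from the thread
    ['1e0',                        null],      // is_numeric() returns true here
    [' 1',                         null],      // is_numeric() returns true here
    ['8',                          null],      // numeric, but not an option
    ['',                           null],      // the "-- Select one --" value
    [['1'],                        null],      // AGE[]=1 sends an array
];
foreach ($cases as [$in, $want]) {
    if (validate_age($in) !== $want) {
        fwrite(STDERR, 'FAIL: ' . var_export($in, true) . "\n");
        exit(1);
    }
}
echo "all cases pass\n";
```

Run it from the command line (`php processor.php`) to see the self-check, or deploy it as the form's action. The dropdown only constrains what a browser user picks; any HTTP client can send whatever it likes for AGE, and HTTP_REFERER, as noted above, is chosen by that same client, so the only reliable check is the one done on the server against the values you actually accept.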