Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
Hello, I am a young web designer and a few clients have needed a contact form, I have one that I put together from a few creative commons scripts.
Now the sites that use the script are having a .tgz file show up on the server that is extracting to make a fake American Express website. My clients were contacted by a phishing agency and I immediately had my host remove the tgz file and the .americanexpress folder, which was invisible from my FTP client, from the site.
I desperately need help finding out what is uploading the tgz file and how it is extracting! Thanks so much for your help and I can't wait to become part of this community!
Here is the PHP script I have running on the sites:
First off THANK YOU for taking the time to help me out... I'm really new to PHP (I'm only 21 years old) and I cannot have my clients be labeled as phishing sites!
This is the PHP script on the other site that has had this problem; it has some AJAX functionality and more fields.
Those are the only scripts on the sites. However, my host believes it has to do with the scripts because those sites are on a server with a lot of sites that are not affected by this tgz file. What would the next step be? We have changed my FTP passwords and it happened again. Maybe my computer has a keylogger or some virus? I use Mac OS X 10.4.11 for designing my sites.
No PHP includes that I saw in those scripts... I use this on my HTML page to call the script.
I see no vulnerabilities that could lead to someone uploading and extracting a .tgz from the code you've posted. Is there any other code that you're running than what you've posted?
Talk with your web host and get the log files; maybe you can check the access log and determine which way they have breached your site. It's a bit of a hopeless task to try to figure out what's wrong if you can't find out the way they've entered.
Since all arguments of the mail() function are exploitable
In articles about email injection one usually only reads about header injection in the additional header parameter. Unfortunately, this and the previous vulnerability prove that all parameters of the mail() function are susceptible to email injection problems.
Since a regular text field in a (contact) form may usually contain almost all characters, including newlines, how do you prevent header injection in that field?
Well, I have some JavaScript validation going on, not exactly the greatest since anyone could turn that off! How would I go about adding some more validation to the fields?
Client-side validation cannot be trusted, as requests can easily be sent directly to the PHP script. Client-side validation is for user convenience only; you should implement server-side validation and filtering (i.e., in PHP).
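As an added example (not code from this thread or from any of the posters), here is what server-side filtering for a contact form that feeds mail() can look like when every mail() argument is treated as a header-injection sink, as the earlier reply points out. The recipient and the site's From address are assumed placeholders.

```php
<?php
// Added example, not code from this thread: server-side checks for a contact
// form whose fields end up as arguments of mail(). Every argument of mail()
// (to, subject, body, additional headers) can carry injected headers, so any
// value destined for a header line is rejected outright if it contains CR or LF.

function containsLineBreak(string $value): bool
{
    // A CR or LF in a header value lets extra lines such as "Bcc:" be appended.
    return preg_match('/[\r\n]/', $value) === 1;
}

// Returns a list of validation errors; an empty list means the input is usable.
function validateContactInput(array $post): array
{
    $errors = [];
    foreach (['name', 'email', 'subject'] as $field) {
        $value = is_string($post[$field] ?? null) ? $post[$field] : '';
        if (trim($value) === '' || containsLineBreak($value)) {
            $errors[] = "$field is missing or contains a line break";
        }
    }
    if (filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    // The message may contain newlines; it only ever goes into the body argument.
    if (trim((string) ($post['message'] ?? '')) === '') {
        $errors[] = 'message is empty';
    }
    return $errors;
}

// Sends the form only after validation; $recipient and the From address are
// assumed site-owned values (placeholders here), never supplied by the visitor.
function sendContactMail(array $post, string $recipient): bool
{
    if (validateContactInput($post) !== []) {
        return false;
    }
    // Subject is base64-encoded (RFC 2047) so the header stays on a single line.
    $subject = '=?UTF-8?B?' . base64_encode('[Contact form] ' . $post['subject']) . '?=';
    // Header lines are constructed here; visitor data only appears as a value
    // on a line we wrote, and has already been checked for CR/LF.
    $headers = "From: contact-form@example.invalid\r\n"
             . "Reply-To: " . $post['email'] . "\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";
    $body = 'Name: ' . $post['name'] . "\n\n" . $post['message'];
    return mail($recipient, $subject, $body, $headers);
}
```

Rejecting rather than silently stripping the line breaks also gives you something to log, which is what the reply about checking the access log is asking for.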