PHP Guru's php formmail HELP!!


kona72
04-23-2006, 07:57 PM
Ok, so I have been using the same basic PHP form page (an all-in-one type combo) on all of my sites (a lot!). I just got word from my host this afternoon that the form is being exploited to send out a bunch of spam and had to be removed. I need a fix for this; I am by no means a PHP security expert and could really use some pointers on this...

Here is the page. I really appreciate this!!!!

<?php

if(isset($Submit))
{
if($name != "" && $email != "")
{
$message = "Subject Header:


Name: $name

Last Name: $lastname

Location: $where

Phone Number: $number

Email: $email2

Subject: $subject

Your Message: $message";

$headers = "MIME-Version: 1.0\n";
$headers .= "Content-Type: text/html; charset=iso-8859-1\n";
$headers .= "From: <$email>\n";
$headers .= "Reply-To: <$email>\n";

mail("someone@somewhere.com,$email", "Subject of email", $message, $headers);


header("Location: thanks.htm");
}
else
{
$error = "y";
}
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body>
<?php

if($error == "y")
{
echo "<font color=#666666 size=2 face=Verdana, Arial, Helvetica, sans-serif>You must fill in the name and e-mail.";
exit;
}
?>




<form name="contact" action="contact.php" method="post">
<table width="409" border="0" cellspacing="0" cellpadding="0">
<tr align="left" valign="top">
<td width="113">First Name :


</td>
<td width="296"><input name="name" type="text" id="firstname2">

</td>
</tr>
<tr align="left" valign="top">
<td>Last Name:
</td>
<td width="296"><input name="lastname" type="text" id="lastname">

</td>
</tr>
<tr align="left" valign="top">
<td> Location:</td>
<td><input name="location" type="text" id="where2">
(country&amp; city)
</td>
</tr>
<tr align="left" valign="top">
<td>Phone Number:
</td>
<td><input name="number" type="text" id="number2">

</td>
</tr>
<tr align="left" valign="top">
<td>E-Mail Address:
</td>
<td> <input name="email2" type="text" id="email2">

</td>
</tr>
<tr align="left" valign="top">
<td>Subject:
</td>
<td><input name="subject" type="text" id="subject">

</td>
</tr>
<tr align="left" valign="top">
<td>Your Message: </td>
<td><textarea name="message" class="style10" id="message"></textarea>

</td>
</tr>
<tr align="left" valign="top">
<td></td>
<td></td>
</tr>
</table>
<blockquote>
<p align="left" class="style3">

<input name="Submit" type="submit" id="Submit" value="Send" />
<input type="reset" name="Submit2" value="Reset">
</p>
</blockquote>
</form>
</body>
</html>

domedia
04-23-2006, 08:49 PM
I just got word from my host this afternoon that the form is being exploited to send out a bunch of spam and had to be removed. I need a fix for this, i am by no means a php security expert and could really use some pointers on this...

What was exploited on the form? No fix unless you can say what needs fixing ;)

kona72
04-23-2006, 08:59 PM
Not sure yet. I emailed my host and asked, but they haven't responded; I will let you know when they do. Can you see any 'glaring' security flaws as is?

davidj
04-24-2006, 12:20 PM
What is this email script used for?

Is it a contact script where the TO address is always the same?

kona72
04-24-2006, 01:30 PM
The 'To' address is always the same, but I also have it sending a copy to the '$email2' sender as well.

davidj
04-24-2006, 01:33 PM
Can't find '$email2' in your script.

Please post your script.

kona72
04-24-2006, 02:02 PM
This is the portion of the script that does the 'work':

<?php

if(isset($Submit))
{
if($name != "" && $email != "")
{
$message = "Subject Header:


Name: $name

Last Name: $lastname

Location: $where

Phone Number: $number

Email: $email2

Subject: $subject

Your Message: $message";

$headers = "MIME-Version: 1.0\n";
$headers .= "Content-Type: text/html; charset=iso-8859-1\n";
$headers .= "From: <$email>\n";
$headers .= "Reply-To: <$email>\n";

mail("someone@somewhere.com,$email2", "Subject of email", $message, $headers);


header("Location: thanks.htm");
}
else
{
$error = "y";
}
}
?>

davidj
04-24-2006, 03:32 PM
OK.

Found this below...
Try this as an include after the if(isset($Submit)) {
Read the comments...
This script requires your html form to use action="post". Make sure this is only used on the script that the html form will be posted to. If you use this script on a regular page request, it will die().


<?php
// logBadRequest() is called below but was not part of the snippet as
// found; this minimal stand-in writes the rejection to the web server's
// error log so the rejected requests can be reviewed later.
function logBadRequest(){
    error_log("formmail: rejected request from " . $_SERVER['REMOTE_ADDR']);
}

// First, make sure the form was posted from a browser.
// For basic web-forms, we don't care about anything
// other than requests from a browser:
if(!isset($_SERVER['HTTP_USER_AGENT'])){
    die("Forbidden - You are not authorized to view this page");
}

// Make sure the form was indeed POST'ed:
// (requires your html form to use: method="post")
// The snippet as found wrote "!$_SERVER['REQUEST_METHOD'] == 'POST'", which
// negates the string first and then compares, so the check never fired.
if($_SERVER['REQUEST_METHOD'] !== "POST"){
    die("Forbidden - You are not authorized to view this page");
}

// Host names from where the form is authorized
// to be posted from:
$authHosts = array("domain.com", "domain2.com", "domain3.com");

// Where have we been posted from? The Referer header is optional, so a
// missing one must not produce a notice; it simply fails the host test.
$referer   = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$fromArray = parse_url(strtolower($referer));
$fromHost  = (is_array($fromArray) && isset($fromArray['host'])) ? $fromArray['host'] : '';

// Test to see if the referring host used www to get here.
$wwwUsed = strpos($fromHost, "www.");

// Make sure the form was posted from an approved host name.
if(!in_array(($wwwUsed === false ? $fromHost : substr(stristr($fromHost, '.'), 1)), $authHosts)){
    logBadRequest();
    header("HTTP/1.0 403 Forbidden");
    exit;
}

// Attempt to defend against header injections:
$badStrings = array("Content-Type:",
    "MIME-Version:",
    "Content-Transfer-Encoding:",
    "bcc:",
    "cc:");

// Loop through each POST'ed value and test if it contains
// one of the $badStrings. Header names are case-insensitive, so the
// match must be too (stripos rather than strpos); non-string values
// (e.g. checkbox arrays) are skipped rather than passed to stripos.
foreach($_POST as $k => $v){
    if(!is_string($v)){
        continue;
    }
    foreach($badStrings as $v2){
        if(stripos($v, $v2) !== false){
            logBadRequest();
            header("HTTP/1.0 403 Forbidden");
            exit;
        }
    }
}

// Made it past spammer test, free up some memory
// and continue rest of script:
unset($k, $v, $v2, $badStrings, $authHosts, $fromArray, $fromHost, $referer, $wwwUsed);
?>
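The include above filters for known header names but leaves the two weaknesses visible in the posted handler in place: the From:/Reply-To: headers are built straight from the visitor's address (a single line break in that field lets the sender append headers of their own), and the visitor's address is appended to the mail() recipient list, so the form delivers to whatever address is submitted. The following is an added example written for this thread, not code from the original post or from the script davidj found. It is a rewrite of the handler that reads fields explicitly from $_POST (no register_globals), rejects any header-bound value containing CR, LF or NUL, validates the address with filter_var (assumes PHP 5.2 or later), keeps the recipient list fixed, and puts the site's own address in From:. SITE_RECIPIENT and SITE_SENDER are placeholders to replace with your own addresses; the field names match the form in the first post.

```php
<?php
// Added example, not the thread's own code. Placeholder addresses:
define('SITE_RECIPIENT', 'webmaster@example.com'); // fixed destination mailbox
define('SITE_SENDER',    'formmail@example.com');  // an address on your own domain

// Reject anything that could break out of a header line. A bare CR or LF
// inside From:, Reply-To: or Subject: is what turns a form into a relay.
function header_safe($value, $maxlen = 200)
{
    if (!is_string($value) || preg_match('/[\r\n\0]/', $value)) {
        return false;
    }
    $value = trim($value);
    return (strlen($value) <= $maxlen) ? $value : false;
}

// Strict address check for the one place a visitor value reaches a header.
function valid_email($value)
{
    $value = header_safe($value, 254);
    if ($value === false) {
        return false;
    }
    return (filter_var($value, FILTER_VALIDATE_EMAIL) !== false) ? $value : false;
}

// Body-only fields: anything non-string is dropped, length is capped.
function body_text(array $post, $key, $maxlen = 500)
{
    if (!isset($post[$key]) || !is_string($post[$key])) {
        return '';
    }
    return substr($post[$key], 0, $maxlen);
}

// Builds the message from an explicit field array ($_POST in production).
// Returns array(to, subject, body, headers) on success, or the name of the
// rejected field, so the logic can be exercised without calling mail().
function build_contact_mail(array $post)
{
    $name    = header_safe(isset($post['name']) ? $post['name'] : '');
    $email   = valid_email(isset($post['email2']) ? $post['email2'] : '');
    $subject = header_safe(isset($post['subject']) ? $post['subject'] : '', 100);
    $message = body_text($post, 'message', 5000);

    if ($name === false || $name === '') { return 'name'; }
    if ($email === false)                { return 'email'; }
    if ($subject === false)              { return 'subject'; }

    // Every other field goes into the body only, never into a header.
    $lines = array(
        'Name: '      . $name,
        'Last Name: ' . body_text($post, 'lastname'),
        'Location: '  . body_text($post, 'location'),
        'Phone: '     . body_text($post, 'number'),
        'Email: '     . $email,
        'Subject: '   . $subject,
        '',
        $message,
    );

    // From: is our own domain; the visitor's address is only Reply-To:.
    // The recipient list is fixed, so the form cannot be used to deliver
    // mail to an address chosen by the sender.
    $headers  = "From: <" . SITE_SENDER . ">\r\n";
    $headers .= "Reply-To: <" . $email . ">\r\n";
    $headers .= "Content-Type: text/plain; charset=iso-8859-1\r\n";

    return array(
        'to'      => SITE_RECIPIENT,
        'subject' => 'Website contact: ' . $subject,
        'body'    => implode("\n", $lines),
        'headers' => $headers,
    );
}

// Handler: runs only for a real POST of the form, reading $_POST directly.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['Submit'])) {
    $mail = build_contact_mail($_POST);
    if (is_string($mail)) {
        $error = 'y'; // the page template shows the "fill in name and e-mail" message
    } else {
        mail($mail['to'], $mail['subject'], $mail['body'], $mail['headers']);
        header('Location: thanks.htm');
        exit;
    }
}
?>
```

Because build_contact_mail() never calls mail() itself, it can be fed a crafted field array in a test script to confirm that a value such as "a@b.com\nBcc: x@y.com" is reported as a rejected 'email' field, and that a clean submission yields a single fixed recipient and a From: header on your own domain.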