Hello.

Due to my recent receipt of a suspicious e-mail which apparently originated from my domain / web server, and the subsequent suspension of my account by my hosting provider because of reports he received from users complaining about that SPAM, I immediately suspected that someone had exploited a vulnerability in the security of one of my apps and used Cross Site Scripting to send SPAM with a spoofing attack.

Feeling fairly confident in the most up-to-date versions of apps such as phpBB2, WordPress, Nucleus (questioned that one, lacking experience), Joomla, and others, I didn't look there first, but looked instead at my own forms. A check of those DBs revealed no malicious code, or even any entries other than the legitimate DB row entries, but I had more to go, having by now several DBs, forms, etc. on this six-month-old server account.

Having already informed my provider of the issue, and that I was not responsible for the SPAM, he reactivated the account, requesting that I resolve the issue ASAP. I forwarded him the headers from the SPAM and asked for his assistance in locating the problem. While I was investigating those DBs, my provider contacted me, indicating that the problem was in my "contact us" form, which uses the following code residing on two separate pages:

<?php
// page 1: the contact form itself. Nothing here is a problem; it only
// determines which field names arrive in $_POST on page 2.
print "
    <form method=\"post\" action=\"thanks.php\">
    <p>your e-mail:<br />
    <input type=\"text\" name=\"email\" size=\"40\" /></p>
    <p>message subject:<br />
    <input type=\"text\" name=\"subject\" size=\"40\" /></p>
    <p>message body:<br />
    <textarea name=\"message\" cols=\"50\" rows=\"10\"></textarea></p>
    <p><input type=\"hidden\" name=\"op\" value=\"send\" /></p>
    <p><input type=\"submit\" name=\"submit\" value=\"Send It\" /></p>
    </form>";
?>

<?php
// page 2 (thanks.php): the handler, as it was running when the spam went out.
// Every field is taken straight from the POST body with no validation.
$subject = $_POST['subject'];
$message = $_POST['message'];
$email   = $_POST['email'];
$to      = 'name@domain.com';

// $email is placed directly into the header block passed to mail().
// A value containing a CR/LF ends the From: line, and whatever follows it
// (Bcc:, Cc:, a second Subject:, ...) is delivered as extra headers.
$headers = "From: $email";
mail($to, $subject, $message, $headers);
?>

Now that I have more experience, I realize that there's potential for exploitation here, but I'm unsure of the best approach to making this a secure mail() form. In other words, which variable I might want to use addslashes(), htmlspecialchars(), etc. on, because I'm unsure of how a form like this is typically violated.

I appreciate any advice you have regarding this issue. Thanks!

NOTE to mods: I was looking for a "security" category when I was trying to decide where to post this topic. I wonder if anyone else would agree that a "Security" category might be of benefit to everyone.

    The most important thing is to set the maximum size for input. For example, if you set the max size of their first name to 25 chars there should be plenty of space for a name but not enough to run a script. You can also use functions like strip_tags($str), which will strip both HTML and PHP tags from a string.

      Hey, thanks! That's good advice, especially the max-size thing... I doubt I'd find that in any tutorial. Maybe, but doubtful.
      😉

      Should I feel confident then that this was most likely how the SPAM was sent to appear as if it came from my domain? I'm just trying to get peace of mind, and also to avoid doing more "newbie boobees" in the future.

      This is the abuse header shown in my Gmail source (as a recipient of the mail):

      X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
      X-AntiAbuse: Primary Hostname - dns.myhostingprovider.com
      X-AntiAbuse: Original Domain - gmail.com
      X-AntiAbuse: Originator/Caller UID/GID - [99 501] / [47 12]
      X-AntiAbuse: Sender Address Domain - dns.myhostingprovider.com
      X-Source:
      X-Source-Args: /usr/local/apache/bin/httpd -DSSL
      X-Source-Dir: adesigninteractive.com:/public_html

      Edit: I assume that I received these because my address is part of the headers (of my PHP form)?

        (Sorry for the double reply here, but...)

        Isn't there a technique which uses regular expressions to check for a valid e-mail (valid whatever)? Would anyone happen to have a URL for a good resource for learning how to use RegEx for checking forms? (I'll Google this, of course... something I've been meaning to research, among so many other things; you know how it can be, so much to do, so little time! Ugh!)

        On the same topic, what about the issue of Web Standards and Accessibility? Shouldn't we avoid JavaScript as much as possible to maintain the most globally accessible code? Is there an alternative, or maybe a better way to put it would be a "happy medium"?
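Answering the original question (which variable gets exploited, and how) and the later one about validating the e-mail field: the following is an added example, not code from the original post, the hosting provider, or any of the replies. What a spammer abuses in this form is not script in the message body but the `email` field, which page 2 drops straight into the `From:` header; a value containing a carriage return / line feed terminates that header and everything after it is delivered as additional headers (`Bcc:` lists, a replacement `Subject:`), so a 40-character size cap or strip_tags() does not close the hole. Function names, the `contact@domain.com` sender mailbox and the constructed spam input below are this example's own assumptions.

```php
<?php
// Added example, not code from the original post or the hosting provider.
// Shows (1) how the posted handler's "From: $email" line is abused by
// CRLF header injection and (2) a hardened replacement for page 2.
// Function names and the site mailbox are this example's own choices.

declare(strict_types=1);

// Exactly what page 2 does today: the POSTed address becomes a raw header line.
function vulnerable_headers(string $email): string
{
    return "From: $email";
}

// Return the address if it is a single well-formed mailbox, else null.
// CR, LF and NUL are the injection vector: a CRLF ends the From: line and
// whatever follows is parsed by the MTA as further headers (Bcc:, Cc:, ...).
function validate_sender(string $email): ?string
{
    $email = trim($email);
    if ($email === '' || strlen($email) > 254) {       // longer than any valid address
        return null;
    }
    if (preg_match('/[\r\n\0]/', $email) === 1) {
        return null;
    }
    $valid = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Subject is also a header line; apply the same CR/LF rule plus a length cap.
function validate_subject(string $subject): ?string
{
    $subject = trim($subject);
    if ($subject === '' || strlen($subject) > 200 || preg_match('/[\r\n\0]/', $subject) === 1) {
        return null;
    }
    return $subject;
}

// Hardened page 2. From: is always the site's own mailbox, so the message
// is never "from" an address the site does not control; the visitor's
// address goes only into Reply-To:, after validation. Returns the mail()
// arguments, or null when the request must be rejected.
function build_safe_mail(array $post, string $to, string $siteFrom): ?array
{
    $email   = validate_sender((string) ($post['email'] ?? ''));
    $subject = validate_subject((string) ($post['subject'] ?? ''));
    $message = trim((string) ($post['message'] ?? ''));
    if ($email === null || $subject === null || $message === '' || strlen($message) > 5000) {
        return null;
    }
    $headers = [
        "From: $siteFrom",
        "Reply-To: $email",
        'Content-Type: text/plain; charset=UTF-8',
    ];
    return [
        'to'      => $to,
        'subject' => $subject,
        'body'    => wordwrap($message, 70, "\n", true),
        'headers' => implode("\r\n", $headers),
    ];
}

// ---- Demonstration with constructed input; nothing is actually sent. ----

// The shape of a spam run against the original form: one "address" that
// carries its own Bcc: list and a replacement Subject: line.
$injected = "nobody@example.com\r\nBcc: victim1@example.net, victim2@example.net\r\nSubject: Buy now";

echo "Header block the original handler would pass to mail():\n";
echo vulnerable_headers($injected), "\n\n";   // Bcc: and Subject: now stand as their own header lines

echo "validate_sender on the injected value: ";
var_dump(validate_sender($injected));

echo "validate_sender on a normal address: ";
var_dump(validate_sender('visitor@example.com'));

$mail = build_safe_mail(
    ['email' => 'visitor@example.com', 'subject' => 'Question', 'message' => 'Hello'],
    'name@domain.com',      // recipient, as in the original page 2
    'contact@domain.com'    // assumed: a mailbox the site itself owns
);
echo "\nHardened headers:\n", $mail['headers'], "\n";
// In the real thanks.php: if ($mail === null) show an error, otherwise
// mail($mail['to'], $mail['subject'], $mail['body'], $mail['headers']);
```

Run it with `php` from the command line to see the two header blocks side by side. Two design points: the rejection is on the bare CR/LF/NUL characters rather than on a pattern of "bad" header names, so a new header the attacker thinks of is blocked the same way, and `From:` is pinned to the site's own mailbox because an MTA, SPF or DMARC check on the receiving side judges the message by that address, not by `Reply-To:`. Current PHP releases refuse to send when the additional-headers string contains malformed or repeated newlines, but that is a last line of defence inside mail(), not a substitute for validating the field before it gets there.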
