Hello! I have very little experience in script writing and my site was hacked recently. I performed a website audit and the result was that I had a vulnerability. They said I should filter metacharacters from user input, but honestly I don't know how to do that.
They also mentioned that the problem was with the POST variable redirect.

Can someone please help me? This is part of the php script:

$template = new Template("templates/subscription_done");
$template->set_file("tpl_subscription_done", "subscription_done.tpl");
// $redirect comes straight from the POST request (register_globals style) and is never validated
if (isset($redirect) && trim($redirect) <> "") {
    $redirect = trim($redirect);
    // prepend a scheme if the value does not already start with http:// or https://
    if (!eregi("https?://", $redirect)) $redirect = "http://$redirect";
    // the raw value is placed inside HTML attributes without escaping
    $template->set_var("REDIRECT","<meta HTTP-EQUIV=\"REFRESH\" CONTENT=\"60; URL=$redirect\">");
    $template->set_var("CONTINUE","<a href=\"$redirect\">Click here to continue</a>");
}

Thank you!!!

    Why is the redirect url sent as post data and not just hard coded?

    Also, you are using deprecated features:
    1. ereg
    2. meta refresh
    3. (possibly) auto register globals
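A hardened version of the snippet from the question, written as an added example rather than the autoresponder's own code or the poster's: it reads the value explicitly from $_POST, validates it with preg_match/filter_var instead of eregi, restricts the redirect to an allowlist of your own hosts (the $allowed_hosts values are placeholders), and escapes the value before it is placed in HTML attributes. It assumes the same Template class and set_var() method shown above.

```php
<?php
// Added example (not the original autoresponder's code): a hardened version of the
// redirect handling shown in the question. It assumes the same Template class with
// set_var(), and an allowlist of hosts you control ($allowed_hosts is a placeholder).

$allowed_hosts = ['www.example.com', 'example.com']; // placeholder: your own domains

/**
 * Return a safe absolute URL to redirect to, or null if the input is not acceptable.
 */
function safe_redirect_url(?string $input, array $allowed_hosts): ?string
{
    if ($input === null) {
        return null;
    }
    $url = trim($input);
    if ($url === '') {
        return null;
    }
    // Add a scheme if missing (preg_match replaces the deprecated eregi()).
    if (!preg_match('#^https?://#i', $url)) {
        $url = 'http://' . $url;
    }
    // Reject anything that is not a syntactically valid URL, or that contains
    // characters that could break out of an HTML attribute or an HTTP header.
    if (filter_var($url, FILTER_VALIDATE_URL) === false || preg_match('/[\s"\'<>]/', $url)) {
        return null;
    }
    $parts  = parse_url($url);
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = strtolower($parts['host'] ?? '');
    // Only plain http/https, and only to hosts on the allowlist (no open redirect).
    if (!in_array($scheme, ['http', 'https'], true) || !in_array($host, $allowed_hosts, true)) {
        return null;
    }
    return $url;
}

// Read the value explicitly from POST instead of relying on register_globals.
$redirect = safe_redirect_url($_POST['redirect'] ?? null, $allowed_hosts);
$template = new Template("templates/subscription_done");
$template->set_file("tpl_subscription_done", "subscription_done.tpl");
if ($redirect !== null) {
    // Escape before placing the value inside HTML attributes.
    $safe = htmlspecialchars($redirect, ENT_QUOTES, 'UTF-8');
    $template->set_var("REDIRECT", "<meta http-equiv=\"refresh\" content=\"60; URL=$safe\">");
    $template->set_var("CONTINUE", "<a href=\"$safe\">Click here to continue</a>");
}
```

If the redirect target is always the same page, hard-coding it in the script (as the reply above suggests) removes the need to accept it from the request at all.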

      Thank you for answering, johanafm

      This script belongs to an autoresponder I bought several months ago. I haven't changed anything in it, but apparently I need to improve its security.

      If you could walk me through the process of what I have to change, I would be very much obliged. The problem is I don't know much about PHP or JavaScript, so your answer is a bit too advanced for me.

      Could you please be so kind as to help me?

        aloguerro;10934646 wrote:

        This script belongs to an autoresponder I bought several months ago.

        Contacting the vendor is your best option.