PHP Email Script Compromised...


Dave Chakrabarti
11-18-2005, 11:19 PM
Hi DBMasters, et al.,

I was hoping someone could comment on this. DBM and others suggested hard-coding my recipient email address into my php script as a measure to secure my forms, so I did so...I recently had an account suspended at HostPC while Joe investigated possible spam coming from my account.

Joe's initial take on this is that my email form was compromised, and used to target AOL and Hotmail users with spam.

Here's the script I used:

<?php
$ToName = "Dave";
$ToEmail = "xxxxxx";
$ToSubject = "xxxxxx";

$EmailBody = "Sent By: $SenderName\nFrom: $SenderEmail\nMessage Sent:\n$Email\n";

$EmailFooter="\nThis message was sent from: $SenderEmail from $REMOTE_ADDR";

$Message = $EmailBody.$EmailFooter;

mail($ToName." <".$ToEmail.">",$ToSubject, $Message, "From: ".$SenderName." <".$SenderEmail.">");

?>


Is it possible that this was simply another example of someone spoofing my domain onto their spam? This happened to me in incredible volumes a couple of years ago (300mb of bounces every two days).

All comments appreciated,

Dave.

Joe
11-18-2005, 11:28 PM
I've posted full headers and logs in your helpdesk ticket which clearly show it was using your form - a compromise. You weren't alone, there were _many_ disabled on that day.

dbmasters
11-18-2005, 11:43 PM
If that was your entire script, it would be INCREDIBLY easy to compromise.

Sender name and email are both put into the header, neither were validated in any way looking for illegal characters...so they put extra info into those fields to fake Bcc and Cc headers, easy as heck. Subject and To info could be injected as well...

Older versions of many scripts, my own included, are subject to this type of injection, as it's recently reached popularity of use. That is why it is very important to always keep your scripts updated to the most recent versions available...or, if you make your own, to study the use of these functions including possible vulnerabilities.
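
[Added example, not part of the original thread and not dbMasters' Formmailer code.] A hardened variant of the form handler above: it rejects CR/LF in any value that reaches a mail header and keeps the visitor's address out of From. The POST field names come from the posted script; the function names, the recipient and form@example.com are assumptions.

```php
<?php
// True only if the value cannot start a new header line.
function header_safe(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 0;
}

// Returns [headers, body], or null when the submission must be rejected.
function build_contact_mail(array $post, string $remoteAddr): ?array
{
    // Read fields explicitly instead of relying on register_globals.
    $get = fn(string $k): string => is_string($post[$k] ?? null) ? $post[$k] : '';
    $name  = $get('SenderName');
    $email = $get('SenderEmail');
    $text  = $get('Email');

    // CR/LF in a header-bound field is how extra Cc/Bcc lines get in.
    if (!header_safe($name) || !header_safe($email)) {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Conservative ASCII allow-list, so the display name can be quoted safely.
    $name = trim(preg_replace("/[^A-Za-z0-9 .'-]/", '', $name));

    // From is a fixed site address (assumed); the visitor goes in Reply-To.
    $headers = "From: Contact Form <form@example.com>\r\n"
             . "Reply-To: \"$name\" <$email>";
    $body = "Sent By: $name\nFrom: $email\nMessage Sent:\n$text\n"
          . "\nThis message was sent from: $email from $remoteAddr";
    return [$headers, $body];
}

// In the real handler (recipient and subject stay hard-coded):
//   $m = build_contact_mail($_POST, $_SERVER['REMOTE_ADDR']);
//   if ($m !== null) { mail('recipient@example.com', 'Contact form', $m[1], $m[0]); }

// Constructed sample submissions, not taken from the helpdesk logs.
$clean    = ['SenderName' => 'Ann Lee', 'SenderEmail' => 'ann@example.org',
             'Email' => 'Hello'];
$injected = ['SenderName' => 'x', 'Email' => 'Hi',
             'SenderEmail' => "x@example.org\r\nBcc: y@example.org"];

foreach (['clean' => $clean, 'injected' => $injected] as $label => $post) {
    $result = build_contact_mail($post, '192.0.2.10');
    echo $label, ': ', $result === null ? 'rejected' : 'accepted', "\n";
}
```

The message body needs no CR/LF filtering because it is passed as mail()'s third argument and never becomes part of the header block.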

Dave Chakrabarti
11-21-2005, 12:48 PM

Thanks Joe, DBMasters,

Crappity crap crap...seems like php might not have been the easiest thing to start learning, if my trial processes are so vulnerable. I'm definitely going to read up more on email form security issues.

Could you recommend a more secure email form script? DBM, do you have a current one I could use / borrow / learn from?

Are the email capabilities (forms) built in to Drupal more secure? We're running / setting up several Drupal installs, and were planning to use the built-in form scripts for contact forms.

Thanks,

Dave.

dbmasters
11-21-2005, 06:57 PM
PHP, ASP, JSP, whatever, it doesn't matter. There is a learning curve to everything. It's not that PHP was the wrong thing to start learning with; it's concepts that you need to learn regardless of language.

thevillageinn
11-21-2005, 10:28 PM
Dave - though there is no longer a link at the top of the page to dbMasters' Formmailer, it was and probably still is the only e-mail form processor recommended by HostPC.

Check it out at http://scripts.dbmasters.net