|
Posted by Dan on 01/10/06 09:24
I had a php script running under Apache web server on a Debian Linux
box. The script used a form to send me email using the 'mail'
routine. Somehow a spammer managed to hijack the script to send spam.
My first question I have, is how did he do it? I've included the
script below.
My second question is, how do I set up an -unhackable form and how do
I test that it's safe? I don't want to have the email address on the
web page.
(Sorry about the way that my news reader has formatted this.)
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<title>Contact Ilsa Sharp</title>
</head>
<body bgcolor="#666633" text="#FFFFFF" link="#FFFFFF" vlink="#FFFFFF"
alink="#FFFFFF" topmargin="10" leftmargin="10" marginwidth="0"
marginheight="0">
<?php
$state = $_REQUEST['state'];
if ($state == "") // First entry, state not yet defined.
{
?>
<p> </p>
<!-- Form for sender's email address and messge. -->
<form method="POST" action="<?php echo($PHP_SELF)?>" >
<p><font face="Arial" size="3"><b>Your Email Address:</b></font></p>
<p><font face="Arial" size="3"><b>
<input type="text" name="fromText" size="40" maxlength="40">
</b></font></p>
<p><font face="Arial" size="3"><b>Message Text:</b></font></p>
<p><font face="Arial" size="3"><b>
<textarea name="msgText" cols="40" rows="10"></textarea>
</b></font></p>
<p><font face="Arial" size="3"><b>
<input type="hidden" name="state" value="1"> <!-- Change the state
for the next entry to this script. -->
<input type="submit" value="Send" name="send" style="font-family:
Arial; font-size: 12pt; font-weight: bold">
</b></font></p>
<p> </p>
</form>
<?php
}
else // Second entry to this script, send email based on what was
in the form.
{
$fromText = $_REQUEST['fromText'];
$msgText = $_REQUEST['msgText'];
mail( "some address@some domain.com", "Message",
$msgText, "From: $fromText <$fromText>\n" );
?>
<p> </p>
<p> </p>
<p align="center">Your message was successfully
sent.</p>
<h2 align="center"><a href="index.html">Home</a></h2>
<?php
}
?>
</body>
</html>
Navigation:
[Reply to this message]
|