|
Posted by J.O. Aho on 01/10/06 11:42
Dan wrote:
>
> I had a php script running under Apache web server on a Debian Linux
> box. The script used a form to send me email using the 'mail'
> routine. Somehow a spammer managed to hijack the script to send spam.
>
> My first question I have, is how did he do it? I've included the
> script below.
> <?php
> }
> else // Second entry to this script, send email based on what was
> in the form.
> {
> $fromText = $_REQUEST['fromText'];
> $msgText = $_REQUEST['msgText'];
> mail( "some address@some domain.com", "Message",
> $msgText, "From: $fromText <$fromText>\n" );
> ?>
The problem is the $fromText, as the spammer can add Cc: and Bcc: to it and
get your script to send the spam to other people than you wanted it to be sent to.
http://www.php.net/manual/en/function.mail.php
> My second question is, how do I set up an -unhackable form and how do
> I test that it's safe? I don't want to have the email address on the
> web page.
You could remove the Cc: and Bcc:, here is a small example how you could do it
$fromText=ereg_replace("Bcc:","",$fromText);
An eregi_replace may be a better function to use.
http://www.php.net/manual/en/function.ereg-replace.php
http://www.php.net/manual/en/function.eregi-replace.php
//Aho
Navigation:
[Reply to this message]
|