Reply to Re: php form problem

Posted by Zoe Brown on 09/08/05 16:53

"Neil McDermott" <neil.mcdermott@easiserv.com> wrote in message
news:dfpd9c$2cv$1@nwrdmz02.dmz.ncs.ea.ibs-infra.bt.com...
> Hello,
>
> I hope someone can help.
>
> I use a php form to process contact forms on my web sites. Recently I have
> been receiving lots of strange data coming through the contact forms like
> this :
>
> NB. mysite = the actual site that the contact form is on.
>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>
> From: qsukgmtfqg@mysiteco.uk add to address book
> Return-Path: mysite.co.uk@hosts.co.uk add to blacklist add to whitelist
> Delivery-Date: Thursday, September 8, 2005 2:57 AM
> To: mark@mysite.co.uk
> Subject: Information request
>
> show headers | download source | printable view | back to folder | next
> message Spam score: 0
>
>
> Name : qsukgmtfqg@mysite.co.uk
>
>
>
> Phone : qsukgmtfqg@mysiteco.uk
>
>
>
> Email : qsukgmtfqg@mysiteco.uk
>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>
> It spoofs the address of the site that the contact form is on. This has
> happened across every site that the form is on so I am guessing there is
> a vulnerability in the script below. Can anyone help please?
>
>
> php Contact script used >>>>>>>>>>>>>>>>>>>>>>>>>>>>
>
>
> <?
> $name=$_POST['name'];
> $phone=$_POST['phone'];
> $email=$_POST['email'];
> $query=$_POST['query'];
> $to="enquiries@mysite.co.uk";
> $from="$email";
> $message="Customer Name : $name\n\n
> Phone : $phone\n\n
> Email Address : $email\n\n
> Query : $query\n";
> if (mail($to, "Customer Information", "$message\n", "From: $from"))
> {$URL="http://www.mysite..co.uk/thankyou.php";header ("Location: $URL");
> } else {
> echo "There was a problem sending the mail. Please check that you filled
> in the form correctly.";
> }
> ?>

Sounds like you need to add some validation to prevent this. You can check
the form fields either on the client side or server side and if they are
garbage then reject and do not send the form.
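
One way to do the server-side check suggested in the reply, shown as an added example that is not part of the original thread. The field names come from the quoted script; the function name `validate_contact`, the length limits, the phone pattern and the sample submissions are assumptions made for illustration.

```php
<?php
// Added example, not the poster's code. Field names match the quoted script;
// the function name, length limits and phone pattern are assumptions.
function validate_contact(array $post): array
{
    $clean = $errors = [];
    foreach (['name', 'phone', 'email', 'query'] as $field) {
        $value = $post[$field] ?? '';
        if (!is_string($value)) {            // name[]=x arrives as an array
            $errors[$field] = 'not a string';
            $value = '';
        }
        $clean[$field] = trim($value);
    }
    // Single-line fields: the quoted script places $email in "From: $from",
    // and a CR or LF inside a header value would begin a new header line.
    foreach (['name', 'phone', 'email'] as $field) {
        if (preg_match('/[\r\n]/', $clean[$field])) {
            $errors[$field] = 'line break not allowed';
        }
    }
    if ($clean['name'] === '' || strlen($clean['name']) > 100 || strpos($clean['name'], '@') !== false) {
        $errors['name'] ??= 'not a plausible name';
    }
    if (!preg_match('/^\+?[0-9 ()-]{6,20}$/', $clean['phone'])) {
        $errors['phone'] ??= 'not a phone number';
    }
    if (filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] ??= 'not an email address';
    }
    if ($clean['query'] === '' || strlen($clean['query']) > 5000) {
        $errors['query'] ??= 'query missing or too long';
    }
    return [$clean, $errors];
}
// Constructed sample submissions (not real traffic).
$samples = [
    'like the post' => ['name' => 'qsukgmtfqg@mysite.co.uk', 'phone' => 'qsukgmtfqg@mysiteco.uk',
                        'email' => 'qsukgmtfqg@mysiteco.uk', 'query' => ''],
    'line break'    => ['name' => 'A', 'phone' => '01234 567890',
                        'email' => "a@example.com\r\nX-Test: 1", 'query' => 'Hi'],
    'genuine'       => ['name' => 'Jane Doe', 'phone' => '+44 1234 567890',
                        'email' => 'jane@example.com', 'query' => 'Please send a brochure.'],
];
foreach ($samples as $label => $post) {
    [, $errors] = validate_contact($post);
    echo $label, ': ', $errors ? 'rejected (' . implode(', ', array_keys($errors)) . ')' : 'accepted', "\n";
}
```

The contact script would call `mail()` only when the returned error list is empty. A client-side check can be skipped by posting straight to the script, so the server-side result is the one that decides.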
