Posted by Tyrone Slothrop on 09/08/05 16:52
On Thu, 8 Sep 2005 13:11:11 +0000 (UTC), "Neil McDermott"
<neil.mcdermott@easiserv.com> wrote:
>Hello,
>
>I hope someone can help.
>
>I use a php form to process contact forms on my web sites. Recently I have
>been receiving lots of strange data coming through the contact forms like
>this :
>
>NB. mysite = the actual site that the contact form is on.
>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>
>From: qsukgmtfqg@mysiteco.uk add to address book
>Return-Path: mysite.co.uk@hosts.co.uk add to blacklist add to whitelist
>Delivery-Date: Thursday, September 8, 2005 2:57 AM
>To: mark@mysite.co.uk
>Subject: Information request
>
>show headers | download source | printable view | back to folder | next
>message Spam score: 0
>
>
>Name : qsukgmtfqg@mysite.co.uk
>
>
>
>Phone : qsukgmtfqg@mysiteco.uk
>
>
>
>Email : qsukgmtfqg@mysiteco.uk
>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>
>It spoofs the address of the site that the contact form is on. This has
>happened across every site that the form is on so I am guessing there is a
>vulnerability in the script below. Can anyone help please?
>
>
>php Contact script used >>>>>>>>>>>>>>>>>>>>>>>>>>>>
>
>
><?php
>// Form fields are taken from the POST request without any validation.
>$name=$_POST['name'];
>$phone=$_POST['phone'];
>$email=$_POST['email'];
>$query=$_POST['query'];
>$to="enquiries@mysite.co.uk";
>// The visitor-supplied address is placed verbatim into the From header.
>$from="$email";
>$message="Customer Name : $name\n\n
>Phone : $phone\n\n
>Email Address : $email\n\n
>Query : $query\n";
>if (mail($to, "Customer Information", "$message\n", "From: $from"))
>{$URL="http://www.mysite.co.uk/thankyou.php";header ("Location: $URL");
>} else {
>echo "There was a problem sending the mail. Please check that you filled in
>the form correctly.";
>}
>?>
>
>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>
>Any help would be greatly appreciated. I am no php expert, I simply
>adjusted a form I found on a php tutorial site.
>
>Thank you in advance,
>
>Neil
You can do something fairly simple to make sure the form is submitted
from the site where it resides:
if (!strstr($_SERVER['HTTP_REFERER'], 'mysite.co.uk')) {
exit ("Invalid referrer");
}
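The script quoted above passes the visitor's `email` field straight into the `From:` header of `mail()`. Mail headers are separated by line breaks, so any value containing a carriage return or newline is interpreted by the mail transport as additional headers, which is how a form can be made to send mail that appears to come from the site's own domain. A Referer check as suggested in the reply raises the bar a little, but the Referer header is set by the client and is omitted by some browsers and proxies, so it is not a reliable control on its own. Below is an added example of a hardened version of the handler; it is not Neil's script or code from the thread. The field names and addresses are assumptions taken from the thread, and it assumes PHP 7.1 or later.

```php
<?php
// Added example: hardened contact-form handler (not the original script).
// Field names, addresses and the thank-you URL are assumptions from the thread.

// True if the value could terminate the current header and start a new one.
function has_header_injection(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Return a single syntactically valid address, or null if the value is unusable.
function clean_email(string $value): ?string
{
    $value = trim($value);
    if (has_header_injection($value)) {
        return null;
    }
    $valid = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

$name  = $_POST['name']  ?? '';
$phone = $_POST['phone'] ?? '';
$email = $_POST['email'] ?? '';
$query = $_POST['query'] ?? '';

// Reject the request outright rather than trying to repair a bad value.
$fromAddress = clean_email($email);
if ($fromAddress === null || has_header_injection($name) || has_header_injection($phone)) {
    http_response_code(400);
    exit('Invalid form input.');
}

$to = 'enquiries@mysite.co.uk'; // assumed destination, as in the thread

// Use a fixed From address on our own domain and put the visitor's address in
// Reply-To, so no client-controlled value ever appears as the sender.
$headers = "From: webform@mysite.co.uk\r\n"
         . "Reply-To: $fromAddress\r\n";

// The body may contain newlines freely; only headers are sensitive to them.
$message = "Customer Name : $name\n\n"
         . "Phone : $phone\n\n"
         . "Email Address : $fromAddress\n\n"
         . "Query : $query\n";

if (mail($to, 'Customer Information', $message, $headers)) {
    header('Location: http://www.mysite.co.uk/thankyou.php');
    exit;
}
echo 'There was a problem sending the mail. Please check that you filled in the form correctly.';
```

The two checks do different jobs: `has_header_injection` blocks the line-break characters that let a field spill into extra headers, and `filter_var` with `FILTER_VALIDATE_EMAIL` rejects anything that is not a single plain address. Keeping the `From:` header fixed to the site's own domain also avoids the forged-sender mails seen in the original report, since nothing the visitor types can change who the message claims to be from.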