Posted by J.O. Aho on 01/10/06 11:42
Dan wrote:
>
> I had a php script running under Apache web server on a Debian Linux
> box. The script used a form to send me email using the 'mail'
> routine. Somehow a spammer managed to hijack the script to send spam.
>
> My first question I have, is how did he do it? I've included the
> script below.
> <?php
> }
> else // Second entry to this script, send email based on what was in the form.
> {
> $fromText = $_REQUEST['fromText'];
> $msgText = $_REQUEST['msgText'];
> mail( "some address@some domain.com", "Message",
> $msgText, "From: $fromText <$fromText>\n" );
> }
> ?>
The problem is the $fromText, as the spammer can add Cc: and Bcc: to it and
get your script to send the spam to people other than those you wanted it sent to.
http://www.php.net/manual/en/function.mail.php
> My second question is, how do I set up an -unhackable form and how do
> I test that it's safe? I don't want to have the email address on the
> web page.
You could remove the Cc: and Bcc:, here is a small example of how you could do it
$fromText=ereg_replace("Bcc:","",$fromText);
An eregi_replace may be a better function to use.
http://www.php.net/manual/en/function.ereg-replace.php
http://www.php.net/manual/en/function.eregi-replace.php
//Aho
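As an added example (not code from this thread or from either poster), here is a hardened version of the quoted form handler in PHP. Rather than deleting the "Bcc:" substring, it rejects any submitted sender value that contains a carriage return or line feed or that fails e-mail address validation, keeps the recipient fixed in the script, sends From: an address the server owns, and uses the submitted address only in Reply-To. The addresses 'noreply@example.com' and 'some-address@some-domain.com' are placeholders, and filter_var with FILTER_VALIDATE_EMAIL (PHP 5.2 and later) is assumed to be available.

```php
<?php
// Added example: hardened replacement for the form handler quoted above.
// Placeholder addresses are assumptions, not values from the original post.

// Returns true if $value contains a carriage return or line feed, the only
// characters that let a submitted field start a new mail header line.
function containsHeaderBreak($value)
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Returns a clean sender address, or null if the input is not acceptable.
// FILTER_VALIDATE_EMAIL rejects spaces, quotes, newlines and angle brackets,
// so an accepted value cannot smuggle Cc:, Bcc: or any other header.
function sanitizeSenderAddress($input)
{
    $input = trim((string) $input);
    if ($input === '' || strlen($input) > 254 || containsHeaderBreak($input)) {
        return null;
    }
    $email = filter_var($input, FILTER_VALIDATE_EMAIL);
    return ($email === false) ? null : $email;
}

// Builds the outgoing message, or returns null when the request is rejected.
// Recipient and subject are fixed here and never taken from the form; the
// submitted address goes into Reply-To, so From: is always an address the
// server actually owns (placeholder: noreply@example.com).
function buildMessage(array $request)
{
    $from = isset($request['fromText']) ? $request['fromText'] : '';
    $sender = sanitizeSenderAddress($from);
    if ($sender === null) {
        return null;
    }
    $text = isset($request['msgText']) ? (string) $request['msgText'] : '';
    // Normalise line endings in the body; the body cannot inject headers,
    // but consistent endings avoid surprises in some mail transports.
    $body = str_replace(array("\r\n", "\r"), "\n", $text);
    $headers = "From: noreply@example.com\r\n"
             . "Reply-To: " . $sender . "\r\n";
    return array(
        'to'      => 'some-address@some-domain.com',   // placeholder recipient
        'subject' => 'Message',
        'body'    => $body,
        'headers' => $headers,
    );
}

// Constructed inputs for a self-check: a legitimate submission, and one that
// tries to append a Bcc: header through the sender field, as in the original
// report. The first must be accepted, the second must be rejected.
$legit   = array('fromText' => 'alice@example.org', 'msgText' => 'Hello');
$hostile = array('fromText' => "alice@example.org\r\nBcc: someone@example.net",
                 'msgText'  => 'unwanted');
var_dump(buildMessage($legit) !== null);
var_dump(buildMessage($hostile) === null);

// Real send, only when the submitted request passed validation.
$msg = buildMessage($_REQUEST);
if ($msg !== null) {
    mail($msg['to'], $msg['subject'], $msg['body'], $msg['headers']);
}
```

The point of the design is that the check is on the shape of the value (one valid address, no line breaks) rather than on a blacklist of header names, so it also blocks injected To:, Content-Type: or multipart boundaries that a "Bcc:" substring filter would let through. Run from the command line, $_REQUEST is empty, buildMessage returns null, and nothing is sent.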