Posted by juglesh on 01/10/06 12:41
J.O. Aho wrote:
> Dan wrote:
> >
> > I had a php script running under Apache web server on a Debian Linux
> > box. The script used a form to send me email using the 'mail'
> > routine. Somehow a spammer managed to hijack the script to send spam.
> >
> > The first question I have is, how did he do it? I've included the
> > script below.
> > <?php
> > }
> > else // Second entry to this script, send email based on what was in the form.
> > {
> >     $fromText = $_REQUEST['fromText'];
> >     $msgText = $_REQUEST['msgText'];
> >     mail( "some address@some domain.com", "Message",
> >           $msgText, "From: $fromText <$fromText>\n" );
> > }
> > ?>
>
> The problem is the $fromText, as the spammer can add Cc: and Bcc: to it and
> get your script to send the spam to other people than you wanted it to be sent to.
>
> http://www.php.net/manual/en/function.mail.php
>
>
> > My second question is, how do I set up an unhackable form and how do
> > I test that it's safe? I don't want to have the email address on the
> > web page.
>
> You could remove the Cc: and Bcc:, here is a small example of how you could do it
>
> $fromText=ereg_replace("Bcc:","",$fromText);
$find = array("/bcc\:/i", "/Content\-Type\:/i", "/cc\:/i", "/to\:/i", "/MIME\-Version\:/i");
$fromText = preg_replace($find, "", $fromText);
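Added example (not code from Dan, J.O. Aho or juglesh): a stricter version of the same fix. Stripping known header names is a blacklist, and any name not on the list still gets through. What actually lets an extra Cc:/Bcc: line into the From: header is a newline in the user's value, so this handler refuses any sender value containing CR or LF, validates it as an address, and keeps the From: header server-controlled. The function names and the example.com addresses are assumptions.

```php
<?php
// Added example, not from the thread. Reject header injection in the
// sender field instead of trying to clean it.

function is_safe_header_value(string $value): bool
{
    // A CR, LF or NUL inside a header value is what terminates the From:
    // line and starts a new header (Cc:, Bcc:, Content-Type:, ...).
    // Refuse such values outright; do not attempt to strip them.
    return preg_match('/[\r\n\0]/', $value) === 0;
}

function validate_sender(string $fromText): ?string
{
    $fromText = trim($fromText);
    if (!is_safe_header_value($fromText)) {
        return null;
    }
    // FILTER_VALIDATE_EMAIL also rejects spaces and most header syntax,
    // so "<addr> \n Bcc: ..." style payloads never reach mail().
    $email = filter_var($fromText, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

function send_contact_message(string $fromText, string $msgText): bool
{
    $sender = validate_sender($fromText);
    if ($sender === null) {
        // Log the rejected value so abuse attempts are visible in the logs.
        error_log('contact form: rejected sender value ' . json_encode($fromText));
        return false;
    }

    // The body may legitimately contain newlines; it is not a header.
    $body = str_replace("\r\n", "\n", $msgText);

    // From: is fixed and owned by the server; the visitor's address goes
    // only into Reply-To:, where it has already been validated above.
    // (example.com addresses are placeholders for the site owner's own.)
    $headers = "From: Website Contact Form <webform@example.com>\r\n"
             . "Reply-To: " . $sender . "\r\n";

    return mail('owner@example.com', 'Message', $body, $headers);
}

// Constructed inputs showing the injection the thread describes.
$samples = [
    'alice@example.org',                                  // accept
    "alice@example.org\nBcc: someone-else@example.net",   // REJECT
    "alice@example.org\r\nContent-Type: text/html",       // REJECT
];
foreach ($samples as $s) {
    echo json_encode($s), ' => ',
         validate_sender($s) === null ? 'REJECT' : 'accept', "\n";
}
```

Run it from the command line to see which sample values are accepted; only the plain address passes. The point of rejecting rather than stripping is that a new header name the blacklist does not know about (or a case or encoding variation of a known one) fails closed instead of slipping through.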