Posted by Dan N on 01/11/06 08:09
On Tue, 10 Jan 2006 15:24:07 +0800, Dan wrote:
Thanks for the replies, makes sense.
Is there some way to do what I want to do without exposing the "send to"
email address on the web page?
Dan
>
>
> I had a php script running under Apache web server on a Debian Linux box.
> The script used a form to send me email using the 'mail' routine. Somehow
> a spammer managed to hijack the script to send spam.
>
> My first question is: how did he do it? I've included the script
> below.
>
> My second question is, how do I set up an unhackable form and how do I
> test that it's safe? I don't want to have the email address on the web
> page.
>
>
> (Sorry about the way that my news reader has formatted this.)
>
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
> <title>Contact Ilsa Sharp</title>
> </head>
>
> <body bgcolor="#666633" text="#FFFFFF" link="#FFFFFF" vlink="#FFFFFF"
> alink="#FFFFFF" topmargin="10" leftmargin="10" marginwidth="0"
> marginheight="0">
>
> <?php
> $state = $_REQUEST['state'];
>
> if ($state == "") // First entry, state not yet defined.
> {
> ?>
>
> <p> </p>
>
> <!-- Form for sender's email address and message. -->
> <form method="POST" action="<?php echo($PHP_SELF)?>" >
> <p><font face="Arial" size="3"><b>Your Email Address:</b></font></p>
> <p><font face="Arial" size="3"><b>
> <input type="text" name="fromText" size="40" maxlength="40">
> </b></font></p>
> <p><font face="Arial" size="3"><b>Message Text:</b></font></p>
> <p><font face="Arial" size="3"><b>
> <textarea name="msgText" cols="40" rows="10"></textarea>
> </b></font></p>
>
> <p><font face="Arial" size="3"><b>
> <!-- Change the state for the next entry to this script. -->
> <input type="hidden" name="state" value="1">
> <input type="submit" value="Send" name="send" style="font-family:
> Arial; font-size: 12pt; font-weight: bold">
> </b></font></p>
> <p> </p>
> </form>
>
> <?php
> }
> else // Second entry to this script, send email based on what was in the form.
> {
> $fromText = $_REQUEST['fromText'];
> $msgText = $_REQUEST['msgText'];
> // $fromText is placed in the From: header exactly as submitted.
> mail( "some address@some domain.com", "Message",
> $msgText, "From: $fromText <$fromText>\n" );
> ?>
> <p> </p>
> <p> </p>
>
> <p align="center">Your message was successfully sent.</p>
> <h2 align="center"><a href="index.html">Home</a></h2>
>
> <?php
> }
> ?>
>
> </body>
> </html>
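The following is an added example, not code from Dan's post or from any reply in the thread. It shows the mechanism that lets the quoted script be hijacked and a hardened version of its second state. The weak point is `"From: $fromText <$fromText>\n"`: PHP's mail() passes that string to the local MTA as extra headers, so a `fromText` value containing a line break appends headers the author never wrote (a Bcc: list of hundreds of recipients is the usual spam payload). The form's `maxlength="40"` does not help, because the spammer posts to the script directly rather than through the form. The "send to" address is already only in the PHP and never reaches the browser; keeping it that way and validating the input is what closes the hole. The addresses (`example.com`, `example.net`), the `noreply@example.com` sender and the function names `isSafeAddress`, `sendContactMail` and `selfCheck` are assumptions made for this example.

```php
<?php
// Added example, not from the original thread. Demonstrates PHP mail()
// header injection against the quoted contact form and a hardened version.

// Constructed attacker input for the fromText field. The newline turns one
// From: header into two headers, the second of which the script never wrote.
$attackerFrom = "me@example.com\nBcc: victim1@example.net, victim2@example.net";

// This is the header string the quoted script would hand to mail():
$unsafeHeaders = "From: $attackerFrom <$attackerFrom>\n";
// It now contains a "Bcc:" line, so the MTA delivers the message to those
// recipients as well, with the site's server as the origin.

/**
 * True only if $addr is a single well-formed address with no line breaks,
 * i.e. something that can be placed in a mail header without injecting
 * further headers. (Hypothetical helper name.)
 */
function isSafeAddress(string $addr): bool
{
    if (strlen($addr) > 254) {
        return false;
    }
    // Reject CR and LF explicitly; filter_var would too, but be obvious.
    if (preg_match('/[\r\n]/', $addr)) {
        return false;
    }
    return filter_var($addr, FILTER_VALIDATE_EMAIL) !== false;
}

/**
 * Hardened replacement for the quoted script's second state. $to lives
 * only in server-side PHP, so it is never part of the HTML the visitor
 * sees. Returns true on success, false if input was rejected or mail() failed.
 * (Hypothetical helper name.)
 */
function sendContactMail(string $to, string $fromText, string $msgText): bool
{
    if (!isSafeAddress($fromText)) {
        return false;
    }
    // Normalise line endings in the body and cap its size so the form
    // cannot be used to push large bulk mailings through the server.
    $body = str_replace(["\r\n", "\r"], "\n", $msgText);
    $body = substr($body, 0, 8000);
    // Fixed headers, separated by CRLF as the PHP manual requires. The
    // visible From: is a fixed site address; the visitor's address goes in
    // Reply-To:, where it is harmless because isSafeAddress() ran first.
    $headers = "From: Contact form <noreply@example.com>\r\n"
             . "Reply-To: $fromText\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";
    return mail($to, "Message from contact form", $body, $headers);
}

/**
 * A small check of the validator against the injection payload and a normal
 * address. Returns an array of name => passed so it can be inspected or
 * wired into a test runner. (Hypothetical helper name.)
 */
function selfCheck(string $attackerFrom): array
{
    return [
        'rejects_newline_payload' => isSafeAddress($attackerFrom) === false,
        'rejects_bare_cr'         => isSafeAddress("a@example.com\rBcc: x@example.net") === false,
        'accepts_plain_address'   => isSafeAddress('dan@example.com') === true,
    ];
}

// Only honour the second state on a POST read from $_POST. The original
// used $_REQUEST, which also accepts GET and cookies, so the spam run could
// be driven with nothing more than a list of URLs.
if (PHP_SAPI !== 'cli'
    && $_SERVER['REQUEST_METHOD'] === 'POST'
    && ($_POST['state'] ?? '') === '1') {
    $ok = sendContactMail(
        'some.address@example.com',   // assumed recipient; stays server-side
        $_POST['fromText'] ?? '',
        $_POST['msgText'] ?? ''
    );
    echo $ok ? 'Your message was successfully sent.'
             : 'The email address you entered was not accepted.';
} elseif (PHP_SAPI === 'cli') {
    // Run from the command line to see the validator's verdicts.
    foreach (selfCheck($attackerFrom) as $name => $passed) {
        echo $name, ': ', $passed ? 'ok' : 'FAIL', "\n";
    }
}
```

To test the deployed form the way a spammer would, submit the `fromText` payload above with curl (`curl -d 'state=1' --data-urlencode 'fromText=me@example.com%0ABcc: you@example.net' ...`) and confirm that no message arrives at the Bcc address and that the script reports the rejection; with the original script the Bcc copy is delivered.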