Knowledgebase: Shared Hosting
My contact form keeps having its name changed, what's happening?
Posted by Phil (Netcetera) on 07 January 2008 04:58 PM
We have recently been checking for PHP scripts that are vulnerable to attack, as we have found that spammers are now targeting websites that have a contact.php or sendmail.php page and using these scripts to send out their spam.

The "hack" is a fairly basic one. The PHP mail() function takes parameters such as "to", "from", "subject" etc. The values for these parameters are passed in via a simple HTML form page.

However, if a spammer pastes a whole load of email headers and spam into your fields, they can effectively hijack your script and use it to spam countless others.

We have written a check utility which finds all contact.php and sendmail.php scripts on our servers and then examines them to see if the PHP mail function is used. If it is, the script is renamed contact.php.possibly_vulnerable_renamed_by_netcetera or sendmail.php.possibly_vulnerable_renamed_by_netcetera.

If we have renamed one of your files, please follow the steps below to ensure it is as well coded as possible. Then rename it to something other than contact.php or sendmail.php and adjust the form action in your HTML page. If you rename it back to contact.php or sendmail.php it will again be picked up by our check utility and renamed!

We appreciate this course of action is inconvenient, but the possible ramifications of us not acting are far greater. Individual servers and even complete IP ranges would be added to spam blocklists and no-one would be able to send email from our servers.

Fixes
-----
There are a number of "fixes" which we have found discussed on the web. Please do not contact us regarding fixing your scripts as we are unable to get involved in any coding/design issues.

1. Ensure the PHP script sets headers correctly.
   - Make sure you end your headers with \r\n\r\n. Change

         $headers .= "From: " . $from . "\r\n";

     to

         $headers .= "From: " . $from . "\r\n\r\n";

2. Filter form inputs for any unwanted strings, e.g. bcc headers:

       // Strip \r and \n from the email address so nothing can start a new header line
       $_POST['email'] = str_replace(array("\r", "\n"), "", $_POST['email']);

       // Remove injected headers (the original called preg_replace on bare "\r" and "\n",
       // which is not a valid pattern; the patterns below carry proper delimiters)
       $find = array("/bcc\:/i", "/Content\-Type\:/i", "/cc\:/i", "/to\:/i");

       $_POST['email'] = preg_replace($find, "", $_POST['email']);
       // assumes the message field in your form is named "comments"
       $comments = preg_replace($find, "", $_POST['comments']);

3. Set a session on your form input page and check for this session in your PHP mailer. The spammers normally POST data straight to the PHP script, so they would be missing the session.

4. Check HTTP_REFERER values to ensure the data being posted to your PHP script has come from your form.

5. Don't call your script contact.php or sendmail.php or the form contact.htm. Spammers use automated systems to identify sites which have these files present.

6. There are others discussed, but the most effective seem to be a combination of the above. We suggest using Google Groups and searching for terms like "PHP mail spammer contact.php". A good resource is available at: http://securephp.damonkohler.com/index.php/Email_Injection
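As an added example (not Netcetera's check utility, and not any customer's script), the handler below applies fixes 1 to 5 together in one PHP file. It assumes a form with fields named name, email, subject, comments and a hidden token; RECIPIENT, SENDER and FORM_PAGE are placeholders to replace with your own values, and the file itself should be saved under a name other than contact.php or sendmail.php (fix 5).

```php
<?php
// Added example: a contact-form handler combining the fixes listed above.
// Assumed form fields: name, email, subject, comments, token (hidden).
declare(strict_types=1);

session_start();

const RECIPIENT = 'you@example.com';      // placeholder: the mailbox that receives enquiries
const SENDER    = 'website@example.com';  // placeholder: a fixed From address on your own domain
const FORM_PAGE = '/enquiry.html';        // placeholder: the page that holds the form

// Fix 3: the form page calls this and writes the token into a hidden field.
function issueFormToken(): string
{
    $token = bin2hex(random_bytes(16));
    $_SESSION['contact_token'] = $token;
    return $token;
}

// Fix 3: a bot posting straight to the script has no session and no token.
function hasValidFormToken(array $post, array $session): bool
{
    $expected = (string)($session['contact_token'] ?? '');
    $given    = (string)($post['token'] ?? '');
    return $expected !== '' && hash_equals($expected, $given);
}

// Fix 4: the Referer should name our own host. Browsers may omit the header and a
// client can forge it, so this only backs up the token check rather than replacing it.
function refererIsLocal(array $server): bool
{
    $ref = (string)($server['HTTP_REFERER'] ?? '');
    return $ref !== '' && parse_url($ref, PHP_URL_HOST) === ($server['HTTP_HOST'] ?? null);
}

// Fix 2: anything bound for a mail header must be a single line with no header
// keyword in it. Rejecting the request is preferable to stripping characters,
// since stripping lets a sender probe for patterns that slip through.
function isHeaderSafe(string $value): bool
{
    if (preg_match('/[\r\n]/', $value) === 1) {
        return false;
    }
    return preg_match('/\b(bcc|cc|to|content-type|mime-version)\s*:/i', $value) !== 1;
}

function isSaneEmail(string $value): bool
{
    return isHeaderSafe($value) && filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

// Fix 1: build the header block ourselves with CRLF separators. The visitor's
// address goes in Reply-To; From stays a fixed address on our own domain.
function buildHeaders(string $replyTo): string
{
    $headers = [
        'From: ' . SENDER,
        'Reply-To: ' . $replyTo,
        'Content-Type: text/plain; charset=UTF-8',
    ];
    return implode("\r\n", $headers) . "\r\n";
}

// Returns true when the message was handed to mail(), false when the request was refused.
function handleContactPost(array $post, array $server, array $session): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST'
        || !hasValidFormToken($post, $session)
        || !refererIsLocal($server)) {
        return false;
    }
    $name     = trim((string)($post['name'] ?? ''));
    $email    = trim((string)($post['email'] ?? ''));
    $subject  = trim((string)($post['subject'] ?? ''));
    $comments = trim((string)($post['comments'] ?? ''));

    if (!isHeaderSafe($name) || !isHeaderSafe($subject) || !isSaneEmail($email) || $comments === '') {
        return false;
    }
    unset($_SESSION['contact_token']);   // single-use token: a replayed POST fails

    $body = "Name: $name\nEmail: $email\n\n$comments";
    return mail(RECIPIENT, '[Website enquiry] ' . $subject, $body, buildHeaders($email));
}

if (PHP_SAPI === 'cli') {
    // Offline check of the filter with a constructed sample of an injected field.
    $injected = "someone@example.com\r\nBcc: other@example.com";
    var_dump(isSaneEmail('alice@example.com'));   // a plain address passes
    var_dump(isSaneEmail($injected));             // the CRLF plus Bcc line is refused
} else {
    $sent = handleContactPost($_POST, $_SERVER, $_SESSION);
    header('Location: ' . ($sent ? FORM_PAGE . '?sent=1' : FORM_PAGE . '?error=1'));
    exit;
}
```

The form page includes the token with a line such as `<input type="hidden" name="token" value="<?= htmlspecialchars(issueFormToken()) ?>">` after starting the session, and its action points at whatever non-obvious name you gave this file. Run the file from the command line to see the header filter accept a plain address and refuse the constructed injected value.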

Again, we apologise for any inconvenience caused and trust you understand why we have taken this course of action.