How to secure PHP forms?

Status
Not open for further replies.

yevlesh
Sep 12, 2006
Some asshole is sending spam through one of our servers. I looked through the mail server configuration and it seems secure enough. The only way I could see him getting in is through one of our contact forms. Many of them are PHP and haven't been updated for quite a while...

What's the best way to check whether or not the forms are secure and to secure them?
Generally speaking, if the recipient can be specified by the form user then it's insecure. Usually I use a combination of a dumb captcha (what is four plus four?), keeping the actual destination address out of the HTML/form (send a message to ... marketing!), and checking the HTTP referrer (if the form submit isn't coming from the form ... it's bad).

You need to check that there are no newlines in the from email address or subject line.
 
The recipient can't be specified in the form - that would make it too easy for them :) .

I will go and add referrer checking - great precaution.

Don't see any newlines in the From or Subject line yet, but I am still looking through the forms.

Is there any way to determine that the spamming is actually happening through the forms? I am speculating on that one, since I have no idea how else they could be getting in.
 
There are probably a hundred ways they could get in...

Do you have any $_GET / $_POST vars being referenced anywhere without being cleaned first? It could be a URL string injection.

Have you checked your log files for any unusual activity?

Like somebody said, check for newlines in your form validation, or check for multiple @ in the "to" email field.

If I were you I would take all your forms down until you have found the problem. If the problem still persists after you have taken them down, you have your answer.

Hope it helps.
 
The referrer can be easily spoofed by the bot. If the form is insecure, the newline check should solve the problem. I have webforms that were targeted (unsuccessfully) and what the bot tried to do was add BCC to the mail header via the From textbox. The textbox should only be one line, so this should be easy to catch.
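
The attack described in that post, worked through as an added example (my code, not anything posted in the thread). It pastes a constructed "From" value containing a CR/LF into the header block the way an unpatched handler would, parses the result as a mail server would to show the injected Bcc: entry, and then applies the two checks the thread recommends: reject any CR/LF in a single-line field, or, better, require the field to be exactly one address. Field values, the payload and the function names are illustrative assumptions.

```php
<?php
// Added example, not code from the thread. It shows the attack the post
// describes: a newline in the single-line "From" textbox becomes an extra
// Bcc: header once the handler pastes the value into the header block, and
// the one-line check that stops it. The payload and field values below are
// constructed for illustration.

// What a careless handler does: user input straight into the headers.
function buildHeadersVulnerable(string $from, string $subject): string
{
    return "From: $from\r\nSubject: $subject\r\n";
}

// Split a header block into name => value the way a mail server reads it,
// so the injected header is visible as a separate entry.
function parseHeaders(string $headers): array
{
    $out = [];
    foreach (preg_split('/\r?\n/', trim($headers)) as $line) {
        if (strpos($line, ':') === false) {
            continue;
        }
        [$name, $value] = explode(':', $line, 2);
        $out[strtolower(trim($name))] = trim($value);
    }
    return $out;
}

// A textbox holds one line. Any CR, LF or NUL means somebody is not using the
// form as a human would. PHP has already URL-decoded %0D%0A by the time the
// value is in $_POST, so this check sees the real control characters.
function hasHeaderInjection(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// The positive version of the same check: the field must be exactly one
// address, which rules out newlines, commas and a second "@" in one go.
function isSingleAddress(string $value): bool
{
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed payload: what the bot put in the From textbox
// (URL-encoded on the wire as x%40example.com%0D%0ABcc%3A+...).
$injectedFrom = "x@example.com\r\nBcc: victim1@example.net, victim2@example.net";

$parsed = parseHeaders(buildHeadersVulnerable($injectedFrom, 'Hello'));
printf("injected bcc header present: %s\n", isset($parsed['bcc']) ? 'yes' : 'no');
printf("newline check flags payload:  %s\n", hasHeaderInjection($injectedFrom) ? 'yes' : 'no');
printf("passes as single address:     %s\n", isSingleAddress($injectedFrom) ? 'yes' : 'no');
printf("legit address passes:         %s\n", isSingleAddress('x@example.com') ? 'yes' : 'no');
```

Run it with the PHP CLI. The point of the last two functions is the order of preference: the CR/LF blacklist catches this particular bot, while `filter_var(..., FILTER_VALIDATE_EMAIL)` rejects anything that is not one address, so it also catches the comma-separated multi-recipient and double-@ variants the later posts mention without a separate rule for each.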
 
Use the search feature above, or just read this previous thread

Why bother with CSS hiding form stuff, when there is a form type hidden? Of course many bots can read HTML so that may not help. And as wdmny mentioned, you cannot trust the referrer.

You should also check for hex encoded strings (%[a-f0-9]), BCC, CC, base64, content-type, multipart/mixed, "multi-part message in MIME format", and "to:".

With proper filtering and the session method mentioned above I have not had problems with form spamming. You should not be checking your forms for bad data, you should be checking that the data is good. There is a difference.
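
A contact-form handler built on that "check that the data is good" principle, as an added example (my code; the thread does not show an implementation, and the session token here is my own version of the kind of session method the post refers to). Every field has an allow-list rule that returns the clean value or rejects the whole submission; the recipient is a constant the request never touches; the visitor's address goes into Reply-To while From stays on the site's own domain; and the handler refuses any POST that does not carry a token the server issued in the same session, which is what the referrer check was trying to do but cannot, since the referrer is forged freely. Field names, limits, addresses and the token lifetime are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. Allow-list validation per field,
// fixed recipient, Reply-To for the visitor's address, and a single-use
// session token. Names, limits and addresses are illustrative assumptions.

const RECIPIENT = 'webmaster@example.com'; // fixed; never read from the request
const SENDER    = 'forms@example.com';     // our own domain; the visitor goes in Reply-To

// Each validator returns the clean value or null. Anything outside the rule is bad.
function validName(string $v): ?string
{
    $v = trim($v);
    // letters and marks in any script, space, dot, apostrophe, hyphen; 1..80 chars; one line by construction
    return preg_match('/^[\p{L}\p{M} .\'-]{1,80}\z/u', $v) === 1 ? $v : null;
}

function validEmail(string $v): ?string
{
    $v = trim($v);
    // exactly one syntactically valid address: no CR/LF, no commas, no second "@"
    return (strlen($v) <= 254 && filter_var($v, FILTER_VALIDATE_EMAIL) !== false) ? $v : null;
}

function validSubject(string $v): ?string
{
    $v = trim($v);
    // printable ASCII only, so no header folding or injection is possible; 1..120 chars
    return preg_match('/^[\x20-\x7E]{1,120}\z/', $v) === 1 ? $v : null;
}

function validMessage(string $v): ?string
{
    $v = str_replace("\r\n", "\n", trim($v));
    // the body may have newlines; cap length and forbid every other control character
    $clean = preg_match('/[^\P{C}\n\t]/u', $v) === 0;   // 0 matches = no stray control chars (false = bad UTF-8)
    return (strlen($v) >= 1 && strlen($v) <= 4000 && $clean) ? $v : null;
}

// Token the form page embeds as a hidden field; the handler requires it back.
// session_start() must run on both the page that shows the form and the handler.
function issueFormToken(): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_token'] = $token;
    $_SESSION['form_token_time'] = time();
    return $token;
}

function consumeFormToken(?string $presented, int $maxAge = 3600): bool
{
    $expected = $_SESSION['form_token'] ?? null;
    $issued   = $_SESSION['form_token_time'] ?? 0;
    unset($_SESSION['form_token'], $_SESSION['form_token_time']); // single use, even on failure
    if ($expected === null || $presented === null) {
        return false;
    }
    if (time() - $issued > $maxAge) {
        return false;
    }
    return hash_equals($expected, $presented);
}

// Returns the message to send, or null when the token or any field is not good.
function handleContactPost(array $post): ?array
{
    if (!consumeFormToken($post['token'] ?? null)) {
        return null;
    }
    $name    = validName($post['name'] ?? '');
    $email   = validEmail($post['email'] ?? '');
    $subject = validSubject($post['subject'] ?? '');
    $body    = validMessage($post['message'] ?? '');
    if ($name === null || $email === null || $subject === null || $body === null) {
        return null;
    }
    return [
        'to'      => RECIPIENT,
        'subject' => $subject,
        'body'    => "From: $name <$email>\n\n$body",
        // array form of additional_headers (PHP >= 7.2) keeps one header per entry
        'headers' => ['From' => SENDER, 'Reply-To' => $email],
    ];
}

function sendContactMail(array $msg): bool
{
    return mail($msg['to'], $msg['subject'], $msg['body'], $msg['headers']);
}

// Wiring. Form page:  session_start(); $t = issueFormToken(); echo '<input type="hidden" name="token" value="' . $t . '">';
// Handler:            session_start(); $m = handleContactPost($_POST); if ($m === null) { http_response_code(400); } else { sendContactMail($m); }
```

Two design points. The validators never try to enumerate bad strings (Bcc:, %0a, base64 and so on); they describe the only shapes a human would type, so a new trick the bot learns is rejected along with the old ones. And the token is consumed before the fields are looked at, so a bot posting straight to the handler gets the same 400 whether or not its payload is clever.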
 