EH-Net
Author Topic: New, Confused and not sure if I am in the right spot.  (Read 5056 times)
newgeek
« on: July 10, 2007, 08:46:38 PM »

Hello Everyone!!!

Not sure if I am in the right spot to ask this question, but here goes... I am new to web design, and I have developed an online form for a client back in December of '06. Here is the URL http://businessconnectory.ca/contact.php

Now I am trying to learn about Hacking and Spam and such but apparently she is getting spam emails from her form (Several a day). She forwarded me a copy and the responses to the form are in a language I have never read before.

I use PHP for the form validation and there is an HTTP Referrer in there as well. Can this form be easily hacked to send spam?

Thanks for your help, and I am going to research some more.
:)D
BillV
« Reply #1 on: July 11, 2007, 07:23:49 AM »

Well,

Are you properly sanitizing all of the input that's going into the form fields? Removing characters you don't want in there and such. Also, I see you're using maxlength attributes.. are you also checking the length in your PHP code? The question box does not have the maxlength attribute set, but you could add it there as well. This is easily defeated though, which is why you need to check it in the PHP as well.

As for your spam issue, try adding a captcha.

Hope that helps.
LSOChris
« Reply #2 on: July 11, 2007, 09:20:52 AM »

I didn't check, but is your mail server configured NOT to allow relaying?
dean
« Reply #3 on: July 11, 2007, 11:40:52 AM »

Hey Newgeek,

I'm not sure how you coded your PHP mailer but it looks like a standard form. I'm assuming that the code is something like the following:

// Assumed shape of the form's mailer: the headers are built by joining strings with "\r\n"
$to = 'your friend\'s email addr';
$subject = 'blah blah';
$message = 'content ,etc...';
$headers = 'From: website@businessconnectory.ca' . "\r\n" .
'Reply-To: website@businessconnectory.ca' . "\r\n";

If I'm wrong stop reading now. :)

Anyway, the problem occurs with using $_POST['subject']; for example.

This in and of itself is not a bad thing, but the "\r\n" specifies a new line and lets the SMTP server know another header is being sent. So what we, and by we I mean the spammer, can do is to enter something like

\r\nTo: guy@address.about.2.b.spammed.com; another address, etc...

in the subject field. This then gets interpreted as a new header and your form is now being used to send spam.

Venom77 is right and you need to make sure that your code is sanitizing the input. Use a regular expression and validate the input and strip out unwanted characters. Replace all characters that are not alphanumeric or spaces.

I would also make sure that you check the "tell a friend" form.

BTW your Keyword search field is susceptible to XSS.

http://businessconnectory.ca/display_results.php?key=Search&search=%3Cscript%3Ealert(%22test%22)%3C/script%3E&found=keyword

HTH,
dean
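
The check discussed in replies #1 and #3, as an added example that is not part of the original posts and not newgeek's actual code: it validates length server-side and rejects (rather than strips) any header-bound value containing CR, LF or other control characters. The field names subject, email and message, the length limits and the recipient owner@example.com are assumptions.

```php
<?php
// Added example. Field names, limits and the recipient address are assumed.

// A value that ends up in a mail header must be a single line: reject it if
// it is not a string, is too long, or contains CR/LF or other control bytes.
function clean_header_value($value, int $maxLen = 100): ?string
{
    if (!is_string($value) || preg_match('/[\x00-\x1F\x7F]/', $value)) {
        return null;
    }
    $value = trim($value);
    if ($value === '' || strlen($value) > $maxLen) {
        return null;
    }
    return $value;
}

// Returns the four arguments for mail(), or null if the submission is refused.
function build_mail(array $post): ?array
{
    $subject = clean_header_value($post['subject'] ?? null);
    $replyTo = clean_header_value($post['email'] ?? null, 254);
    $message = $post['message'] ?? null;

    if ($subject === null || $replyTo === null
        || filter_var($replyTo, FILTER_VALIDATE_EMAIL) === false
        || !is_string($message) || strlen($message) > 5000) {
        return null;
    }
    // Recipient and From are fixed on the server, never taken from the form.
    $headers = 'From: website@businessconnectory.ca' . "\r\n" .
               'Reply-To: ' . $replyTo;
    return ['owner@example.com', $subject, $message, $headers];
}

// Constructed submissions: a normal one, and one whose subject carries the
// extra "To:" line described in the post above.
$good = ['subject' => 'Question about listings',
         'email'   => 'visitor@example.com',
         'message' => 'Hello, how do I add my business?'];
$bad = $good;
$bad['subject'] = "Hi\r\nTo: someone@example.com";

foreach (['good' => $good, 'bad' => $bad] as $name => $post) {
    echo $name, ': ', build_mail($post) === null ? 'rejected' : 'accepted', "\n";
}
// In the form handler: $m = build_mail($_POST); if ($m !== null) { mail(...$m); }
```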


oneeyedcarmen
« Reply #4 on: July 11, 2007, 02:08:27 PM »

Quote from dean: "BTW your Keyword search field is susceptible to XSS."

Looks like you ARE in the right spot! ;)

Reluctant CISSP, Certified ASS