The Community Forums

Interact with an entire community of cPanel & WHM users!

Is this vulnerable

Discussion in 'General Discussion' started by Marty, Apr 25, 2005.

  1. Marty

    This is a php script on a client's site to process their forms to send email:

    PHP:
    <?
    $adminaddress = $HTTP_POST_VARS['sendemail'];
    $siteaddress = "http://www.test.com";
    $sitename = "test";

    //No need to change anything below ...
    // Gets the date and time from your server
    $date = date("m/d/Y H:i:s");

    // Gets the POST Headers - the Flash variables
    $email = $HTTP_POST_VARS['email'];
    $name = $HTTP_POST_VARS['name'];
    $comments = $HTTP_POST_VARS['message'];
    $subject = $HTTP_POST_VARS['subject'];
    $phone = $HTTP_POST_VARS['phone'];
    //$city = $HTTP_POST_VARS['city'] ;
    //$edate = $HTTP_POST_VARS['date'] ;

    //Process the form data!
    // and send the information collected in the Flash form to Your nominated email address

    mail("$email",
        "$siteaddress-Confirmation Email",
        "We have received your form successfully. We will contact you soon.
        Thank you.",
        "From: $adminaddress", "-f $adminaddress");

    mail("$adminaddress", "$sitename - $subject",
        "A visitor at $sitename has left the following information\n
            Name: $name
            Subject: $subject
            Email: $email


            The visitor commented:
            ------------------------------
            $comments

        ",
        "From: $email", "-f $email")

    ?>
    Wouldn't this script be vulnerable to spammers that could easily send a "post" to that file with any email address they want? I am pretty good with php and believe that this script is vulnerable, but since the script is used by a pretty large design firm, I want to make sure before I take it up with them.
     
  2. webignition

    Yep, you're right

    That script is vulnerable in the exact way you describe.

    Assuming that the page that posts data to this script is PHP generated, a quick way of adding a little security would be to set a session variable on the preceding page which would then be checked in the above script. If the session variable is not set, no mail is sent.

    You might also want to replace all occurrences of $HTTP_POST_VARS with $_POST as $HTTP_POST_VARS is deprecated and might disappear in future versions of PHP.
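
The session check suggested in the reply above, combined with a fixed recipient and header validation, as an added example that is not part of the thread and not the design firm's code. The constant values, the hidden `token` field and the `form_token` session key are assumptions; for brevity one file both issues the token (GET) and handles the form (POST).

```php
<?php
// Added example: hardened handler for the form fields used in the thread's script.
session_start();

const ADMIN_ADDRESS = 'admin@example.com'; // assumption: fixed server-side, never read from POST
const SITE_NAME     = 'test';

// Reject CR/LF so a field cannot append extra header lines (Bcc:, Cc:, ...).
function clean_header_value(string $value): ?string
{
    return preg_match('/[\r\n]/', $value) ? null : trim($value);
}

// Returns the validated fields, or null if no mail may be sent for this request.
function validate_submission(array $post, array &$session): ?array
{
    // One-time token set when the form page was rendered (the session check).
    $expected = $session['form_token'] ?? '';
    unset($session['form_token']);
    $given = $post['token'] ?? '';
    if (!is_string($given) || $expected === '' || !hash_equals($expected, $given)) {
        return null;
    }
    $email   = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $subject = is_string($post['subject'] ?? null) ? clean_header_value($post['subject']) : null;
    if ($email === false || $subject === null) {
        return null;
    }
    return ['email' => $email, 'subject' => $subject,
            'name'    => is_string($post['name'] ?? null) ? $post['name'] : '',
            'message' => is_string($post['message'] ?? null) ? $post['message'] : ''];
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'GET') {
    // Form page: issue the token and embed it as a hidden field.
    $_SESSION['form_token'] = bin2hex(random_bytes(32));
    echo '<input type="hidden" name="token" value="' . $_SESSION['form_token'] . '">';
} elseif (($data = validate_submission($_POST, $_SESSION)) !== null) {
    // Visitor address goes in Reply-To only; recipient and envelope sender stay fixed.
    mail(ADMIN_ADDRESS, SITE_NAME . ' - ' . $data['subject'],
         "Name: {$data['name']}\nEmail: {$data['email']}\n\n{$data['message']}",
         'From: ' . ADMIN_ADDRESS . "\r\nReply-To: " . $data['email'],
         '-f ' . ADMIN_ADDRESS);
} else {
    http_response_code(400); // missing or stale token, bad address, or CR/LF in subject
}
```

The token only shows that the form page was loaded in the same session first; the fixed recipient and the CR/LF rejection are what stop the handler from mailing addresses chosen in the POST data. This version sends only the admin notification and omits the confirmation mail to the visitor.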
     
  3. Marty

    That is what I thought. I didn't create that script, so I am going to have to contact the web designer that did. I host several of their clients' sites, so this is going to be a pain.
     
  4. webignition

    Well, it might be tricky if you expect the web designer in question to fix these issues for free as the script is not functionally faulty, just a bit suspect on the security side of things.

    If you'll have to pay the web designer to fix these issues, give me a shout if you need a hand as I might be cheaper, and I always keep an eye out for such security weaknesses!
     
  5. Marty

    Well, I won't have to pay the designer as I am not their customer. My customers are their customers. I am just the host. My clients have used this designer, so I will be contacting clients so they can contact the designer.
     
  6. webignition

    Fair enough, that makes sense!

    Let's just hope things don't get tricky if your customer doesn't want to update their scripts.

    Good luck.
     
