Re: contact.php hacking

**-Oz-** · 11-17-2005, 12:32 PM

true, but those seem to require real works, mine is defintely not real words. That is hwy you need both images and to "scrub" the headers.

**Andy** · 11-17-2005, 01:52 PM

Andrew

I had this problem for a few days on my site, and submitted a ticket on Sept. 27, 2005.

I submitted a ticket 13363 if you want to look over.

**AndrewT** · 11-17-2005, 01:55 PM

Your issue would be the same as has been described in this thread and the other thread. You need to secure your script.

**Andy** · 11-17-2005, 01:58 PM

I am aware of that. I have that same script on a few sites. I really like the script. but I will just get rid of it, and find something else. I will remove the scripts from the sites tonight.

**-Oz-** · 11-17-2005, 10:30 PM

Originally posted by Andy

I am aware of that. I have that same script on a few sites. I really like the script. but I will just get rid of it, and find something else. I will remove the scripts from the sites tonight.

Why not just add a bit of code to the script you like?

**jlarson** · 11-18-2005, 02:29 AM

catching the bad guys??

Originally posted by Pedja

You know, I am asking myself, will the day come, when someone would say "Enough is enough!" and start taking spam as serious criminal activity and also pay attention to ISP's that alow their systems to be used to make atacks.

As long as abuse is not sanctioned properly we will all suffer. Solution is not to prevent them to do it, but to punishing them when they do it.

A thought occurred to me while reading this thread, feeling annoyed like everyone else, I'm sure: is there nothing to be done to catch the culprit(s) and put together a class-action lawsuit? I know nothing about this at all, so this might be a futile thought, but is there any way to lay a trap--i.e. set up a "vulnerable" script that pretends to send email, but actually serves to collect information from an attacker? I suppose going all the way through with a class action is not worth the hassle, especially if the attacks are coming from outside the U.S. But even letting attackers know they are being watched can't hurt, can it? Obviously I'm not suggesting this as an alternative to securing vulnerable scripts, but just wondering if we are limited to defense only.

**cathode** · 11-18-2005, 07:35 AM

If anyone wants this flash email form and the corresponding php form, I'll make it available: http://www.ianlabs.com/contact/
Of course you'll have to edit it to suit your needs.

I'm no programmer, but the way I figure it, a spam bot surfing the page will not know what to do with the flash code.

**-Oz-** · 11-18-2005, 09:15 AM

Originally posted by cathode

If anyone wants this flash email form and the corresponding php form, I'll make it available: http://www.ianlabs.com/contact/
Of course you'll have to edit it to suit your needs.

I'm no programmer, but the way I figure it, a spam bot surfing the page will not know what to do with the flash code.

I don't want the code cuz I like my code but I really like the form. Its very slick.

**ChrisTech** · 11-18-2005, 10:49 AM

Originally posted by cathode

If anyone wants this flash email form and the corresponding php form, I'll make it available: http://www.ianlabs.com/contact/
Of course you'll have to edit it to suit your needs.

I'm no programmer, but the way I figure it, a spam bot surfing the page will not know what to do with the flash code.

If you do make it public, I'd take it for at least one site I have. Looks nice to me.

**RollinD** · 11-18-2005, 01:32 PM

I'm getting kind of confused, so before I continue trying to get all of this, I thought I'd ask two quick questions.

Do we still need to implement anti-spam images even with the mod_security thing be installed on all servers?

Do we have to run anything for the mod_security mail injection filters to start working, or are they automatically implemented?

Thanks,
Danny

**AndrewT** · 11-18-2005, 01:52 PM

mod_security works automatically for every page that is served via HTTP.

You still need to modify your scripts and secure them. Depending on mod_security to do this for you is entirely the wrong way to be going about this.

The reason I've always been hesitant in even running mod_security is because it is the wrong solution IMO. These problems need to be fixed entirely, not just denied access to by mod_security.

**RollinD** · 11-18-2005, 02:12 PM

Allright.. thanks Andrew for clearing that up..

**cathode** · 11-18-2005, 02:18 PM

Download the flash feedback form source here:

http://www.ianlabs.com/temp/flashfeedbackform.zip

If a PHP guy could be so kind as to modify the script below to include the IP address and any other details about the poster, I would consider it a nice fair trade

Code:

<?
if(!empty($HTTP_POST_VARS['sender_mail']) || !empty($HTTP_POST_VARS['sender_message']) || !empty($HTTP_POST_VARS['sender_subject']) || !empty($HTTP_POST_VARS['sender_name']))
{
	$to = "you@email.com";
	$subject = stripslashes($HTTP_POST_VARS['sender_subject']);
	$body = stripslashes($HTTP_POST_VARS['sender_message']);
	$body .= "\n\n---------------------------\n";
	$body .= "Mail sent by: " . $HTTP_POST_VARS['sender_name'] . " <" . $HTTP_POST_VARS['sender_mail']  . ">\n";
	$body .= "Website: " . $HTTP_POST_VARS['sender_website'] . "\nPhone:" . $HTTP_POST_VARS['sender_phone']  . "\n";
	$header = "From: " . $HTTP_POST_VARS['sender_name'] . " <" . $HTTP_POST_VARS['sender_mail'] . ">\n";
	$header .= "Reply-To: " . $HTTP_POST_VARS['sender_name'] . " <" . $HTTP_POST_VARS['sender_mail'] . ">\n";
	$header .= "X-Mailer: PHP/" . phpversion() . "\n";
	$header .= "X-Priority: 1";
	if(@mail($to, $subject, $body, $header))
	{
		echo "output=sent";
	} else {
		echo "output=error";
	}
} else {
	echo "output=error";
}
?>

**willy** · 11-18-2005, 02:55 PM

Is anyone familiar with CoffeeCup FormBuilder? According to CoffeeCup:

"Our program uses a custom php script that can only be used inside our program. There is no way a spammer can use it to cause any damage."

**-Oz-** · 11-18-2005, 07:57 PM

cathode,

this should work for ya:

Code:

<?
if(!empty($HTTP_POST_VARS['sender_mail']) || !empty($HTTP_POST_VARS['sender_message']) || !empty($HTTP_POST_VARS['sender_subject']) || !empty($HTTP_POST_VARS['sender_name']))
{
	$to = "you@email.com";
	$subject = stripslashes($HTTP_POST_VARS['sender_subject']);
	$body = stripslashes($HTTP_POST_VARS['sender_message']);
	$body .= "\n\n---------------------------\n";
	$body .= "Mail sent by: " . $HTTP_POST_VARS['sender_name'] . " <" . $HTTP_POST_VARS['sender_mail']  . ">\n";
	$body .= "Website: " . $HTTP_POST_VARS['sender_website'] . "\nPhone:" . $HTTP_POST_VARS['sender_phone']  . "\n";
	$body .= "IP Address: " . $HTTP_SERVER_VARS['REMOTE_ADDR']  . "\n";
	$header = "From: " . $HTTP_POST_VARS['sender_name'] . " <" . $HTTP_POST_VARS['sender_mail'] . ">\n";
	$header .= "Reply-To: " . $HTTP_POST_VARS['sender_name'] . " <" . $HTTP_POST_VARS['sender_mail'] . ">\n";
	$header .= "X-Mailer: PHP/" . phpversion() . "\n";
	$header .= "X-Priority: 1";
	if(@mail($to, $subject, $body, $header))
	{
		echo "output=sent";
	} else {
		echo "output=error";
	}
} else {
	echo "output=error";
}
?>

Re: contact.php hacking

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment