Contact Form Exploits
Posted on February 11th, 2006 by Michael Gray in Programming
I’m currently having a major battle with one of my hosting companies about an exploit someone is running against a contact form on one of my sites (more about that another time). However, I’m a firm believer in contact forms because they would be something people would look for to get a sense of trust in a website (see Google Trust and Librarians). Anyway, if you run contact forms and scripts it may be worth taking a look at them; here’s a page with some tips for helping you protect yourself.
February 11th, 2006 at 2:13 pm
You mean the processing scripts were once considered secure before implementing code like that? (shakes head sorrowfully)
One sure fire way to secure a contact form script is to hard-code the outgoing email address(es). If a To:|CC:|BCC: address from the submission doesn’t match, 403 the request.
February 11th, 2006 at 8:02 pm
Yep got caught with my pants down, learned a lesson the hard way.
February 13th, 2006 at 5:04 am
PHP Contact Form Exploits and Protection
Anti spam tests for contact forms
…
February 14th, 2006 at 11:47 am
I had this same problem last week. An updated version of the script seems to have solved the problem.
February 15th, 2006 at 9:22 am
Got hit hard too. My very helpful host fixed the scripts by adding a validation:
// Original comment used ereg(), which was removed in PHP 7; preg_match() with the same pattern behaves identically.
if (preg_match('/^[_a-zA-Z0-9-]+(\.[_a-zA-Z0-9-]+)*@[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)+$/', $emailFrom))
    mail($emTo, $emSubject, $emMessage, $emHeaders,…
(hope the regex displays fine)
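The two defences the comments above describe, as an added example that is not code from the original post or any commenter: the outgoing recipient is hard-coded and a submission whose To/Cc/Bcc does not match is refused with a 403 (the first commenter's advice), the visitor's From address is checked against the same regular expression the host added to the mail() call, and any CR or LF in a header-bound field is rejected, since a line break is what lets a submitted field grow extra mail headers. The field names, the recipient address and the sample submissions are constructed for the example.

```python
"""Defensive handling of a contact-form submission (added example)."""
import re
from email.message import EmailMessage

# Hard-coded destination: the form never decides where mail goes.
# Constructed placeholder address for the example.
ALLOWED_RECIPIENTS = ("webmaster@example.com",)

# The From-address pattern the host used with ereg(), as a Python regex.
EMAIL_RE = re.compile(
    r"^[_a-zA-Z0-9-]+(\.[_a-zA-Z0-9-]+)*@[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)+$"
)

# Header fields must be a single line; a CR or LF can only be an attempt
# to inject additional headers into the outgoing message.
HEADER_BREAK_RE = re.compile(r"[\r\n]")


class Rejected(Exception):
    """Carries the HTTP status the form handler should answer with."""

    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status
        self.reason = reason


def build_contact_mail(form):
    """Validate a submitted form dict and return a safe EmailMessage.

    `form` maps field name -> string exactly as the browser submitted it.
    Raises Rejected(403, ...) if the submission tries to steer delivery and
    Rejected(400, ...) for other invalid input.
    """
    # Any recipient field the client sent must match the hard-coded one;
    # the commenter's rule is "if it doesn't match, 403 the request".
    for field in ("to", "cc", "bcc"):
        value = form.get(field)
        if value is not None and value.strip() not in ALLOWED_RECIPIENTS:
            raise Rejected(403, f"{field} address not permitted")

    # Check raw values for line breaks before any trimming, so a break in
    # the middle of the field is caught as well as one at either end.
    for name in ("from", "subject"):
        if HEADER_BREAK_RE.search(form.get(name, "")):
            raise Rejected(400, f"line break in {name} field")

    sender = form.get("from", "").strip()
    subject = form.get("subject", "").strip()
    body = form.get("message", "")

    if not EMAIL_RE.match(sender):
        raise Rejected(400, "malformed from address")

    msg = EmailMessage()
    msg["To"] = ALLOWED_RECIPIENTS[0]
    # Send from our own address; the visitor's address goes in Reply-To so
    # the outgoing envelope never carries user-controlled header values.
    msg["From"] = ALLOWED_RECIPIENTS[0]
    msg["Reply-To"] = sender
    msg["Subject"] = subject or "Contact form submission"
    msg.set_content(body)
    return msg


def handle_submission(form):
    """Return (http_status, summary) the way a form handler would."""
    try:
        msg = build_contact_mail(form)
    except Rejected as exc:
        return exc.status, exc.reason
    return 200, f"queued mail to {msg['To']}"


if __name__ == "__main__":
    # Constructed sample submissions: one legitimate, three that must fail.
    good = {"from": "visitor@example.org", "subject": "Hello", "message": "Hi"}
    print(handle_submission(good))
    print(handle_submission({**good, "to": "elsewhere@example.net"}))
    print(handle_submission({**good, "from": "visitor@example.org\r\nBcc: other@example.net"}))
    print(handle_submission({**good, "from": "not an address"}))
```

The order of the checks matters: the line-break test runs on the raw field before any trimming, because trimming would hide a break at the end of the value while leaving one in the middle, and the regex check alone would not catch a break at the end since `$` matches before a trailing newline in Python.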
February 17th, 2006 at 10:12 am
[...] Contact Form Exploits [...]