Contact Form Exploits

By Michael Gray
In Programming  

I’m currently having a major battle with one of my hosting companies about an exploit someone is running against a contact form on one of my sites (more about that another time). However, I’m a firm believer in contact forms, because they are something people look for to get a sense of trust in a website (see Google Trust and Librarians). Anyway, if you run contact forms and scripts it may be worth taking a look at them; here’s a page with some tips to help you protect yourself.

{ 1 trackback }

planetOzh
February 13, 2006 at 5:04 am

{ 4 comments }

Dan February 11, 2006 at 2:13 pm

You mean the processing scripts were once considered secure before implementing code like that? (shakes head sorrowfully)

One sure fire way to secure a contact form script is to hard-code the outgoing email address(es). If a To:|CC:|BCC: address from the submission doesn’t match, 403 the request.

Administrator February 11, 2006 at 8:02 pm

Yep got caught with my pants down, learned a lesson the hard way.

Brian Combs February 14, 2006 at 11:47 am

I had this same problem last week. An updated version of the script seems to have solved the problem.

Sebastian February 15, 2006 at 9:22 am

Got hit hard too. My very helpful host fixed the scripts by adding a validation:

if (ereg('^[_a-zA-Z0-9-]+(\.[_a-zA-Z0-9-]+)*@[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)+$',$emailFrom))
mail($emTo, $emSubject, $emMessage, $emHeaders,…

(hope the regex displays fine)
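The two defences raised in the comments above (Dan's hard-coded recipient with a 403 on any injected To:/CC:/BCC:, and Sebastian's anchored regex on the sender address) fit naturally into one form handler. The script below is an added example, not the post's or any commenter's code: the field names (name, email, subject, message) and the recipient address are assumptions, and Sebastian's pattern is reused with preg_match() because ereg() no longer exists in current PHP.

```php
<?php
// Added example: a contact-form handler that hard-codes the recipient and
// rejects header injection before anything reaches mail().
// Hypothetical field names: name, email, subject, message.

// Hard-coded recipient: the form never gets to choose where mail goes.
const CONTACT_RECIPIENT = 'contact@example.com';

// A value that ends the current header line (CR, LF, NUL) lets an attacker
// append their own To:/Cc:/Bcc: lines; a value that starts with one of those
// header names is refused as well, matching Dan's "403 it" rule.
function has_header_injection(string $value): bool
{
    if (preg_match('/[\r\n\0]/', $value)) {
        return true;
    }
    return (bool) preg_match('/^\s*(to|cc|bcc|content-type)\s*:/i', $value);
}

// Sebastian's sender pattern, unchanged apart from preg_match() delimiters.
function is_valid_sender(string $email): bool
{
    $pattern = '/^[_a-zA-Z0-9-]+(\.[_a-zA-Z0-9-]+)*@[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)+$/';
    return (bool) preg_match($pattern, $email);
}

function handle_contact_form(array $post): void
{
    $from    = trim((string) ($post['email'] ?? ''));
    $name    = trim((string) ($post['name'] ?? ''));
    $subject = trim((string) ($post['subject'] ?? 'Website contact form'));
    $message = (string) ($post['message'] ?? '');

    // Every value that ends up in a header line is checked; the body is not a
    // header and cannot add recipients, so it only needs to be mailed as-is.
    foreach ([$from, $name, $subject] as $headerValue) {
        if (has_header_injection($headerValue)) {
            http_response_code(403);
            exit('Forbidden');
        }
    }

    if (!is_valid_sender($from)) {
        http_response_code(400);
        exit('Invalid sender address');
    }

    // Headers are built only from values that passed both checks above.
    $headers = "From: {$from}\r\nReply-To: {$from}\r\n";
    $body    = "Message from {$name} <{$from}>:\n\n" . $message;

    mail(CONTACT_RECIPIENT, $subject, $body, $headers);
    echo 'Thanks, your message has been sent.';
}

handle_contact_form($_POST);
```

The order matters: the injection check runs on the raw submitted values first, so a string such as `"victim@example.org\nBcc: list@example.org"` is refused with a 403 before the sender regex or mail() ever sees it, and the regex then only has to decide whether a clean value is a plausible address.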

Comments on this entry are closed.