I’m currently having a major battle with one of my hosting companies about an exploit someone is running against a contact form on one of my sites (more about that another time). However I’m a firm believer in contact forms, because they are something people look for to get a sense of trust in a website (see Google Trust and Librarians). Anyway, if you run contact forms and scripts it may be worth taking a look at them; here’s a page with some tips for helping you protect yourself.
You mean the processing scripts were once considered secure before implementing code like that? (shakes head sorrowfully)
One sure fire way to secure a contact form script is to hard-code the outgoing email address(es). If a To:|CC:|BCC: address from the submission doesn’t match, 403 the request.
Yep got caught with my pants down, learned a lesson the hard way.
I had this same problem last week. An updated version of the script seems to have solved the problem.
Got hit hard too. My very helpful host fixed the scripts by adding a validation:
// Only send when the submitted From address is a single well-formed address
// (ereg() was removed in PHP 7; preg_match() with delimiters is the equivalent)
if (preg_match('/^[_a-zA-Z0-9-]+(\.[_a-zA-Z0-9-]+)*@[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)+$/', $emailFrom)) {
    mail($emTo, $emSubject, $emMessage, $emHeaders /* … */);
}
(hope the regex displays fine)
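The two mitigations raised in the comments above, hard-coding the outgoing address and rejecting anything that does not match, plus validating the sender address with the same regex, combined in one contact-form handler. This is an added example, not code from the post or from any commenter; the constant CONTACT_TO, the $_POST field names, the "Website contact" default subject and the example.invalid domain are assumptions made for the example.

```php
<?php
// Added example (not from the original post or its commenters): a contact-form
// handler that combines the two mitigations discussed in the comments.
// 1. The recipient is hard-coded; nothing in the submission can add To/Cc/Bcc.
// 2. The sender address must match a single-address pattern (the commenter's
//    regex, run through preg_match() because ereg() was removed in PHP 7), and
//    every field that ends up in a mail header is rejected if it contains a CR
//    or LF, which is how extra headers get smuggled into mail().
// CONTACT_TO and the $_POST field names are assumptions for this example.

const CONTACT_TO = 'contact@example.invalid'; // hard-coded, never taken from the form

// True only if $addr is exactly one well-formed address with no header-breaking characters.
function is_single_address(string $addr): bool
{
    if (preg_match('/[\r\n]/', $addr)) {
        return false; // a CR/LF would end the From: header and start a new one
    }
    return preg_match(
        '/^[_a-zA-Z0-9-]+(\.[_a-zA-Z0-9-]+)*@[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)+$/',
        $addr
    ) === 1;
}

// True if a free-text field bound for a header (e.g. Subject) is a single line
// and does not try to introduce a recipient header of its own.
function is_header_safe(string $value): bool
{
    if (preg_match('/[\r\n]/', $value)) {
        return false;
    }
    // The "To:|CC:|BCC:" check from the comment: any submitted recipient header
    // cannot match the hard-coded address, so the request is refused outright.
    return preg_match('/^\s*(to|cc|bcc)\s*:/i', $value) === 0;
}

// Validates a submission; returns the mail() arguments, or null to reject it.
function build_mail(array $post): ?array
{
    $from    = trim($post['email'] ?? '');
    $subject = trim($post['subject'] ?? '');
    $message = $post['message'] ?? '';

    if (!is_single_address($from) || !is_header_safe($subject)) {
        return null;
    }
    // Headers are built only from validated values; the recipient is constant.
    $headers = "From: $from\r\nReply-To: $from\r\nX-Mailer: PHP/" . PHP_VERSION;
    $subject = $subject === '' ? 'Website contact' : $subject;
    return [CONTACT_TO, $subject, $message, $headers];
}

$args = build_mail($_POST);
if ($args === null) {
    http_response_code(403); // "403 the request", as the commenter suggests
    exit('Rejected');
}
mail(...$args);
```

The key design choice is that the recipient never comes from the request at all: even if the CR/LF and regex checks were bypassed, the form could only ever send to CONTACT_TO, so a successful injection yields a malformed message rather than relayed spam.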