Jump to content

Insecure Mail Form Scripts


tfcasso
 Share

Recommended Posts

Hi all,

 

Completely and utterly out of my depth here. I keep getting the message below from totalchoice and I'm not sure it's something I should be concerned about (I think they sent it to everyone). I don't THINK I installed any scripts but I do have a few e-mail accounts (like webmaster@tfcassociation.org) that I set up through my cpanel. Does that use the scripts they are referring to? I think there's a form to send comments as well (it was a default set up in frontpage and I never really got it to work right), would that be a problem? I know I sound like a complete idiot but if I'm opening them up to hackers, I want to correct the problem. I tried looking in my public_html folder and I see some mail-related things in there but I don't know if they're the scripts they're talking about in the paragraph below or something that's supposed to be there. I'm happy to remove any possible threat but I just don't know enough to know what one is when I'm looking at it. Thanks!

 

Erika

 

 

We have seen a huge increase in the amount of exploited form mail

scripts taking place on our servers. The attackers are using insecure

form mail scripts to send out spam from the client's web site. It is

critical that you maintain a safe and secure account by continually

keeping your scripts up to date and secure. Please take a moment to

review your account contents. If you're using mail form scripts and are

unsure of their security you should immediately remove them from your

account. Unused scripts that reside in your public_html folder are

still accessible to the public and can be used at any time if they are

found. In regards to your in use scripts, please check them for

security. If you're unsure on how to do this you should contact the

script creator as we can not provide assistance on coding or scripts.

Link to comment
Share on other sites

Hi Erika-

I think what they are talkign about is that many TCH clients use PHP and other types of scripts that are used to send email from their websites.

 

TCH wants to make sure you are securing these scripts so that hackers cannot write code that inserts their own mail headers into YOUR function to send THEIR spam.

 

If you havent written any custom code or had anyone else do it for you, I don't think you have anythign to worry about. :yes:

Link to comment
Share on other sites

Welcome to the forums Erika

 

The email was sent to everyone. If you have a contact form where people can fill in information it is your responsibility to make sure the script processing your form is secure and does not allow injection headers to be inserted.

 

A secure form processor such as Ultimate Form Mail should be used.

Link to comment
Share on other sites

Erika-

Don't forget that just plain old 'mailto:' email links are an invitation to spammers.

 

I'd suggest use the form mail script that was posted to make sure it is secured.

 

Sarah

Link to comment
Share on other sites

I've got a question about this Ultimate Form Mail - I'm Q'ing up the upload right now and I notice there's a file in there called "contact.php".

 

Isn't this what was just filtered out and then reinstated? So if the problem happens again, this script isn't going to work either, is it?

 

Anybody know if there's a way to rename that file to something else? Something that won't get filtered the next time the spammers run amok? You know how those pesky spammers are... they never give up. <_<

Link to comment
Share on other sites

Hi Iki,

 

You can rename contact.php to anything you like. If you take a look at the files included with that script, you will see several named contact. These are just sample forms that point the mailit script.

You can view the online documentation at www.surefirewebdesign.com/scripts/docs/

which includes a breakdown of all the files.

Link to comment
Share on other sites

Hi Iki,

 

You can rename contact.php to anything you like. If you take a look at the files included with that script, you will see several named contact. These are just sample forms that point the mailit script.

You can view the online documentation at www.surefirewebdesign.com/scripts/docs/

which includes a breakdown of all the files.

 

I've printed them out, studying them now. Thanks!

Link to comment
Share on other sites

Wayne,

 

Can you give a more specific example of what you are trying to accomplish? Maybe if you gave a specific example we'd be able to point out where this type of vulnerability might lie.

 

Regards,

Link to comment
Share on other sites

I have many "receipt pages"

On these php pages I have code that inputs data from a form (that has been passed to my credit card gateway and then back to my page) into my database. I then email the customer a receipt using the mail() command.

 

I have just discovered that no messages have been sent out over the last couple of weeks resulting in about 200 customers with no receipts.

 

In another thread

http://www.totalchoicehosting.com/forums/i...showtopic=24666

 

we have been talking about modifying the mail command with the -f parameter. The apparently tells sendmail to set the envelope address.

 

I have done this however now mail just gets returned when I try and send it to customers with the error:

"unrouteable mail domain"

 

I have looked at ultimateFormMail however this is not feasable since I use logic on my page to write to the database and email the customer only when the bank's gateway returns a certain value for one of my variables (ie transaction has been accepted).

 

I was using the command mail($customeremail, $mailsubject, $headers, $fromemail)and all was good in the world.

 

Unfortunately I am going to have to manually send over 200 receipts and counting until I get some solution in place.

 

My page is basically this.

 

if (credit card accepted){

 

write data to mysql database

email customer a receipt

dispaly html and include links to other areas of my site

}

 

if (credit card not accepted){

display message to try again

}

 

Any advice will be much appreciated.

Wayne

Link to comment
Share on other sites

  • 3 weeks later...
A secure form processor such as Ultimate Form Mail should be used.

 

I'm trying to set up Ultimate Form Mail, as suggested, but am getting an error related to Ioncube:

 

/home/faces/public_html/contactform/antispoof/seed.php cannot be processed because an untrusted PHP zend engine extension is installed. Read more about this message

 

You can see the error here: http://www.100faces.org/contactform/contact.php

 

Any suggestions?

 

Thanks!

 

-Gabe

Link to comment
Share on other sites

You need to update the ioncube loaders. The loaders are found here

http://www.ioncube.com/loaders.php

 

The ones you need are;

http://downloads.ioncube.com/loader_downlo...ers_lin_x86.zip

 

Download the loaders, unzip the file, upload the 4.4 file to your ioncube directory (ideally in binary) and then everything should be fine (hopefully :) )

Link to comment
Share on other sites

You need to update the ioncube loaders. The loaders are found here

http://www.ioncube.com/loaders.php

 

The ones you need are;

http://downloads.ioncube.com/loader_downlo...ers_lin_x86.zip

 

Download the loaders, unzip the file, upload the 4.4 file to your ioncube directory (ideally in binary) and then everything should be fine (hopefully :thumbup1: )

 

Thanks, Andy! It says that the files loaded properly, but the form still isn't working.

 

http://www.100faces.org/ioncube/ioncube-loader-helper.php'

 

Suggestions?

 

Thanks,

Gabe

Link to comment
Share on other sites

I have UFM loaded and "think" I have mailit configured ok. I fill out the form and then get sent to my thank-you page.

 

But I get no form sent to my designated recipient email.

 

Any suggestions? I've been trying to figure out why for 4 hours. It works on another site I fixed this afternoon.... :thumbup1:

Link to comment
Share on other sites

Any typographical error in the email address? Well I always start with the obvious :thumbup1:

If you send an email direct to that recipient email address - is it working properly and arriving ?

yes - I checked the spelling and I'm receiving email on it fine and the other form I fixed this afternoon sends to that same address.

 

I'm thinking it could be the old code and the way the radio buttons are labeled now that I've been reading some about that. Seems that would just give an error instead of passing through to the "thank you" page without sending the info on to my recipient email...

Link to comment
Share on other sites

That sounds like the code then.

 

I'd be tempted to copy the from on the one that's working to the same location (but different file name) as the one that's not. Then test that. That way you should know if it's the code or not.

 

Thanks Andy - I've gotten this far with figuring out how this has written. Got the needed elements in the form so far....I've gotten it to submit and then take me through to the thank you page, but no email is coming to me still.

 

Boy it's been a long day ....

Link to comment
Share on other sites

Just a note:

 

I had "recipient" set to the same email address as the email address I entered into the form to test.

 

When I stopped using the same email address in the "recipient" and what I put in the form to test (actually, I added another one of my differrent emails in the "recipient" to try sending to 2 recipients) - the form transmitted the information properly.

 

I am thinking I should not have been trying to test the form by enteriing the same email in the form as the "recipient" was set in mailit.

 

Live and learn :lol:

Edited by kahill
Link to comment
Share on other sites

Although kahill figured this out through testing, we did communicate a bit in my online forum. I mention this because Ultimate Form Mail clients can always expect timely support from me at that location. I have received consistent praise for the turnaround and quality of my responses... and TCH clients do receive extra special care.

Link to comment
Share on other sites

We know you do Jack ;) hence my link to your forum about 10 items earlier in this thread ;)

 

As with any good script / program, the author is nearly always a great place to get some support.

 

Oh, sure, I agree! I just didn't really know where to start first since UFM was recommended here among the great TCH family - so I just started here first.

 

Surefire is on the ball! :unsure:

Link to comment
Share on other sites

Can I ask a question?

 

(I do not waht to piggyback but this is a question I need answered)

 

ok, I built a contact page in FP, this is the script:

 

<form method="POST" action="_vti_bin/shtml.exe/contact.html" webbot-action="--WEBBOT-SELF--">

<!--webbot bot="SaveResults" S-Email-Format="TEXT/PRE"

S-Email-Address="emailaddress" B-Email-Label-Fields="TRUE"

B-Email-Subject-From-Field="FALSE" S-Email-Subject="subject"

S-Builtin-Fields U-Confirmation-Url="thankyou.html" startspan --><input TYPE="hidden" NAME="VTI-GROUP" VALUE="0"><!--webbot bot="SaveResults" i-checksum="43374" endspan -->

<p>name:<br>

<input type="text" name="name" size="20">

<p>Email Address:<br>

<input type="text" name="email" size="20"></p>

<p>Comments:<br>

<textarea rows="2" name="Comments" cols="20"></textarea></p>

<p><input type="submit" value="Submit" name="B1"><input type="reset" value="Reset" name="B2"></p>

</form>

 

is this the type of scripts that are getting hacked into, I got little knowledge into email scripts, and need to know of a good easy to understand and simple script for contact page. This script allows one email per submit.

 

Thanks

Link to comment
Share on other sites

You are only showing the form

its the form processor that is the problem for most scripts

they do no checking of the submitted data, just pass it on the the mail function.

The data needs to be checked

A spammer will try to add control characters to trigger BCC and Subject and a new message

in one of the form fields like the visitors e-mail address

and then off goes the spam.

 

So the form processor must check the data before it sends it.

and limit the fields to a reasonable length for each field.

like maxlength="50"

 

 

I can't help with FP as I do not use it.

Link to comment
Share on other sites

Don is right on the ball. The processor would take the names of the fields and simply pass on the content of the fields. If I remember my FP correctly, there is nothing that does any data checking.

 

FWIW...UFM can be as basic or elaborate as you would like it to be. If you use it, I would encourage you to read the documentation a couple of times (I know I did!) to get more of an idea of what was going on. Plus, as stated above, if you get stuck, you've got Surfire's forum as well as your TCH family members to help unstuck (?) you!

Link to comment
Share on other sites

  • 4 months later...
  • 3 months later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...