
Considerations to take into account to increase the security of your web form

How does this type of abuse (email header injection) work?


To explain it we will use a simple example. Suppose our form has a field in which the visitor enters their email address, defined as follows:

<input name="email" value="Enter your email here" type="text">

The address entered in this field is sent to the server, where the PHP script uses it as the From: address in the mail() function; in this way the message that reaches our mailbox shows the address entered by the visitor as its sender.

Now, PHP's mail() function, mail(recipient, subject, message, extra headers), simply concatenates the parameters passed to it, so if we enter the following in the email field of the form:

[email protected]%0ACc:[email protected]%0ABcc:[email protected],[email protected]

the first address will be the From: (the source address that the spam victims will see), %0A is the URL-encoded (hexadecimal) line feed character, Cc: (Copy) contains the address or addresses of the victims, and Bcc: (Blind Copy) also contains addresses of spam victims.

Part of the header of the email generated by our abused form will be:

To: [email protected]
Subject: Subject of the message
From: [email protected]
Cc: [email protected]
Bcc: [email protected], [email protected]

With this, the spammer will have used our site to send mass mail through our form.

The example shown is the most basic case of this type of abuse; through header injection an attacker can also modify the subject and even the message itself, to the point of sending messages with HTML content.


What consequences does this type of abuse have?


First, our form is being used to carry out an activity with which the vast majority of us disagree.

The bandwidth available to the server is also being consumed, affecting the rest of the sites hosted on it, so the site in question will be suspended until the problem is resolved.

Finally, in the event of a spam report, the account must be suspended in accordance with the legal provisions of our site. It is each user's responsibility to use sufficiently secure code on their website and to correct it where necessary.


How do we prevent our form from being abused?


First of all, it is worth clarifying that the abuse exemplified here occurs only in forms that use the PHP mail() function to process and send the data entered by the visitor. We always recommend using the PHPMailer class, which largely avoids these problems.

If you use a PHP script that is not your own, such as formail.php, update it to the most recent version, verifying that it addresses this type of activity.

If you use a PHP script of your own, or have the knowledge to edit it, here is a function you can use to validate the entered data efficiently:

<?php
function ValidateData($data) {
    // Array with the possible headers to be used by a spammer
    $badHeaders = array('Content-Type:',
                        'MIME-Version:',
                        'Content-Transfer-Encoding:',
                        'Return-path:',
                        'Subject:',
                        'From:',
                        'Envelope-to:',
                        'To:',
                        'bcc:',
                        'cc:');

    // We check that the data does not include any of
    // the strings of the array. If any string is found,
    // the request is answered with a Forbidden page
    foreach ($badHeaders as $header) {
        if (strpos(strtolower($data), strtolower($header)) !== false) {
            header('HTTP/1.0 403 Forbidden');
            exit;
        }
    }
}

// Example of function calls (each form field that reaches mail() is checked)
ValidateData($_POST['email']);
ValidateData($_POST['subject']);
ValidateData($_POST['message']);
?>

This function is basic and can be adapted to the script you use to process the form; you can even add error handling. Don't forget to validate hidden form fields as well if their values are going to be passed through the mail() function.

We also suggest that, to increase the security of your forms so that they are not hijacked by third parties, you use a captcha.
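As an added example (not code from this knowledge base or from any script it mentions), the following PHP places the vulnerable header-building pattern from the first section next to a hardened handler that applies the checks discussed in this section. The sender and recipient mailboxes, the function names and the injection string are constructed placeholders.

```php
<?php
// Added example, not the knowledge base's own code. Vulnerable pattern
// next to a hardened handler. Addresses and function names are placeholders.

// VULNERABLE: the visitor's value is concatenated straight into the header
// block, so a line feed inside it (the %0A sent by the form) starts a new
// header line such as Cc: or Bcc:.
function buildHeadersVulnerable($visitorEmail)
{
    return "From: " . $visitorEmail . "\r\n";
}

// A single-line form field never legitimately contains a line break, so any
// CR or LF is a sign of an injection attempt.
function containsLineBreak($value)
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Accept only one syntactically valid address with no line breaks.
function isSafeEmail($value)
{
    return !containsLineBreak($value)
        && filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

// HARDENED: From: is a fixed mailbox on our own domain, the visitor's
// address goes into Reply-To: only after validation, and the subject (which
// mail() turns into a header) is refused if it carries a line break. The
// message body is passed as the body parameter and never becomes a header.
function sendContactMail($visitorEmail, $subject, $message)
{
    if (!isSafeEmail($visitorEmail) || containsLineBreak($subject)) {
        return false;
    }
    $headers = "From: webform@example.com\r\n"        // placeholder sender
             . "Reply-To: " . $visitorEmail . "\r\n";
    return mail('inbox@example.com', $subject, $message, $headers); // placeholder recipient
}

// Constructed demonstration with an injection string of the shape shown
// in the first section (placeholder addresses).
$payload = urldecode('attacker@example.com%0ACc:victim1@example.com%0ABcc:victim2@example.com');

echo "Headers built by the vulnerable code:\n";
echo buildHeadersVulnerable($payload);
echo "isSafeEmail(payload): "
    . var_export(isSafeEmail($payload), true) . "\n";
echo "isSafeEmail('visitor@example.com'): "
    . var_export(isSafeEmail('visitor@example.com'), true) . "\n";
```

Run it with php from the command line: the vulnerable builder turns the single form value into three header lines (From:, Cc:, Bcc:), while isSafeEmail() rejects that value and accepts a plain address. The decisive control is in sendContactMail(): visitor data only reaches the header block after validation, and a fixed From: on our own domain replaces the visitor's address. Note that a substring list such as the one in ValidateData() is coarse: 'to:' also matches harmless text like "I want to: ..." in a message body, which is why this handler applies the line-break check only to the fields that actually become headers.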
