PHP Email script being probed?

  • wayne

    PHP Email script being probed?

    I have a PHP email script running on two separate websites. Today, I
    received a form mail generated by the script from each site, with time
    stamps 10 minutes apart. The entered email address in each form is the
    same, but the REMOTE_ADDR reported is different.

    Doing a search of the IP Addresses generates many hits, the user
    apparently posts to many news groups.

    The postal address entered is in MA while the IP Address from the first
    entry has many log files posted of an address in MI.

    Is some one trying to probe the script for vulnerabilities ? If so, what
    actions should I be considering?

    Thank you.

    --
    Wayne

    With or without religion, you would have good people doing good things
    and evil people doing evil things. But for good people to do evil
    things, that takes religion.
    —Steven Weinberg
  • Rik

    #2
    Re: PHP Email script being probed?

    wayne wrote:
    > I have a PHP email script running on two separate websites. Today, I
    > received a form mail generated by the script from each site, with time
    > stamps 10 minutes apart. The entered email address in each form is
    > the same, but the REMOTE_ADDR reported is different.
    >
    > Doing a search of the IP Addresses generates many hits, the user
    > apparently posts to many news groups.
    >
    > The postal address entered is in MA while the IP Address from the
    > first entry has many log files posted of an address in MI.
    >
    > Is some one trying to probe the script for vulnerabilities ? If so,
    > what actions should I be considering?
    Could be; as long as you protected the form from header injections, it
    should be no problem. Never, ever, construct a form that will send a
    confirmation to multiple (user-given) email addresses. Be aware there should
    be no possibility to address multiple email addresses, either by To:, Cc: or
    Bcc:.

    For extra protection, one could impose a time limit on contacts required by
    the form, for instance 3 per minute, 6 per 5 minutes, 10 per half hour per
    IP address (which isn't a really safe bet, but in normal use good enough,
    without resorting to far more difficult methods). That way you more or less
    allow for follow-up questions, but limit the amount of possible spam.

    Grtz,
    --
    Rik Wasmus
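Added example, not code from the thread and not Rik's: a per-IP limiter in PHP that implements the tiers suggested above (3 per minute, 6 per 5 minutes, 10 per half hour), keeping its state in a small JSON file under an exclusive lock. The file path, the window sizes, the 429 response and the sample IP address are assumptions for illustration.

```php
<?php
// Added example, not from the thread: per-IP submission limiter for a PHP
// form mailer using the tiers suggested above (3/min, 6/5 min, 10/30 min).
// RATE_FILE is an assumed path; it must be writable by the web server and
// should sit outside the web root.
const RATE_FILE = __DIR__ . '/../contact-rate.json';

// window length in seconds => maximum accepted submissions inside it
const RATE_LIMITS = [60 => 3, 300 => 6, 1800 => 10];

/**
 * Pure decision function: returns true and records $now for $ip when every
 * window still has room, false (recording nothing) when any window is full.
 * $state maps IP => list of accepted-submission timestamps.
 */
function rate_limit_allows(string $ip, int $now, array &$state): bool
{
    $longest = max(array_keys(RATE_LIMITS));
    // Drop timestamps older than the longest window so the file stays small.
    $hits = array_values(array_filter(
        $state[$ip] ?? [],
        fn(int $t) => $t > $now - $longest
    ));
    foreach (RATE_LIMITS as $window => $max) {
        $inWindow = count(array_filter($hits, fn(int $t) => $t > $now - $window));
        if ($inWindow >= $max) {
            $state[$ip] = $hits;
            return false;
        }
    }
    $hits[] = $now;
    $state[$ip] = $hits;
    return true;
}

/**
 * Loads the shared state under an exclusive lock, applies the decision and
 * writes the state back. Fails closed: if the state file cannot be opened
 * or locked, the submission is refused rather than sent untracked.
 */
function rate_limit_check(string $ip, ?int $now = null): bool
{
    $now = $now ?? time();
    $fh = @fopen(RATE_FILE, 'c+');
    if ($fh === false) {
        return false;
    }
    if (!flock($fh, LOCK_EX)) {
        fclose($fh);
        return false;
    }
    $raw = stream_get_contents($fh);
    $state = ($raw === '' || $raw === false) ? [] : (json_decode($raw, true) ?: []);
    $allowed = rate_limit_allows($ip, $now, $state);
    rewind($fh);
    ftruncate($fh, 0);
    fwrite($fh, json_encode($state));
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $allowed;
}

// Form handler: refuse early, before any field validation or mail() call.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    if (!rate_limit_check($ip)) {
        http_response_code(429);
        exit('Too many submissions from your address; please try again later.');
    }
    // ... validate the fields and call mail() here ...
}

// Offline demonstration with an in-memory state and a constructed IP:
// four submissions in the same second; the fourth exceeds the per-minute tier.
if (PHP_SAPI === 'cli') {
    $state = [];
    foreach (range(1, 4) as $n) {
        $ok = rate_limit_allows('203.0.113.5', 1000, $state);
        printf("submission %d: %s\n", $n, $ok ? 'accepted' : 'refused');
    }
}
```

Run it from the command line to see the tiers applied, or drop the handler part at the top of the mailer. The caveat Rik gives applies unchanged: REMOTE_ADDR is shared by everyone behind the same NAT or proxy, so the tiers need to be generous enough for legitimate follow-ups, and the limiter only slows an abuser down rather than stopping one who has many addresses. If the site sits behind a reverse proxy, REMOTE_ADDR is the proxy; take the client address from a forwarded header only when that proxy is trusted and configured to set it.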



    • wayne

      #3
      Re: PHP Email script being probed?

      Rik wrote:
      > Could be; as long as you protected the form from header injections, it
      > should be no problem. Never, ever, construct a form that will send a
      > confirmation to multiple (user-given) email addresses. Be aware there should
      > be no possibility to address multiple email addresses, either by To:, Cc: or
      > Bcc:.
      >
      > For extra protection, one could impose a time limit on contacts required by
      > the form, for instance 3 per minute, 6 per 5 minutes, 10 per half hour per
      > IP address (which isn't a really safe bet, but in normal use good enough,
      > without resorting to far more difficult methods). That way you more or less
      > allow for follow-up questions, but limit the amount of possible spam.
      >
      > Grtz,
      Rik,

      Thank you for the quick response. I don't believe extra addresses can be
      added, but is it possible to construct a form on a person's computer and
      call the PHP script on the server from it?

      I'm still learning how the scripts are used!

      --
      Wayne

      With or without religion, you would have good people doing good things
      and evil people doing evil things. But for good people to do evil
      things, that takes religion.
      —Steven Weinberg


      • flamer die.spam@hotmail.com

        #4
        Re: PHP Email script being probed?

        Make sure you don't get lazy and use code like extract($_POST);
        if you're checking for things like SQL injection or mail header
        injection, kill the script as soon as the error is found: exit();
        You can't do anything to stop it from happening and I wouldn't worry;
        just learn what holes people use and fix them in your scripts.
        Also, to ensure that someone doesn't try to mass email, make sure you
        remove any commas from email addresses with str_replace, or better yet,
        if the email address contains a comma, exit();

        flamer.


        wayne wrote:
        > I have a PHP email script running on two separate websites. Today, I
        > received a form mail generated by the script from each site, with time
        > stamps 10 minutes apart. The entered email address in each form is the
        > same, but the REMOTE_ADDR reported is different.
        >
        > Doing a search of the IP Addresses generates many hits, the user
        > apparently posts to many news groups.
        >
        > The postal address entered is in MA while the IP Address from the first
        > entry has many log files posted of an address in MI.
        >
        > Is some one trying to probe the script for vulnerabilities ? If so, what
        > actions should I be considering?
        >
        > Thank you.
        >
        > --
        > Wayne

        With or without religion, you would have good people doing good things
        and evil people doing evil things. But for good people to do evil
        things, that takes religion.
        -Steven Weinberg
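Added example, mine rather than flamer's or the thread's: the lazy pattern flamer warns against (extract($_POST) with headers built from the raw fields) beside a handler that refuses the request the moment an address or name could smuggle a header line or a second recipient. The request array is constructed to simulate an attacker's POST; mail() is never actually called, and the field names are assumptions.

```php
<?php
// Added example, not from the thread. Compares the lazy pattern flamer warns
// against (extract($_POST) and headers built from raw fields) with a handler
// that refuses the request outright when an address could smuggle headers.
// The $request array below is constructed to simulate an attacker's POST.

$request = [
    'name'    => 'Wayne',
    // The address field carries CR LF and a comma: a second header line
    // and a second recipient would both ride along into mail() headers.
    'email'   => "wayne@example.com\r\nBcc: spam-target@example.net, other@example.net",
    'message' => 'Hello',
];

// --- Lazy pattern: every POST field becomes a variable, headers are built
//     from the raw strings, and the injected Bcc: line becomes a real header.
function headers_vulnerable(array $post): string
{
    extract($post);   // defines $name, $email, $message from attacker data
    return "From: $name <$email>\r\nReply-To: $email";
}

// --- Hardened: validate each header-bound field and refuse on any sign of
//     injection. Returns null so the caller can exit() as flamer suggests;
//     nothing is "cleaned" and then sent anyway.
function validate_address(string $raw): ?string
{
    // CR/LF would end the header line; commas and semicolons would add
    // recipients. Treat any of them as an attack, not as a typo.
    if (preg_match('/[\r\n,;]/', $raw)) {
        return null;
    }
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

function validate_header_text(string $raw, int $maxLen = 100): ?string
{
    // The name goes into the From: display part; newlines are just as
    // dangerous there, and an over-long value is not a real name.
    if (preg_match('/[\r\n]/', $raw) || strlen($raw) > $maxLen) {
        return null;
    }
    return trim($raw);
}

function headers_hardened(array $post): ?string
{
    $name  = validate_header_text((string) ($post['name'] ?? ''));
    $email = validate_address((string) ($post['email'] ?? ''));
    if ($name === null || $email === null) {
        return null;
    }
    // Quote the display name so it cannot be mistaken for part of the address.
    $display = '"' . str_replace('"', '', $name) . '"';
    return "From: $display <$email>\r\nReply-To: $email";
}

// Demonstration (CLI): the vulnerable builder emits the smuggled Bcc: line;
// the hardened one refuses the request.
echo "vulnerable headers:\n", headers_vulnerable($request), "\n\n";
$headers = headers_hardened($request);
if ($headers === null) {
    http_response_code(400);
    echo "hardened: request refused (the live script would exit() here)\n";
} else {
    echo "hardened headers:\n", $headers, "\n";
}
```

The explicit character test runs before filter_var on purpose: it is the injection check, it is cheap, and it refuses anything carrying a newline or list separator regardless of what the address validator would otherwise accept. The same treatment belongs on every value that ends up in a header (Subject:, Reply-To:, a display name); the message body is the only field that may legitimately contain newlines, and it never goes into the headers argument of mail().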


        • fletch

          #5
          Re: PHP Email script being probed?

          wayne wrote:
          > Thank you for the quick response. I don't believe extra addresses can be
          > added, but is it possible to construct a form on a person's computer and
          > call the PHP script on the server from it?
          Yes it is. If you are putting values in hidden <input> fields you cannot
          assume what you put in comes back again. The Firefox Web Developer
          toolbar will allow a user to change these values. Also you could save
          the page with the form to disk and go and modify it. Or even write your
          own form, and just set the form's action to any page you like.

          --
          Fletch
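Added example, not code from the thread and not Fletch's: the hidden-field problem described above, with a script that relays to whatever recipient the request names beside one that maps a short form key to an address held on the server. The request arrays, recipient table, field names and the curl URL are constructed for illustration.

```php
<?php
// Added example, not from the thread: the hidden-field problem Fletch
// describes. Requests, recipients and the URL are constructed assumptions.

// A form that carries its recipient in a hidden field:
//   <input type="hidden" name="to" value="sales@example.com">
// That value is neither secret nor trusted. The attacker saves the page and
// edits it, or skips the form entirely and POSTs straight to the script:
//   curl -d 'to=anyone@example.net&msg=spam' https://example.com/contact.php
$forged = ['to' => 'anyone@example.net', 'dept' => 'billing', 'msg' => 'spam'];
$honest = ['dept' => 'sales', 'msg' => 'I have a question'];

// --- Vulnerable: the script relays to whatever address the request names,
//     which turns the contact form into an open mail relay.
function recipient_vulnerable(array $post): ?string
{
    return $post['to'] ?? null;
}

// --- Hardened: the form submits only a short key; the address lives on the
//     server. An unknown key means the request did not come from our form,
//     so it is refused rather than silently defaulted.
const RECIPIENTS = [
    'sales'   => 'sales@example.com',
    'support' => 'support@example.com',
];
const SUBJECTS = [
    'sales'   => 'Sales enquiry',
    'support' => 'Support request',
];

function recipient_hardened(array $post): ?string
{
    $key = (string) ($post['dept'] ?? '');
    return RECIPIENTS[$key] ?? null;
}

// The same rule covers every other hidden or pre-filled value (subject line,
// redirect target, "sender" field): re-derive it server-side from the key,
// never from what the browser sent back.
function build_outgoing(array $post): ?array
{
    $to = recipient_hardened($post);
    if ($to === null) {
        return null;   // caller answers with a 400 and exit()s, nothing is sent
    }
    $key = (string) $post['dept'];
    return ['to' => $to, 'subject' => SUBJECTS[$key]];
}

foreach (['forged' => $forged, 'honest' => $honest] as $label => $post) {
    printf("%-6s vulnerable => %s\n", $label, recipient_vulnerable($post) ?? '(none)');
    $out = build_outgoing($post);
    printf("%-6s hardened   => %s\n", $label,
        $out === null ? 'refused' : $out['to'] . ' / ' . $out['subject']);
}
```

Treat anything that arrives in $_POST or $_GET, hidden fields included, exactly like the visible text fields: it is attacker-controlled input and is validated against what the server already knows, not trusted because the page put it there.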

