  1. #1
    5 Star Lounger
    Join Date
    Jul 2002
    Location
    Hatsukaichi, Hiroshima, Japan
    Posts
    904
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Problems with security of PHP Forms

    Hello, I look after the website for the Teaching Children Special Interest Group - at least I try to - I'm a volunteer with limited experience. Recently, it seems as if someone is trying to hack the forms on our website to send spam. I've received emails where every field is filled with a bogus email address, even check boxes. The two forms that have been targeted are at:

    http://www.tcsigjalt.org/e/tlc/index.php and http://www.tcsigjalt.org/e/tlc/whatcanIdomonday.php

    How can a checkbox be used to send an email address? How can a required field be by-passed? I'd be grateful for any answers but more importantly for any tips to make the forms more secure. I did a Google search and found this interesting thread:

    http://support.jodohost.com/showthread.php?t=5436

    I follow some of it but not most of it. Any help would be appreciated.

    Thanks,

    Chris (Hunt)

  2. #2
    Super Moderator jscher2000
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Problems with security of PHP Forms

    You have linked to a very valuable thread, but it is hard to grasp all the details without a good knowledge of client and server side form handling. And my knowledge of PHP is very limited, so understanding the proposed solution probably is beyond me.

    > How can a checkbox be used to send an email address?

    > How can a required field be by-passed?

    Here's an example. I downloaded a form from a web site and hacked it to behave the way I wanted. I changed the order of the fields, made drop-downs into radio buttons, and had the results launch in a new window. The server has no clue. In my opinion, I am not abusing the site in any way, but it's possible that the web site owner sees it differently. So far, they haven't contacted me to discuss.

    But what if I had made more radical changes? For example, what if I changed a field that expects a 3-letter-acronym to one that inserted numerous pages of text? Or I changed the type of an input from checkbox to text? Because I control my own page, I can remove the client-side validation from it and make lots of other changes. Your server receives pairs of variable names and data, and has no idea about my other changes. For this reason, all server-side code that accepts parameters needs to examine those parameters before acting on them. Never ever trust that a submission follows the rules set in your form.

    Getting back to your forms, you could make them slightly less convenient by requiring something harder to spoof. This could be a cookie or a dynamically generated session key, or taking some action on a confirmation page. Or perhaps the simplest is to change your form to include a hidden field that would be difficult for a spammer to fake. One thought is a hash or other encrypted version of the current user's PHP session key. This could be compared with a hash of the real session key upon submission. Of course, they might figure this out eventually, but it seems worth a try.
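
    The two suggestions in the reply above (examine every parameter on the server, and add a hidden field derived from the PHP session), as an added PHP example that is not part of the original thread. The field names name, email, newsletter and form_token are assumptions, not the fields of the forms linked in the thread.

```php
<?php
// Added example: field names (name, email, newsletter, form_token) are hypothetical.
session_start();
// Token for the hidden field: an HMAC of the session ID under a per-session secret.
function form_token(): string {
    if (empty($_SESSION['form_secret'])) {
        $_SESSION['form_secret'] = bin2hex(random_bytes(32));
    }
    return hash_hmac('sha256', session_id(), $_SESSION['form_secret']);
}

// Check every submitted value on the server; returns a list of error messages.
function validate_submission(array $post): array {
    $errors = [];
    $token = $post['form_token'] ?? '';
    if (!is_string($token) || !hash_equals(form_token(), $token)) {
        $errors[] = 'missing or wrong form token';
    }
    // Required single-line text field: enforce presence, length, no line breaks.
    $name = $post['name'] ?? '';
    if (!is_string($name) || $name === '' || strlen($name) > 100
        || preg_match('/[\r\n]/', $name)) {
        $errors[] = 'name is required, max 100 characters, one line';
    }
    // Required e-mail field: must parse as a single address.
    $email = $post['email'] ?? '';
    if (!is_string($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    // Checkbox: either absent, or exactly the value the real form sends.
    if (isset($post['newsletter']) && $post['newsletter'] !== 'yes') {
        $errors[] = 'unexpected checkbox value';
    }
    return $errors;
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validate_submission($_POST);
    if ($errors) {
        http_response_code(400);
        exit('Submission rejected: ' . htmlspecialchars(implode('; ', $errors)));
    }
    // Only validated values reach this point; the mail code would go here.
    exit('Thank you.');
}
?>
<form method="post">
  <input type="hidden" name="form_token" value="<?= htmlspecialchars(form_token()) ?>">
  <input name="name"> <input name="email"> <input type="checkbox" name="newsletter" value="yes"> <button>Send</button>
</form>
```

    A POST sent straight to the script from a copy of the form saved elsewhere carries no session cookie, so the token comparison fails, and the checkbox test rejects any value other than the one the real form sends.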

  3. #3
    5 Star Lounger

    Re: Problems with security of PHP Forms

    Thanks for the reply, it sheds a lot of light. The problem is even more complex than I thought! What I don't understand is how you send your hacked form to the server. Don't you need to upload the page to the server? Do you mean that your hacked form is uploaded elsewhere and sends the results to a form on another server?

    Bothered and bewildered,

    Chris

  4. #4
    Super Moderator jscher2000

    Re: Problems with security of PHP Forms

    > What I don't understand is how you send your hacked form to the server.

    I don't need to get my form on any particular web site, I just need to post to the correct script. In my form, which is on my desktop, I "fix" the URL by using the complete path to the script to which I want to submit the form data: <form action="http://their.server/their_folder/their_script.php" method="post">

  5. #5
    5 Star Lounger

    Re: Problems with security of PHP Forms

    > I don't need to get my form on any particular web site, I just need to post to the correct script.

    Doh! Of course!

    Thanks,

    Chris
