Thursday, April 7, 2011

aFormMail php script

I downloaded a PHP script and used it extensively throughout my website. It looked like a PHP version of FormMail, a Perl (CGI) script. I removed it as it proved to be problematic.

FormMail is an "open" script that is called by a web form and contains the code that runs the mail command on the web server. It takes the input fields from the web form, both hidden and visible, and passes their data to the mail command.

The main reason this is potentially unsafe is that the hidden fields often contain information you do not want revealed to the outside world, such as passwords and the email addresses of an internal distribution list; anyone viewing the page source can read them.

In addition, the form can be compromised and the script can have data injected into it by an attacker. Using a form with this type of processing is generally a bad idea for a website: such scripts are found relatively easily, and you will then see mail (spam) being sent from your server.
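The safer alternative the post implies is to keep the recipient out of the form entirely and to refuse any submitted value that could reach a mail header. The handler below is an added example written for this post, not the aFormMail.php code; the `$RECIPIENTS` keys, the field names and the example.invalid addresses are assumptions.

```php
<?php
// Added example, not aFormMail.php: a minimal contact-form handler that avoids
// the two FormMail weaknesses described above. The recipient is never read
// from a hidden form field; it is looked up server-side by a short key, so the
// address list never appears in the page's HTML. Every value that ends up in a
// mail header is rejected if it contains CR/LF, so a submitted field cannot
// smuggle extra headers into the message. Keys and field names are hypothetical.

$RECIPIENTS = [                      // server-side only; never sent to the browser
    'sales'   => 'sales@example.invalid',
    'support' => 'support@example.invalid',
];

function clean_header_value(string $value, int $max = 200): ?string {
    // Header injection needs a line break; refuse any value that carries one.
    if (preg_match('/[\r\n\x00]/', $value)) {
        return null;
    }
    $value = trim($value);
    return (strlen($value) === 0 || strlen($value) > $max) ? null : $value;
}

function build_message(array $post, array $recipients): ?array {
    // 'dept' is a lookup key, not an address, so the form cannot choose the target.
    $to      = $recipients[$post['dept'] ?? ''] ?? null;
    $from    = clean_header_value($post['email'] ?? '');
    $subject = clean_header_value($post['subject'] ?? '', 120);
    if ($to === null || $from === null || $subject === null
        || filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null;                                   // reject, do not "fix up"
    }
    // Body text is free-form, but cap it and strip control characters.
    $body    = substr(preg_replace('/[^\P{C}\n\t]/u', '', $post['message'] ?? ''), 0, 4000);
    $headers = "From: noreply@example.invalid\r\nReply-To: $from\r\n";
    return ['to' => $to, 'subject' => $subject, 'body' => $body, 'headers' => $headers];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $msg = build_message($_POST, $RECIPIENTS);
    if ($msg === null) {
        http_response_code(400);
        exit('Invalid submission.');
    }
    mail($msg['to'], $msg['subject'], $msg['body'], $msg['headers']);
    echo 'Thanks, your message was sent.';   // never echo submitted fields back
}
```

Because the From header is fixed to the site's own domain and the visitor's address only goes into Reply-To, the server cannot be turned into an open relay for arbitrary senders even if a field is tampered with.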


4 comments:

Anonymous said...

I would love to know what you decided to do with regards to scripting.

Anonymous said...

So what do I do about these types of scripts?

I want to have a means for my visitors to give feedback, but web forms seem so insecure.

New York said...

I am very interested to know how you can get the form information to display on your screen.

This would be a great way to see the fields in the form so that I could determine the correct ones to inject false data into. This way I could make the injection result look like it was a legitimate message.

Chester said...

What are the problems that you can get when you use the aformmail.php script on a web page contact form?