
Weird Form Responses: Is This a Security Risk?



12:02 pm on Jan 4, 2007 (gmt 0)

10+ Year Member

I use php feedback forms on my sites - they are info based and not blog related

They are well packaged and supposedly very secure with various elements in place to reduce exposure to things such as injection viruses etc

In the last month I have noticed a couple of enquiries coming in that are obvious spam but the coding is so weird that it suggests something more sinister than an automated link drop.

I've received a few today with the following quoted in the comments box:

You did this great job here!
cialis [chsbs.]
href=\"http://www.chsbs. example.edu/iopa/_disc1/0000

Can anyone confirm whether these forms are just misdirected link spam aimed at blog comment software, or something more worrying?

Is there any mechanism through which a hacker can cause damage to your site or even hijack it through the php response form?

Any advice much appreciated

[edited by: jatar_k at 2:46 pm (utc) on Jan. 4, 2007]
[edit reason] examplified url [/edit]


12:53 pm on Jan 4, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

Looks like classic link spam. Those are just complex URIs. Nothing too sinister (for spam).


1:55 pm on Jan 4, 2007 (gmt 0)

10+ Year Member

Nothing to worry about. I used to get similar emails, but now I filter out any email with "<a href=" or "[url=" in it.


2:53 pm on Jan 4, 2007 (gmt 0)

5+ Year Member

Is there any mechanism through which a hacker can cause damage to your site or even hijack it through the php response form?

Not with this sort of spam but you ought to be aware of the potential security holes that exist. You should make sure that the PHP option register_globals is off and that your script does not require it, and that any input data is properly escaped before being processed (the classic mistake being to take input data and use it in an SQL query without ensuring all special characters are escaped).

If as you say your form is secure then the developer will have thought about these matters, but if, for example, the forms were developed by a skilled developer then adapted by a novice for your particular purpose it is entirely possible that loopholes will have been introduced.
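As an added illustration of the "escape before use in SQL" point in the reply above (this is example code, not the thread's or any poster's form script), the following stores an enquiry with a PDO prepared statement so that form fields are always passed as data, never spliced into the query text. The table name `enquiries`, its columns, and the DSN are assumed placeholders; the unsafe function is shown only as the "before" form and is never called.

```php
<?php
// Added example, not code from the thread. Assumes a table
// enquiries(name, email, message); DSN and credentials are placeholders.

declare(strict_types=1);

// Refuse to run under register_globals, as the reply advises. On PHP versions
// that removed the option ini_get() returns false, which is treated as "off".
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    http_response_code(500);
    exit('register_globals must be off');
}

// "Before" form: field values spliced straight into the SQL string. A single
// quote in any field breaks the statement, and crafted input changes its
// meaning. Kept here only for comparison; never call it.
function saveEnquiryUnsafe(PDO $db, array $post): void
{
    $sql = "INSERT INTO enquiries (name, email, message) VALUES ("
         . "'{$post['name']}', '{$post['email']}', '{$post['message']}')";
    $db->exec($sql); // do not use
}

// Hardened form: values are bound as parameters, so the driver sends them
// separately from the SQL text whatever characters they contain.
function saveEnquiry(PDO $db, array $post): int
{
    $name    = trim((string)($post['name'] ?? ''));
    $email   = trim((string)($post['email'] ?? ''));
    $message = trim((string)($post['message'] ?? ''));

    // Basic validation before the database ever sees the data.
    if ($name === '' || $message === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('missing or malformed field');
    }
    if (strlen($name) > 100 || strlen($message) > 4000) {
        throw new InvalidArgumentException('field too long');
    }

    $stmt = $db->prepare(
        'INSERT INTO enquiries (name, email, message) VALUES (:name, :email, :message)'
    );
    $stmt->execute([':name' => $name, ':email' => $email, ':message' => $message]);
    return (int)$db->lastInsertId();
}

// Usage (placeholder DSN and credentials):
// $db = new PDO('mysql:host=localhost;dbname=site', 'user', 'pass', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
// ]);
// $id = saveEnquiry($db, $_POST);
```

Turning emulated prepares off makes the MySQL driver send parameters separately from the statement rather than quoting them client-side, which is the property the reply is asking for.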


11:17 am on Jan 5, 2007 (gmt 0)

10+ Year Member

Very much appreciate your replies - seems that this might just be a pathetic attempt at link spam.

I have received some more today and it becomes increasingly bizarre:

"hamContent-Transfer-Encoding: quoted-printableContent-Type: text/htmlSubject: that time itbcc: lianna@example.comry cured hams require a prolonged period of rehydration prior to consumptio=n=2E wet cured ham has been cured with a brine, either by immersion or inje=ction. he679c4c6da97a5d98679c46e1634a8c40."

Is there a big market for cured ham on the web?

Curiously they've targeted only one page on a large site to send in these nonsensical forms.

Had a few that mention "transfer-encoding" and I don't like seeing the word "inje=ction", but right now I'm not going to lose any sleep over it.

[edited by: jatar_k at 2:25 pm (utc) on Jan. 5, 2007]
[edit reason] examplified [/edit]


1:29 pm on Jan 5, 2007 (gmt 0)

10+ Year Member

Many spam agents send out what I call 'recon units' with the intent of finding valid email addresses or working forms to hijack. One of my clients was getting spam through their email form. I fixed it easily by changing the field names to something really bizarre...then, the bots didn't know what to put where, or that it was even a form that would email.


2:26 pm on Jan 5, 2007 (gmt 0)

WebmasterWorld Administrator jatar_k is a WebmasterWorld Top Contributor of All Time 10+ Year Member

it looks like standard spam, a lot of gibberish (though well constructed gibberish) to beat email anti spam filters.

you should look at the message source from some of the spam you get, you will see tons of this kind of stuff.


2:52 pm on Jan 8, 2007 (gmt 0)

10+ Year Member

Sorry to drag this out but I've seen a new development today that does worry me.

On my enquiry form email response that we receive from the customer I have a subject line that is different on every page - so for example you would have:

Widget enquiry - BLUE
Widget enquiry - RED

Now today I've seen that the spammers are somehow managing to amend the subject line text which is embedded within the html on the page - it's not hidden at all but is simply quoted within the name="postedfrom" value= attribute.

Is this something that needs fixing? If they can change this does it suggest a wider problem, or is the subject line in this context easy to adjust provided it's visible in the html of the page?

It really makes no sense to me but I guess these aholes may be wrongly assuming that the form is a "comment" blog form and therefore links will be enabled on posting

Thanks for all your comments so far


3:23 pm on Jan 8, 2007 (gmt 0)

WebmasterWorld Administrator jatar_k is a WebmasterWorld Top Contributor of All Time 10+ Year Member

take a look through these threads from our PHP Library [webmasterworld.com]

Combatting Webform Hijack [webmasterworld.com]

PHP Security [webmasterworld.com]

it looks like you aren't properly cleaning the form input. If they are changing the subjects then that is a rather serious problem.


3:57 pm on Jan 8, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

I scan my forms for headers in the subject and body. To addresses cannot be entered directly, but are matched up to database entries after the fact.

If I find any headers, the email doesn't get sent, and a "Tastes Like SPAM" message is shown. The same for blank subjects and bodies (the typical "ping" message from spammers testing the waters).
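The two ideas in this reply (scan every field for mail headers before sending, and never take the destination address from the form) also answer the earlier question about the subject line being changed through the `postedfrom` value: anything the browser sends can be rewritten, so the subject and recipient have to be looked up server-side from a short key. The sample spam quoted earlier in the thread contains `bcc:`, `Subject:` and `Content-Transfer-Encoding:` fragments, which is exactly what a header scan catches. This is an added example, not code from the thread or from any poster's form; the route table, field names and addresses are constructed placeholders, and the `<a href=` / `[url=` rejection from an earlier reply is folded in.

```php
<?php
// Added example, not code from the thread. Field names, the FORM_ROUTES table
// and the addresses in it are constructed placeholders.

declare(strict_types=1);

// Server-side map from a per-page form id to subject and recipient. The page
// only posts the key, so the subject text itself is never editable by the client.
const FORM_ROUTES = [
    'widget-blue' => ['subject' => 'Widget enquiry - BLUE', 'to' => 'sales@example.com'],
    'widget-red'  => ['subject' => 'Widget enquiry - RED',  'to' => 'sales@example.com'],
];

// True when a single-line field carries a raw or URL-encoded line break, or
// text shaped like a mail header. Either means someone is trying to append
// headers to the message that mail() builds.
function looksLikeHeaderInjection(string $value): bool
{
    if (preg_match('/[\r\n]|%0[ad]/i', $value)) {
        return true;
    }
    return (bool)preg_match(
        '/\b(to|cc|bcc|from|subject|content-type|content-transfer-encoding|mime-version)\s*:/i',
        $value
    );
}

// Validate a submission. Returns null when it must be rejected (the reply's
// "Tastes Like SPAM" case), otherwise the to/subject/body/headers for mail().
function buildEnquiryMail(array $post): ?array
{
    $route = FORM_ROUTES[(string)($post['form_id'] ?? '')] ?? null;
    if ($route === null) {
        return null; // unknown form id: not one of our pages
    }

    $name  = trim((string)($post['name'] ?? ''));
    $email = trim((string)($post['email'] ?? ''));
    $body  = trim((string)($post['comments'] ?? ''));

    // Blank "ping" submissions and obvious link drops are rejected outright.
    if ($name === '' || $body === '') {
        return null;
    }
    if (stripos($body, '<a href=') !== false || stripos($body, '[url=') !== false) {
        return null;
    }

    // Single-line fields must never contain header syntax.
    foreach ([$name, $email] as $field) {
        if (looksLikeHeaderInjection($field)) {
            return null;
        }
    }
    // The body may span lines, but no line may be a mail header.
    if (preg_match('/^(to|cc|bcc|from|subject|content-type|content-transfer-encoding)\s*:/im', $body)) {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    return [
        'to'      => $route['to'],        // from the table, never from the form
        'subject' => $route['subject'],   // likewise
        'body'    => "From: {$name} <{$email}>\n\n{$body}",
        // Reply-To is built only from a value that has passed the checks above.
        'headers' => ['Reply-To' => $email],
    ];
}

// Usage in the form handler:
// $mail = buildEnquiryMail($_POST);
// if ($mail === null) { exit('Tastes Like SPAM'); }
// mail($mail['to'], $mail['subject'], $mail['body'], $mail['headers']);
```

The body check is anchored to the start of a line so that an ordinary sentence mentioning "the subject: cured ham" passes, while a line that is itself a header does not; tighten or loosen that pattern to suit the forms you run.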


9:35 pm on Jan 8, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

Also check for form processing requests from an alien domain/IP (like a request for the result page from an address that didn't also request the form page). Sometimes spammers take a copy of a form page and attempt to modify and use it from their own server, processing it through your server, if possible. If you can, on the result page, check to make sure the request came from your server's IP only and reject any other requests.
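One way to implement the check this reply describes (a submission should come from a client that first loaded the form page) without relying on IP addresses or Referer headers is a per-session token: the form page stores a random value in the session and embeds it in a hidden field, and the handler accepts the POST only when the two match. This is an added example, not the thread's or any poster's code, and the token-based approach is a substitute for the IP comparison suggested above; the field and session key names are assumed.

```php
<?php
// Added example, not code from the thread. A copy of the form served from
// another host has no session with this server, so it cannot present a valid
// token. Field and session key names are constructed placeholders.

declare(strict_types=1);

// Call while rendering the form page; returns the hidden input to embed.
function issueFormToken(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $token = bin2hex(random_bytes(32));          // 256 bits of CSPRNG output
    $_SESSION['form_token']        = $token;
    $_SESSION['form_token_issued'] = time();
    return '<input type="hidden" name="form_token" value="'
         . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Call in the handler before doing anything else. Returns true only for a
// submission carrying the token this session was issued, within $maxAge seconds.
// $session is passed by reference so the token can be consumed on success.
function verifyFormToken(array $post, array &$session, int $maxAge = 3600): bool
{
    $expected = $session['form_token'] ?? null;
    $issued   = (int)($session['form_token_issued'] ?? 0);
    $given    = $post['form_token'] ?? null;

    // No token in the session means the form page was never requested here.
    if (!is_string($expected) || !is_string($given)) {
        return false;
    }
    // Constant-time comparison so timing does not leak the expected value.
    if (!hash_equals($expected, $given)) {
        return false;
    }
    if (time() - $issued > $maxAge) {
        return false;
    }
    // One submission per token: a replayed POST with the same token is refused.
    unset($session['form_token'], $session['form_token_issued']);
    return true;
}

// Usage in the handler:
// session_start();
// if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !verifyFormToken($_POST, $_SESSION)) {
//     http_response_code(403);
//     exit('This form was not requested from this site');
// }
```

Because the token lives in the visitor's own session, the check keys on "did this client load our form page" rather than on network addresses, which are unreliable for visitors behind shared proxies.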


10:21 am on Jan 11, 2007 (gmt 0)

10+ Year Member

Thanks again for the replies

Business levels are normal and forms are still coming in so I'm shocked that the issues raised are serious. Clearly though I'm not going to sit here and wait for things to go bang.

Main problem I have is that I am not a programmer and I have insufficient knowledge to deal with these key security issues myself.

Instead I will need to outsource and my preference is to simply start over with a new form. It's cheaper and I think I'd feel more comfortable doing this.

I have been speaking to some programmers about a more advanced form and as usual you are torn between losing customers because the form is too complex or keeping things secure by adding for example image verification etc. I'm going to opt for the latter because I can't risk any more problems like this.

Can anyone recommend a secure form mechanism - CAPTCHA has been mentioned to me as one such option

Many thanks


12:46 pm on Jan 11, 2007 (gmt 0)

WebmasterWorld Administrator coopster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

There is a resourceful thread in the Accessibility and Usability Forum [webmasterworld.com] here at WebmasterWorld that answers the question Is CAPTCHA accessible and usable? [webmasterworld.com] In that discussion there are alternatives and links to discussions on the alternatives.


4:18 pm on Jan 11, 2007 (gmt 0)

10+ Year Member

Many thanks coopster
