
WordPress PHP Contact Form - Security flaws

Submitted by: @import:stackexchange-codereview
Tags: contact, php, flaws, wordpress, security, form

Problem

I have the following contact form, included with my WordPress theme as a template.

Now a user on Stack Overflow pointed out that this form has some serious security vulnerabilities.

Could someone please point them out and tell me where I can improve?

Form:

```
' . "\r\n" . 'Reply-To: ' . $email;

if(mail($emailTo, $subject, $body, $headers)) $emailSent = true;

}

}
get_header();
?>

ID, 'snbpd_ph_disabled', true) != 'on' ) : ?>
ID, 'snbpd_phitemlink', true)!= '') : ?>
ID, 'snbpd_phitemlink', true) );
$thumb = wp_get_attachment_image_src($thumbId, 'page-header', false);
?>
" alt="" />
" alt="" />
/library/images/inner-page-bg.jpg" />
ID, 'snbpd_pagedesc', true)== '') { ?>/ ID, 'snbpd_pagedesc', true); ?>
" role="article">
">
>
Thanks! Your email was successfully sent. We should be in touch soon.', 'site5framework'); ?>
```

Solution

And they didn't give ANY more detail? That was mean!

I think they meant cross-site scripting attacks, since your form does not check the form's referrer or remove HTML or JavaScript, and you echo out what the user has typed in; that means they could add JavaScript to your site. Conceivably someone could set something up on their website that posts to your form and executes JavaScript on your site: https://en.wikipedia.org/wiki/Cross-site_scripting

See this simple example:

```
<form action='<?=$_SERVER['PHP_SELF']?>' method='post'>
<?php
   $value = (!empty($_POST['hello'])) ? $_POST['hello'] : '';
?>
<input type="text" name="hello" value="<?=$value?>" />
<input type='submit'/>
</form>
```


If I run that in a browser I get the box; I type in test and the value is "test" on page reload, but if I type in

```
"><script>alert('danger!')</script>
```


Note the `">` which ends the input field, allowing the code to run. Now imagine if that was code that grabbed people's login cookies, or worse, provided a login or registration form that sent your customers' details to a spammer.

As it happens, Google Chrome tells me

```
Refused to execute a JavaScript script. Source code of script found within request.
```


and everything is safe... but people with older browsers beware!

Some other things to address:

- As touched on above, check the referrer is not coming from a remote site before sending the email; you might want to consider letting a blank referrer through for people with web privacy software, but a referrer from some dodgy-sounding hacker domain? Ignore that submission.

- You are not using WordPress' nonce feature, http://codex.wordpress.org/Function_Reference/wp_nonce_field, which:

  > The nonce field is used to validate that the contents of the form request came from the current site and not somewhere else. A nonce does not offer absolute protection, but should protect against most cases. It is very important to use nonce fields in forms

- I don't know of anything in particular that affects the PHP mail function, and it will depend on what server OS you are using, but there might be vulnerabilities in that similar to the JS problem. You might want to look into updates / known issues for your platform to make sure people can't force your server to send emails; a theoretical example: if the name field is posted as some malformed string

  `^'; \r\n; bcc: spamvictim@example.com`

  it could email anything to anyone; but I stress that is only theoretical, that syntax I invented - more research for your specific platform(s) is required.

- You are using eregi, which has been deprecated for a while in favor of the preg functions. I have not heard of any security issues with it (but then I haven't looked, because I use preg), but best change it because you might find it removed from PHP soon.

- Your form does not check for a maximum length of comment, so unless there is something at the webserver level to stop it, someone could post huge comments to you which would then jam up your email or your server's sendmail - never seen this happen, but still.

- You might want to consider using a service like http://akismet.com/ to protect your form from spammers (that may even protect you from a lot of the above).
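As an added example (not the asker's theme code or the answerer's snippet), here is plain PHP covering the points the answer raises: escaping echoed values, rejecting CR/LF in anything that reaches a mail header, a comment length cap, preg_match in place of eregi, and a CSRF token check. The field names (`name`, `email`, `comments`, `token`) and the `esc_attr_demo`/`safe_*` helper names are assumptions; in a WordPress theme the token would be wp_nonce_field()/wp_verify_nonce() and the escaping esc_attr().

```php
<?php
// Added example (not the asker's theme or the answerer's snippet): plain PHP,
// runnable outside WordPress, for the points the answer raises. Field and helper
// names are assumptions; WordPress has wp_nonce_field()/wp_verify_nonce(), esc_attr().
const MAX_NAME_LEN = 100, MAX_COMMENT_LEN = 5000;  // cap huge POSTs before mail()

// Output escaping the template lacked when echoing values back: the answer's
// "><script>... payload can no longer close the value="" attribute.
function esc_attr_demo(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// preg_match() replaces the deprecated eregi(); CR/LF in the address would let
// extra headers (Bcc:, Cc:) be appended to the Reply-To line, so reject it.
function safe_email(string $email): ?string {
    $email = trim($email);
    if (strlen($email) > 254 || preg_match('/[\r\n]/', $email)) { return null; }
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false ? $email : null;
}

// Any value placed in a mail header (e.g. the sender name) must be one bounded
// line; "x\r\nBcc: spamvictim@example.com" fails this check.
function safe_header_value(string $value, int $max): ?string {
    $value = trim($value);
    if ($value === '' || strlen($value) > $max || preg_match('/[\r\n]/', $value)) { return null; }
    return $value;
}

// Validate one POST body -> [cleaned fields, error messages]. The token is the
// CSRF stand-in for a WordPress nonce; hash_equals() compares in constant time.
function validate_contact(array $post, string $expected_token): array {
    $errors = [];
    if (!hash_equals($expected_token, (string)($post['token'] ?? ''))) {
        $errors[] = 'Form token missing or invalid (CSRF check).';
    }
    $name  = safe_header_value((string)($post['name'] ?? ''), MAX_NAME_LEN);
    $email = safe_email((string)($post['email'] ?? ''));
    $msg   = (string)($post['comments'] ?? '');
    if ($name === null)  { $errors[] = 'Invalid name.'; }
    if ($email === null) { $errors[] = 'Invalid email address.'; }
    if ($msg === '' || strlen($msg) > MAX_COMMENT_LEN) { $errors[] = 'Comment missing or too long.'; }
    return [compact('name', 'email', 'msg'), $errors];
}

// Constructed samples: the answer's XSS payload, then a header-injection attempt.
echo esc_attr_demo('"><script>alert(\'danger!\')</script>'), PHP_EOL;
$token = bin2hex(random_bytes(16));  // would normally come from the session
[, $errors] = validate_contact(['token' => $token, 'name' => "x\r\nBcc: spamvictim@example.com",
    'email' => 'alice@example.com', 'comments' => 'Hello'], $token);
assert($errors === ['Invalid name.']);
```

The escaped payload comes out as inert text inside the attribute, and the submission with a CR/LF in the name is refused before anything is handed to mail().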

Code Snippets

```
<form action='<?=$_SERVER['PHP_SELF']?>' method='post'>
<?php
   $value = (!empty($_POST['hello'])) ? $_POST['hello'] : '';
?>
<input type="text" name="hello" value="<?=$value?>" />
<input type='submit'/>
</form>
```

```
"><script>alert('danger!')</script>
```

```
Refused to execute a JavaScript script. Source code of script found within request.
```

Context

StackExchange Code Review Q#25416, answer score: 4
