I got an email saying that there are vulnerabilities with the script. I am running the latest version and don't believe their claim. I just wanted you to see their claim and to let me know if it is an issue. I am including the person's information if you wish to ask them questions. Thanks for a great product, and I look forward to your answer.
Email----
As we tested your site, it turns out that there are fields in your web site pages from which someone can execute scripts.
These are the steps we took to discover these vulnerabilities:
From the Contact Us page, we manipulated the source code to show a hidden input field (name = required, value = email). In that field, we inserted a harmless script: alert(document.domain)
We then clicked submit and the script was executed (you should see a small alert window with the domain name).
We found that issue in the info request page as well.
What you need to do is to make sure that all the input fields, hidden or not, are sanitized before being executed. What that means is that you replace characters such as < > " ' and - with their hex representation, or remove them altogether, so that there is no possibility of a malicious script being executed that can compromise your customers' private information or their system.
Once you think you have sanitized the website input fields, run another scan. If all the fields are sanitized, you should get a passing scan.
Let us know if you have any further questions.
--
Daniel Rodriguez
SecurityMetrics
Technical Support
801.705.5700 Support
801.724.9600 Main
801.724.9700 fax
0207.993.8031 UK Support
www.securitymetrics.com
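The flaw the email describes is reflected cross-site scripting: the form handler copies a submitted value (here the hidden `required` field, which lists which fields must be filled in) back into the HTML it sends to the browser without encoding it, so a tampered value is rendered as markup. The PHP below is an added example and is not code from this thread or from PHPFormmail itself; the function names, the meaning given to the `required` field, the allow-list and the sample request are all constructed. It shows the vulnerable reflection beside a hardened version that uses HTML-entity encoding via `htmlspecialchars` together with an allow-list of field names, rather than the hex replacement the email suggests.

```php
<?php
// Added example (not part of the original thread or of PHPFormmail).
// Demonstrates reflected XSS through a hidden form field and one way to fix it.
// All function names, field names and sample data below are constructed.

declare(strict_types=1);

// Vulnerable pattern: the attacker-controlled 'required' list is interpolated
// straight into HTML when reporting which fields are missing.
function render_missing_vulnerable(array $post): string
{
    $fields = explode(',', $post['required'] ?? '');
    $html = '';
    foreach ($fields as $f) {
        if (($post[$f] ?? '') === '') {
            $html .= "<li>The field $f is required.</li>\n"; // reflected as-is
        }
    }
    return $html;
}

// Hardened pattern: only known field names are accepted, and whatever is
// reflected is HTML-encoded on output (quotes included, via ENT_QUOTES).
function render_missing_hardened(array $post, array $allowedFields): string
{
    $fields = explode(',', $post['required'] ?? '');
    $html = '';
    foreach ($fields as $f) {
        $f = trim($f);
        if (!in_array($f, $allowedFields, true)) {
            continue; // unknown name: ignore rather than echo it back
        }
        if (($post[$f] ?? '') === '') {
            $safe = htmlspecialchars($f, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            $html .= "<li>The field $safe is required.</li>\n";
        }
    }
    return $html;
}

// Free-text values that are echoed back (a thank-you line, for instance)
// get the same treatment: encode for the HTML body context at output time.
function thank_you(array $post): string
{
    $name = htmlspecialchars($post['name'] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Thanks, $name, your message was sent.</p>\n";
}

// Constructed sample request: the hidden 'required' field has been tampered
// with in the way the email describes, and the name contains markup.
$tampered = [
    'required' => 'email,<script>alert(document.domain)</script>',
    'email'    => '',
    'name'     => '<b onmouseover="x()">Jane</b>',
];
$allowedFields = ['email', 'name', 'message'];

echo "Vulnerable:\n", render_missing_vulnerable($tampered), "\n";
echo "Hardened:\n",   render_missing_hardened($tampered, $allowedFields),
     thank_you($tampered), "\n";
```

Run it with `php example.php`: the vulnerable function emits the `<script>` element unchanged inside a list item, while the hardened one lists only `email` and renders the name as literal text. Note that `htmlspecialchars` is correct for values placed in the HTML body or in quoted attributes; a value placed inside a `<script>` block or a URL needs encoding for that context instead.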
Thank you for the information. I've emailed the company and am awaiting a reply. In the meantime, could you email me the address of your form and formmail.php please. The email is my name without the M at boaddrink dot com.
-Andrew M Riley
Did you get the information that I sent you and do you have any word on this?
The company you listed has not replied yet, so I'm going to have to do this the hard way...
-Andrew
How are you doing on it?
Any word on whether there are any issues with this?
Are there any issues with this? I have people asking if they should stop using it.
I've received the information from the company and will be testing it.
How are you doing on this?
Thanks for taking the time.
ANOTHER VULNERABILITY QUESTION
I have the Classic v1.07.2 script installed and believe that it's been hacked. There was a parse error today, and when I downloaded the formmail to check it, JavaScript had been added with print instructions at the end pointing to nemr.ru/fgg.
I obviously removed it and reinstalled a clean version. Is there a vulnerability or do I need to modify some settings?
Thanks.
It sounds like either your server/account was hacked, or another script you run was. PHPFormmail doesn't have the ability to read/write any files, and there should be no calls that allow for code execution.
-Andrew M Riley
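The modification described in this post was only noticed because a parse error happened to surface and the file was downloaded and read by hand. A file-integrity baseline catches the same thing without luck: hash every file of the installed script once after a clean install, store the hashes somewhere the web server cannot write to, and compare periodically. The PHP below is an added example, not code from this thread or from PHPFormmail; the directory layout, file contents and the simulated modification are constructed in a temporary directory so the script runs on its own.

```php
<?php
// Added example (not part of the original thread or of PHPFormmail).
// A minimal SHA-256 file-integrity baseline and comparison. An appended
// payload shows up as "changed"; a dropped web shell shows up as "added".
// Directory layout, file contents and the tampering below are constructed.

declare(strict_types=1);

// Return [relative path => sha256 hex] for every regular file under $dir.
function baseline(string $dir): array
{
    $hashes = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if ($file->isFile()) {
            $rel = substr($file->getPathname(), strlen($dir) + 1);
            $hashes[$rel] = hash_file('sha256', $file->getPathname());
        }
    }
    ksort($hashes);
    return $hashes;
}

// Compare a stored baseline against a fresh scan.
function diff_baseline(array $known, array $current): array
{
    $report = ['changed' => [], 'added' => [], 'removed' => []];
    foreach ($current as $path => $hash) {
        if (!isset($known[$path])) {
            $report['added'][] = $path;
        } elseif (!hash_equals($known[$path], $hash)) {
            $report['changed'][] = $path;
        }
    }
    foreach (array_keys($known) as $path) {
        if (!isset($current[$path])) {
            $report['removed'][] = $path;
        }
    }
    return $report;
}

// --- Demo on a constructed temporary directory ---
$dir = sys_get_temp_dir() . '/formmail-demo-' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("{$dir}/formmail.php", "<?php\n// clean script (constructed)\n");
file_put_contents("{$dir}/config.php", "<?php\n\$recipient = 'you@example.com';\n");

// 1. Record the baseline right after a clean install. In practice keep this
//    file outside the web root, or off the server entirely.
$baselineFile = "{$dir}.baseline.json";
file_put_contents($baselineFile, json_encode(baseline($dir), JSON_PRETTY_PRINT));

// 2. Simulate what the post describes: something is appended to the script,
//    and an unexpected file appears next to it.
file_put_contents("{$dir}/formmail.php", "\n// appended line (constructed)\n", FILE_APPEND);
file_put_contents("{$dir}/extra.php", "<?php\n// unexpected new file (constructed)\n");

// 3. Compare a fresh scan with the stored baseline and report differences.
$stored = json_decode(file_get_contents($baselineFile), true, 512, JSON_THROW_ON_ERROR);
$report = diff_baseline($stored, baseline($dir));
foreach ($report as $kind => $paths) {
    foreach ($paths as $path) {
        echo "{$kind}: {$path}\n";
    }
}

// Clean up the demo directory and baseline.
array_map('unlink', glob("{$dir}/*"));
rmdir($dir);
unlink($baselineFile);
```

On this constructed input the report names formmail.php as changed and extra.php as added, while config.php is silent. The comparison uses `hash_equals` only out of habit; the important property is that the baseline is recorded from a known-clean copy and stored where a compromised web process cannot rewrite it, otherwise an attacker who can edit the script can update the baseline too.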