-
May 9th, 2007, 07:45 PM
#1
Thread Starter
Hyperactive Member
Contact Us Page Hacked
I am not too familiar with the way people hack into websites but am looking for some insight into the topic.
I put the following code on a friend's site and he claims that his site was hacked due to this code. Can anyone tell me why?
Code:
```php
<?php
// Strip tags and slashes from one submitted value and trim surrounding whitespace.
function clean($data) {
    $data = trim(stripslashes(strip_tags($data)));
    return $data;
}

// Reject the whole request if any field looks like a mail-header or script injection attempt.
$exploits = "/(content-type|bcc:|cc:|document.cookie|onclick|onload)/i";
$c = array();
foreach ($_POST as $key => $val) {
    $c[$key] = clean($val);
    if (preg_match($exploits, $val)) {
        exit("<p>No exploits, please!</p>");
    }
}

$show_form = true;
$error_msg = NULL;

if (isset($c['submit'])) {
    // Field validation. ereg() has been removed from PHP, so preg_match() is used
    // with the same patterns. The character-class checks are anchored at both ends
    // (the original only tested the first character) and use the D modifier so a
    // trailing newline cannot slip past the "$" anchor.
    if (empty($c['ChosDest']) || empty($c['firstname']) || empty($c['lastname']) || empty($c['email'])) {
        $error_msg .= "Program Type, First Name, Last Name, and E-mail are required fields. \n";
    } elseif (strlen($c['firstname']) > 25) {
        $error_msg .= "The first name field is limited at 25 characters. \n";
    } elseif (strlen($c['lastname']) > 40) {
        $error_msg .= "The last name field is limited at 40 characters. \n";
    } elseif (!preg_match("/^[A-Za-z' -]+$/D", $c['firstname'])) {
        $error_msg .= "The first name field must not contain special characters. \n";
    } elseif (!preg_match("/^[A-Za-z' -]+$/D", $c['lastname'])) {
        $error_msg .= "The last name field must not contain special characters. \n";
    } elseif ((strlen($c['location']) > 0) && !preg_match("/^[A-Za-z' -]+$/D", $c['location'])) {
        $error_msg .= "The location field must not contain special characters. \n";
    } elseif ((strlen($c['phone']) > 0) && !preg_match('/^[0-9 -]+$/D', $c['phone'])) {
        $error_msg .= "The phone field can only contain numbers. \n";
    } elseif (!preg_match('/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,6})$/D', strtolower($c['email']))) {
        $error_msg .= "That is not a valid E-mail address. \n";
    }

    if ($error_msg == NULL) {
        $show_form = false;
        // Prefix a scheme if the visitor left it off.
        if (!empty($c['url']) && !preg_match('/^(http|https)/', $c['url'])) {
            $c['url'] = "http://" . $c['url'];
        }

        $subject = "Contact Us";
        $message = "You received this e-mail message through the Contact Us feature on your website: \n\n";
        $message .= "Program Type: {$c['ChosDest']}\n";
        $message .= "Name: {$c['firstname']} {$c['lastname']}\n";
        $message .= "Location: {$c['location']}\n";
        $message .= "Phone: {$c['phone']} \n";
        $message .= "Email: {$c['email']}\n";
        $message .= "Comments: {$c['comments']}\n\n\n";
        $message .= "Submitted from IP: {$_SERVER['REMOTE_ADDR']} \n";
        //$message .= "Browser: {$_SERVER['HTTP_USER_AGENT']}";

        // Header line endings chosen per host OS (both branches are the same as posted).
        if (strstr($_SERVER['SERVER_SOFTWARE'], "Win")) {
            $headers = "From: Website <[email protected]> \n";
            $headers .= "Reply-To: {$c['email']}";
        } else {
            $headers = "From: Website <[email protected]> \n";
            $headers .= "Reply-To: {$c['email']}";
        }

        $recipient = "[email protected]";
        if (mail($recipient, $subject, $message, $headers)) {
            echo "<p>Your information was successfully sent. <br><br> <font size=+1 color=#ac2b31>Thank You for Contacting Us!</font> <br><br>Someone will be responding to your inquiry shortly</p>";
        } else {
            echo "<p>Your information could not be sent this time. Please try again!</p>";
        }
    }
}

if (!isset($c['submit']) || $show_form == true) {
    // Echo a previously submitted value back into the form; escaped so a quote or
    // angle bracket in the input cannot break out of the HTML attribute.
    function get_data($var) {
        global $c;
        if (isset($c[$var])) {
            echo htmlspecialchars($c[$var], ENT_QUOTES);
        }
    }

    if ($error_msg != NULL) {
        echo "<p><strong style='color: red;'>ERROR:</strong><br />";
        echo nl2br($error_msg) . "</p>";
    }
?>
<!-- the HTML form itself was not included in the post -->
<?php
}
?>
```
What can I do to make my site safe?
Any help is greatly appreciated.
Last edited by mrstuff68; May 9th, 2007 at 07:50 PM.
-
May 10th, 2007, 01:42 AM
#2
Re: Contact Us Page Hacked
His site was hacked in what way?
-
May 10th, 2007, 03:27 AM
#3
Re: Contact Us Page Hacked
I don't see how the site can be hacked through that page because, as far as I can see, you have taken all the necessary precautions to prevent an XSS attack. But there is a possibility that rogue headers could sneak in through the email address; ones you don't check for in your exploit function.
Rather than checking all the variables for exploits, simply check that the email address adheres to the general format for an email address using a regular expression.
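An added example (not code from the thread) of the header-injection check discussed above: any value placed in a mail() header must be a single line, so a Reply-To address is only accepted when it contains no CR, LF or NUL and passes `filter_var()`'s email validation. `build_contact_headers()`, the sample inputs and the `example.com` addresses are constructed for this illustration.

```php
<?php
// Added example: build mail() headers so that user input cannot add header lines.
// Assumes PHP 5.2 or later for filter_var().

// True if $value can sit on one header line: no CR, LF or NUL, which are the
// characters needed to start a second header such as Bcc:.
function is_single_header_line($value) {
    return is_string($value) && preg_match('/[\r\n\0]/', $value) === 0;
}

// Strict Reply-To validation. FILTER_VALIDATE_EMAIL already rejects whitespace
// and control characters; the line check above is kept as a second guard.
function valid_reply_to($email) {
    return is_single_header_line($email)
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Returns the header string for mail(), or false if $replyTo is unsafe.
// $fromAddress is a site-controlled constant, never user input.
function build_contact_headers($fromAddress, $replyTo) {
    if (!valid_reply_to($replyTo)) {
        return false;
    }
    // Headers are separated by CRLF; the last one carries no trailing newline.
    return "From: Website <" . $fromAddress . ">\r\n"
         . "Reply-To: " . $replyTo . "\r\n"
         . "X-Mailer: PHP/" . phpversion();
}

// Constructed sample inputs: one clean address, two header-injection attempts
// (the pattern the thread's "bcc:" / "cc:" filter is meant to catch), one junk value.
$samples = array(
    'alice@example.com'                             => true,
    "alice@example.com\r\nBcc: someone@example.org" => false,
    "alice@example.com\nCc: someone@example.org"    => false,
    'not an address'                                => false,
);
foreach ($samples as $input => $expected) {
    $accepted = build_contact_headers('noreply@example.com', $input) !== false;
    printf("%-48s -> %s\n", json_encode($input), $accepted === $expected ? 'ok' : 'MISMATCH');
}
```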
-
May 10th, 2007, 03:28 AM
#4
Re: Contact Us Page Hacked
You didn't say how the script was hacked. If the person using it doesn't know, then I suggest you tell him to get you some proof.
-
May 10th, 2007, 10:58 PM
#5
Re: Contact Us Page Hacked
Are you calling a database anywhere in some other code? Maybe you are including a config page with some SQL in it.
If you have SQL, then you could be prone to SQL injection.