Hacking Contact Forms
Thanks to the good people at AOL, I've discovered that some hackers are abusing the contact forms hosted at our site and subhosted clients.
As I've done a little reading it appears that some hackers just look for popular forms by name, i.e., contact.pl, formmail.cgi, etc.
Would changing the names of these forms to something tough to guess (at least by a mindless computer) be a good defense against the average hacker?
I.e., clientnamecontact.pl, instead of just contact.pl?
Thanks in advance for any ideas...
Greg K posted this at 19:58 — 26th September 2005.
He has: 2,145 posts
Joined: Nov 2003
Change not only the name of the program as you asked, but also change any "Standard" form field names.
There was a similar thread not too long ago on this topic. If I can find it, I'll edit this and post it.
-Greg
Tudor.b posted this at 20:52 — 3rd October 2005.
They have: 35 posts
Joined: Jun 2004
Mr. Geek of the Week is partially right, you should change any standard names of the fields, like email, or name. But the bots are also getting smarter: not knowing which textfield is which, they enter raw headers in all of them.
I don't know perl, but in PHP, you can do something like this to parse all the POST data for unwanted headers:
<?php
// Check every submitted field, since a bot may stuff headers into any of them
foreach ($_POST as $post_data) {
    // case-insensitive match for header keywords a spam bot injects
    if (preg_match('/content-type|mime-type/i', $post_data)) {
        // unwanted headers
        die("Da-te-n gatu` ma-tii"); // well...something "nice" for the bot :))
    }
}
www.it-base.ro
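Putting both replies together, here is an added example (not code from either poster) of a contact-form handler that uses non-standard field names, scans every POST field for injected header keywords, and additionally rejects line breaks in the fields that end up in mail headers, which is what actually makes header injection work. The field names, the recipient address and the sample submission are all constructed for the example.

```php
<?php
// Added example, not the thread's code. Field names and recipient are assumed.

// Non-standard field names, as Greg suggests (pick your own per site)
const FIELD_NAME    = 'cx_visitor';
const FIELD_EMAIL   = 'cx_reply';
const FIELD_MESSAGE = 'cx_body';

// Fields whose values are placed into mail headers; a newline here lets a
// bot append its own headers (Bcc:, Content-Type: ...), so none are allowed.
const HEADER_FIELDS = [FIELD_NAME, FIELD_EMAIL];

// True if a value carries the header keywords spam bots inject.
// Checked on every field, since bots fill all of them (Tudor.b's point).
function hasHeaderKeywords(string $value): bool
{
    return (bool) preg_match('/\b(content-type|mime-version|bcc|cc)\s*:/i', $value);
}

// Return the names of all fields that look like an injection attempt.
function findSuspiciousFields(array $post): array
{
    $bad = [];
    foreach ($post as $name => $value) {
        if (!is_string($value)) {            // arrays in POST are never expected here
            $bad[] = $name;
            continue;
        }
        if (hasHeaderKeywords($value)) {
            $bad[] = $name;
            continue;
        }
        // Line breaks are only a problem where the value reaches a header line;
        // the message body may legitimately span several lines.
        if (in_array($name, HEADER_FIELDS, true) && preg_match('/[\r\n]/', $value)) {
            $bad[] = $name;
        }
    }
    return $bad;
}

// Build the arguments for mail() from a clean submission, or null to drop it.
// The recipient is fixed in code and never taken from the form.
function buildMail(array $post): ?array
{
    if (findSuspiciousFields($post) !== []) {
        return null;
    }
    $email = filter_var($post[FIELD_EMAIL] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return null;
    }
    // Strip anything from the display name that does not belong in a header
    $name = preg_replace('/[^\w .\'-]/', '', $post[FIELD_NAME] ?? '');

    return [
        'to'      => 'webmaster@example.com',   // assumed recipient
        'subject' => 'Contact form submission',
        'body'    => $post[FIELD_MESSAGE] ?? '',
        'headers' => "From: {$name} <{$email}>\r\nReply-To: {$email}",
    ];
}

// Constructed sample: a bot stuffing headers into the name field and the body
$sample = [
    FIELD_NAME    => "bob\nBcc: someone@example.org",
    FIELD_EMAIL   => 'bob@example.net',
    FIELD_MESSAGE => "Hello\nContent-Type: text/html",
];
var_dump(findSuspiciousFields($sample));
var_dump(buildMail($sample));
```

The keyword match alone is a heuristic and will miss bots that avoid those words; the newline check on the header-bound fields is the part that closes the injection itself, and the fixed recipient means a bot cannot turn the form into an open relay even if a check is bypassed.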