Forms To Go is a program that creates a script to process an HTML form. The generated script operates under certain security constraints that prevent it from being used to send unauthorized e-mails to third parties. For example, the destination addresses of the e-mails are hard-coded in the script.
Forms To Go Security Parameters
The first form processors were extremely generic scripts, popular at the time, that worked with almost any form and sent the submitted values by e-mail.
To do so, hidden fields were added to the HTML form, such as:
<input type="hidden" name="subject" value="Form results"> <input type="hidden" name="to" value="[recipient e-mail address]">
The script read these values along with the rest of the form and then sent the e-mail to the address given in the "to" field, with the given "subject".
Any spammer with basic knowledge of web programming could write a program that triggered the script with its own values. By changing the "to" and "subject" fields to any other value, the spammer could use these scripts to send junk e-mail to other users on the web.
In some cases, where the form posted its values using the "GET" method, the script could be triggered and abused simply by passing the values in the URL.
For example:
http://www.domain.com/script.php?to=[recipient e-mail address]&subject=form%20results
Below, you will find a few steps and tips to secure your script.
Step 1: HTTP Referer comes to the rescue
One way to keep spammers from triggering the script directly, bypassing the HTML form instead of filling it in, is to check the HTTP referer. The HTTP referer is a parameter available to the web server that "tells" the script which URL (web page, web script, etc.) triggered it.
So, if the script is triggered only from its own HTML form, the form values cannot be hijacked. Checking the HTTP referer was the first option used to protect the script against spammers.
If a spammer invoked the script from their own HTML form, or directly from the URL, the script would not execute.
This was a first approach to the problem, but spammers soon discovered how to forge the HTTP Referer.
Faking the HTTP Referer
As mentioned before, the HTTP Referer is a parameter available on the web server that identifies the address (URL) of the web page that links to the script. This is useful for web statistics, to know from which pages users are visiting our website.
This parameter is also available to web scripts in PHP, Perl and ASP, and it lets the script make decisions based on it.
However, this parameter is set by the originating web browser: the web server has no way to verify which page you came from, and knows only the IP address of the browser requesting the page.
So, if the spammer manages to fake the HTTP Referer, a script protected only by this parameter can still be abused.
Forms To Go 2.6 (or higher) offers HTTP Referer filtering. Although it does not guarantee 100% effective protection against the script being executed outside the HTML form, it does filter out lots of unwanted requests from web spiders and robots, and some weak spamming techniques.
We suggest using HTTP Referer filtering even though it does not offer 100% effective protection.
Step 2: Hardcode critical parameters in the script
Forms To Go was created with this security feature: if the script is used for spam, i.e. a spammer requests its execution too many times, the only user affected will be the form's owner, and not any other user on the web.
For this reason, you must specify the TO, CC and BCC e-mail addresses to which the form field values are sent when you create the script. These e-mail addresses cannot be set in the HTML form, because that is unsafe. (Even today many users ask to set the e-mail address from the HTML form, and we remind them that we do not offer that option because it is too risky.)
Step 3: Filter offending IP Addresses
Forms To Go can filter script execution by IP address. If a spammer or virus on the web is constantly triggering your script, you can identify its IP address by checking the web logs, or by adding the sender's IP address to the body of your e-mail, and then block script execution from that address.
This is done with Forms To Go 2.6 and higher, which is a free upgrade for all customers of Forms To Go.
But again, IP addresses can be forged, so they can change every time. Also, if a virus residing on many computers triggers your script, it will be difficult to filter all the addresses.
Should you filter by IP address? Definitely! Create your script with IP address filtering, and add the IP address to the body of your e-mail. As soon as you see an offending e-mail, add its IP address to the list of filtered IP addresses.
Stop Words: Filter those common spam words
Generally, for spammers to perform "form hijacking" or "e-mail injection" through HTML forms, the values they submit must contain words used in e-mail headers, such as:
Content-type plain/text
...and many more. You can create your script with the option to halt execution if any of these stop words are found in the field values.
In this way, you will totally prevent script execution on malicious form submissions.
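The three filters discussed in Step 1, Step 3 and this Stop Words section, combined into one PHP request guard. This is an added example, not the code Forms To Go generates; the allowed Referer host, the blocked IP address and the stop-word list are assumed values.

```php
<?php
// Added example, not Forms To Go's generated code. The allowed host, the
// blocked IP (a TEST-NET address) and the stop words are assumed values.
$allowedRefererHosts = ['www.domain.com'];
$blockedIps          = ['203.0.113.7'];
$stopWords           = ['content-type', 'mime-version', 'bcc:', 'cc:', 'to:'];

// Step 1: accept only requests whose Referer names one of our own hosts.
// The Referer is sent by the browser and can be forged: a coarse filter only.
function refererAllowed(?string $referer, array $allowedHosts): bool
{
    if ($referer === null || $referer === '') {
        return false;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && in_array(strtolower($host), $allowedHosts, true);
}

// Step 3: drop requests from addresses already seen abusing the form.
function ipBlocked(string $remoteIp, array $blockedIps): bool
{
    return in_array($remoteIp, $blockedIps, true);
}

// Stop words: halt when any field value contains a header-like token.
// Returns the first offending word, or null when the submission is clean.
function findStopWord(array $fields, array $stopWords): ?string
{
    foreach ($fields as $value) {
        $text = strtolower(is_array($value) ? implode(' ', $value) : (string) $value);
        foreach ($stopWords as $word) {
            if (strpos($text, $word) !== false) {
                return $word;
            }
        }
    }
    return null;
}

$remoteIp = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
if (!refererAllowed($_SERVER['HTTP_REFERER'] ?? null, $allowedRefererHosts)
    || ipBlocked($remoteIp, $blockedIps)
    || findStopWord($_POST, $stopWords) !== null) {
    http_response_code(403);
    exit('Form submission rejected.');
}
// Step 3 tip: put the sender's IP in the body so offenders can be added to
// $blockedIps later. TO/CC/BCC stay hard-coded and are never read from $_POST.
$body = "Sender IP: " . $remoteIp . "\n";
```

The Referer and IP checks are the weak filters the text describes; the stop-word check is the one that actually blocks header-like content in field values.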
Help! I'm receiving a lot of spam! More than 100 a day!
Worms and viruses constantly triggering scripts on web servers are becoming more common every day. Recently, many users have complained about receiving lots of junk e-mails from their HTML forms.
The only way to stop this from happening in very simple HTML forms and scripts is to filter those requests by adding HTTP Referer, IP Address and Stop Words filtering to your script.
Forms To Go will include in the future more filtering options to avoid abuse of the HTML form. However, please keep in mind that internet security will hardly ever be guaranteed.
Urgent: My script is being used to send CC and BCC e-mails to other users
As mentioned above, Forms To Go scripts cannot be used to send e-mails to destinations other than the ones hard-coded in the script.
However, there are some cases in which your script can be used for this purpose. Please keep reading.
A spammer or hacker can trigger your script with the following field values:
bcc: [e-mail address]
cc: [e-mail address]
...and you may immediately think that your script was used to send spam. Don't panic: it is not that easy with Forms To Go.
The only way this could happen is if those field values reach the e-mail header, delimited with the proper character: a carriage return.
Forms To Go filters out all carriage return and new line characters from the SUBJECT and FROM fields of the e-mail whenever a field value is used in those areas.
To be completely sure that there is no possibility of an e-mail header (FROM, SUBJECT) being injected with malicious content, you must:
1) Make sure you created your Forms To Go script with a generic "FROM" e-mail address. If you select a field value to be used as the "FROM" e-mail address, abusive values such as:
bcc: [e-mail address]
...can be placed in the form field used as the "FROM", and from there reach the e-mail header.
2) Don't use field values in the SUBJECT of the e-mail. You can add field values to the e-mail body and also to the SUBJECT; if your subject contains a field value carrying those abusive values, those values can reach the e-mail header.
Forms To Go filters any carriage return or new line characters from every e-mail header, but for extra security remove any form field from your subject and use a GENERIC e-mail address in the FROM field.
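The header-injection risk and the two rules above, shown as PHP that builds the mail headers both the unsafe way and the hardened way. This is an added example, not the code Forms To Go generates; the addresses and the submitted value are constructed samples.

```php
<?php
// Added example, not Forms To Go's generated code. It shows why a field value
// placed in a mail header must have CR/LF removed. Nothing is sent: the
// functions return the header block so it can be inspected.

// Unsafe: the "from" field reaches the header untouched. A submitted value
// such as "user@example.com\r\nbcc: other@example.com" (constructed sample)
// becomes a second header line, and mail() would honour the injected bcc.
function buildHeadersUnsafe(string $fromField): string
{
    return "From: " . $fromField . "\r\n"
         . "Content-Type: text/plain; charset=UTF-8\r\n";
}

// Safe, following the two rules above: every CR/LF is stripped from any value
// that reaches a header, and From is a generic hard-coded address. The
// visitor's address goes into Reply-To only if it survives validation.
// The subject is likewise hard-coded rather than built from a field.
function stripHeaderBreaks(string $value): string
{
    return str_replace(["\r", "\n", "\0"], '', $value);
}

function buildHeadersSafe(string $replyToField, string $genericFrom): string
{
    $replyTo = stripHeaderBreaks($replyToField);
    if (filter_var($replyTo, FILTER_VALIDATE_EMAIL) === false) {
        $replyTo = '';   // not a single plain address after cleaning: drop it
    }
    $headers = "From: " . $genericFrom . "\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";
    if ($replyTo !== '') {
        $headers .= "Reply-To: " . $replyTo . "\r\n";
    }
    return $headers;
}

// Constructed injection attempt of the kind described in the text.
$submitted = "user@example.com\r\nbcc: other@example.com";
echo buildHeadersUnsafe($submitted);                     // contains a "bcc:" line
echo buildHeadersSafe($submitted, 'forms@example.com');  // no Reply-To: value rejected
```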
I need more help
If after following all these steps, you consider you still have a security problem with scripts created with Forms To Go, don't hesitate to contact us. We will be very happy to assist you.