
Author Topic: PATCH - Function Contact Security Patch (1.6)  (Read 6448 times)

Keyrocks

PATCH - Function Contact Security Patch (1.6)
« on: February 20, 2010, 06:08:49 PM »

(Originally posted by Joost elsewhere, Nov.24.09)

(Summarized)
Function contact, which generates the Contact page used in sNews (1.5, 1.6 and 1.7), makes it possible for "an attacker to send (bulk) mail to any address he, or she chooses. The server where the script is installed becomes a spam server and might get blacklisted." Hosts don't like that and might terminate your account and disable your website(s) on their server(s), or "order you to install a decent script" that cures the problem.

The following function was revised and offered as a solution by Joost on November 24, 2009 (on a restricted forum) and, now that I've become aware of it, I've taken the liberty of re-posting the solution here.

Even if you have not experienced an attack through your sNews Contact pages you should replace function contact in all of your sNews 1.6 projects with the following (provided by Joost):

version 1.6
Code:
<?php

// CONTACT FORM
function contact() {

    if (!isset($_POST['contactform'])) {
        // Remember when the form was rendered; the hidden "time" field must send the same value back
        $_SESSION[_SITE.'time'] = $time = time();
        echo
        '<div class="commentsbox"><h2>'.l('contact').'</h2>
        <p>'.l('required').'</p>
        <form method="post" action="'.db('website').'" id="post" accept-charset="UTF-8">
        <p><label for="name">* ',l('name'),'</label>:<br />
        <input type="text" name="name" id="name" maxlength="100" class="text" value="" /></p>
        <p><label for="email">* ',l('email'),'</label>:<br />
        <input type="text" name="email" id="email" maxlength="320" class="text" value="" /></p>
        <p><label for="weblink">',l('url'),'</label>:<br />
        <input type="text" name="weblink" id="weblink" maxlength="160" class="text" value="" /></p>
        <p><label for="message">* ',l('message'),'</label>:<br />
        <textarea name="message" rows="5" cols="5" id="message"></textarea></p>
        ',mathCaptcha(),'
        <p><input type="hidden" name="ip" id="ip" value="',$_SERVER['REMOTE_ADDR'],'" />
        <input type="hidden" name="time" id="time" value="',time(),'" />
        <input type="submit" name="contactform" id="contactform" class="button" value="',l('submit'),'" /></p>
        </form>
        </div>';

    } elseif( isset( $_SESSION[_SITE.'time'] ) ) {
        // Import the POST fields as local variables, but refuse a request carrying more fields than the form sends
        $count = $magic = 0;
        if( get_magic_quotes_gpc() ){ $magic = 1; }
        foreach($_POST as $k => $v){
            // NOTE: the field limit did not survive extraction of this post; 8 is assumed from the number of fields the form above sends
            if($count === 8) die;
            if( $magic ) $$k = stripslashes($v);
            else $$k = $v;
            ++$count;
        }
        $to = s('website_email');
        $subject = s('contact_subject');

        // Bound each field's length and abort on CR/LF, which would allow extra mail headers (recipients) to be injected
        $name = (isset($name[0]) && ! isset($name[300]) ) ? trim($name) : null;
        $name = ! preg_match('/[\\n\\r]/', $name) ? $name : die;

        $mail = (isset($email[6]) && ! isset($email[320]) ) ? trim($email) : null;
        $mail = ! preg_match('/[\\n\\r]/', $mail) ? $mail : die;

        $url = (isset($weblink[4]) && ! isset($weblink[160]) ) ? trim($weblink) : null;
        $url = ( strpos($url, '?') === false && ! preg_match('/[\\n\\r]/', $url)) ? $url : null;
        $message = (isset($message[10]) && ! isset($message[6000]) ) ? strip_tags($message) : null;
        // The hidden time value must match the session token and the form must be more than 10 seconds old
        $time = ( isset($_SESSION[_SITE.'time']) && $_SESSION[_SITE.'time'] === (int)$time && (time() - $time) > 10) ? $time : null;
        if ( isset($ip) && $ip === $_SERVER['REMOTE_ADDR'] && $time
            && $name && $mail && $message && checkMathCaptcha()) {
            unset($_SESSION[_SITE.'time']);
            echo notification(0,l('contact_sent'),'home');
            $send_array = array(
                'to'=>$to,
                'name'=>$name,
                'email'=>$mail,
                'message'=>$message,
                'ip'=>$ip,
                'url'=>$url,
                'subject'=>$subject);
            send_email($send_array);
        } else {
            echo notification(1,l('contact_not_sent'),'contact');
        }
    }
}

?>

NOTE: I will attempt to patch the default 1.6 Download package with this patch by the end of February.
Do it now... later may not come.
-------------------------------------------------------------------------------------------------
sNews 1.6 MESU | sNews 1.6 MEMU
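The checks the patched function relies on, pulled out into a stand-alone function and exercised with constructed submissions, so it is visible why a CR/LF in a header field or a stale time token gets the message dropped. This is an added example written for this page, not Joost's code and not part of sNews; it assumes PHP 7 or later, leaves the captcha aside, assumes the form sends at most 8 POST fields, and adds an email syntax check the original patch does not have.

```php
<?php
// Added example (not from the original post or sNews): the patched contact()
// checks as a pure function that can be run offline. Assumptions: PHP 7+,
// captcha handled elsewhere, at most 8 POST fields (the page's limit is assumed).
function validate_contact(array $post, array $session, string $remote_addr, int $now, int $min_age = 10)
{
    // More fields than the form sends means a hand-crafted request
    if (count($post) > 8) return null;

    $name    = isset($post['name'])    ? trim($post['name'])           : '';
    $email   = isset($post['email'])   ? trim($post['email'])          : '';
    $url     = isset($post['weblink']) ? trim($post['weblink'])        : '';
    $message = isset($post['message']) ? strip_tags($post['message']) : '';

    // A CR or LF in anything that ends up in a mail header is header injection:
    // it lets the sender append recipients and turn the script into a relay.
    foreach ([$name, $email, $url] as $v) {
        if (preg_match('/[\r\n]/', $v)) return null;
    }
    // Same length bounds as the patch (1..300, 7..320, 5..160, 11..6000)
    if (strlen($name) < 1 || strlen($name) > 300) return null;
    if (strlen($email) < 7 || strlen($email) > 320) return null;
    // Syntax check not in the original patch, added here as an extra measure
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) return null;
    if ($url !== '' && (strlen($url) < 5 || strlen($url) > 160 || strpos($url, '?') !== false)) $url = '';
    if (strlen($message) < 11 || strlen($message) > 6000) return null;

    // The hidden time field must equal the token stored when the form was rendered,
    // and the form must be older than $min_age seconds (bots tend to post instantly)
    $time = isset($post['time']) ? (int) $post['time'] : 0;
    if (!isset($session['time']) || $session['time'] !== $time || ($now - $time) <= $min_age) return null;
    // The hidden ip field must match the client actually submitting
    if (!isset($post['ip']) || $post['ip'] !== $remote_addr) return null;

    return ['name' => $name, 'email' => $email, 'url' => $url, 'message' => $message, 'ip' => $post['ip']];
}

// Constructed sample submissions (not real traffic): the token was stored in the
// session when the form was rendered and the request arrives 20 seconds later.
$session = ['time' => 1700000000];
$good = ['name' => 'Ada', 'email' => 'ada@example.com', 'weblink' => '',
         'message' => 'Hello, I have a question.', 'ip' => '203.0.113.5',
         'time' => '1700000000', 'contactform' => 'Submit'];
$injected = $good;
$injected['email'] = "ada@example.com\r\nBcc: someone@example.net";  // CRLF smuggles a header
$replayed = $good;
$replayed['time'] = '1699999000';  // token from some other render of the form
foreach (['good' => $good, 'injected' => $injected, 'replayed' => $replayed] as $label => $p) {
    echo $label, ': ', validate_contact($p, $session, '203.0.113.5', 1700000020) ? 'accepted' : 'rejected', "\n";
}
```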