sNews 1.7 (current stable version) > Patches/fixes

PATCH - Function Contact Security Patch (1.7)

(1/1)

Keyrocks:
UPDATE: This Patch is included in the current Official sNews 1.7 Download as of April 15, 2010.

(Originally posted by Joost elsewhere, Nov.24.09)

(Summarized)
Function contact, which generates the Contact page used in sNews (1.5, 1.6 and 1.7) makes it possible for "an attacker to send (bulk) mail to any address he, or she chooses.The server where the script is installed becomes a spam server and might get blacklisted." Hosts don't like that and might terminate your account and disable your website(s) on their server(s), or "order you to install a decent script" that cures the problem.

The following function was revised and offered as a solution by Joost on November 24, 2009 (on a restricted forum) and, now that I've become aware of it, I've taken the liberty of re-posting the solution here.

Even if you have not experienced an attack through your sNews Contact pages you should replace function contact in all of your sNews 1.7 projects with the following (provided by Joost):

version 1.7

--- Code: ---<?php

// CONTACT FORM
function contact() {
  if (!isset($_POST['contactform'])) {
$_SESSION[_SITE.'time'] = $time = time();
echo
'<div class="commentsbox"><h2>'.l('contact').'</h2>
<p>'.l('required').'</p>
<form method="post" action="'._SITE.'" id="post" accept-charset="UTF-8">
<p><label for="name">* ',l('name'),'</label>:<br />
<input type="text" name="name" id="name" maxlength="100" class="text" value="" /></p>
<p><label for="email">* ',l('email'),'</label>:<br />
<input type="text" name="email" id="email" maxlength="320" class="text" value="" /></p>
<p><label for="weblink">',l('url'),'</label>:<br />
<input type="text" name="weblink" id="weblink"  maxlength="160" class="text" value="" /></p>
<p><label for="message">* ',l('message'),'</label>:<br />
<textarea name="message" rows="5" cols="5" id="message"></textarea></p>
',mathCaptcha(),'
<p><input type="hidden" name="ip" id="ip" value="',$_SERVER['REMOTE_ADDR'],'" />
<input type="hidden" name="time" id="time" value="',time(),'" />
<input type="submit" name="contactform" id="contactform" class="button" value="',l('submit'),'" /></p>
</form>
</div>';

} elseif( isset( $_SESSION[_SITE.'time'] ) ) {
$count = $magic = 0;
if( get_magic_quotes_gpc() ){ $magic = 1; }
foreach($_POST as $k => $v){
if($count === 8 ) die;
if( $magic ) $$k = stripslashes($v);
else $$k = $v;
++$count;
}
$to = s('website_email');
$subject = s('contact_subject');

$name = (isset($name[0]) && ! isset($name[300]) ) ? trim($name) : null;
$name = ! preg_match('/[\\n\\r]/', $name) ? $name : die;

$mail = (isset($email[6]) && ! isset($email[320]) ) ? trim($email) : null;
$mail = ! preg_match('/[\\n\\r]/', $mail) ? $mail : die;

$url = (isset($weblink[4]) && ! isset($weblink[160]) ) ? trim($weblink) : null;
$url = ( strpos($url, '?') === false && ! preg_match('/[\\n\\r]/', $url)) ? $url : null;
$message = (isset($message[10]) && ! isset($message[6000]) ) ? strip_tags($message) : null;
$time = ( isset($_SESSION[_SITE.'time']) && $_SESSION[_SITE.'time'] === (int)$time && (time() - $time) > 10) ? $time : null ;
if ( isset($ip) && $ip === $_SERVER['REMOTE_ADDR'] && $time
&& $name && $mail && $message && checkMathCaptcha()) {
unset($_SESSION[_SITE.'time']);
echo notification(0,l('contact_sent'),'home');
$send_array = array(
'to'=>$to,
'name'=>$name,
'email'=>$mail,
'message'=>$message,
'ip'=>$ip,
'url'=>$url,
'subject'=>$subject);
send_email($send_array);
} else {
echo notification(1,l('contact_not_sent'),'contact');
}
}
}


?>
--- End code ---

Navigation

[0] Message Index

Go to full version