PHP Forms Security Vulnerability
Hello all! I needed to post really quickly for you - this is important!
If you have used my contact forms script prior to this moment right now (September 20, 2007 at 9:52am EST), then you need to upgrade.
I have removed/disabled downloads to my “complex” and “simple” zipped file outputs. They were old anyway, and needed to go. I do have a replacement “automated” script to generate the simple form for you. (If you need something more complex, feel free to contact me about it, and I’ll send it to you.)
So, the deal is, an XSS vulnerability was discovered in my script. If you don’t know what XSS is (I didn’t!), in layman’s terms: someone can enter an actual script into any of the input fields on the form, and when they click “submit” said nastiness *will* run. This is a HUGE vulnerability. So this update is no joke. If you’re using my forms, you MUST apply the fix, or you’re compromising your server, and your host will hate you forever.
So, the quickest way is to just get a new form. But many of you have already done this and customized the form heavily - and I’m sure you don’t want to do it all over again. Never fear! Turns out the fix is really quick and simple. Follow the instructions below, and you’ll be set.
- open up the processing script (by default, it’s “index.php” - if you’ve renamed it, then open that file).
- directly above the line
isset($_POST['action']) ? $action = $_POST['action'] : $action = '';
which should be the first line in your script by default (you may or may not have added extra customization, that’s for you to determine), you must place this little piece of code:
foreach ($_POST as $k => $v)
    $_POST[$k] = htmlentities($v); // encode <, >, & and " in every submitted field
- Save. Upload. Done.
This fix will effectively remove the vulnerability. Nothing’s 100% - but this is pretty darn close.
If you have any questions on this, feel free to leave a comment below and I’ll address you as soon as I can.
UPDATE: I must be asleep at the wheel. I had forgotten to mention that this fix was for the simple form only. If you’re using the “complex” form, you’ve got arrays and such (or even if you’re using a really customized simple form), so the above won’t work very well. So if you’ve got a more complicated form, you need to add this instead (thanks to Sheila Fenelon for this!). First is a small function - you may place it anywhere in the script you like (Sheila recommends placing functions at the end, but it’s your choice):
// Walk the array recursively and encode every scalar value it contains
function htmlentities_r($arr)
{
    foreach ($arr as $k => $v) {
        if (is_array($v)) {
            // nested array (e.g. a checkbox group): recurse into it
            $arr[$k] = htmlentities_r($v);
        } else {
            $arr[$k] = htmlentities($v);
        }
    }
    return $arr;
}
Then replace the “foreach” statement from the instructions above with this:
$_POST = htmlentities_r($_POST);
And now your more complicated forms are up-to-date.
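As an added example (not code from the original post or from the form script), here is the same recursive escaping applied to a constructed sample of a “complex” submission, with two tweaks a practitioner would want: ENT_QUOTES so single quotes are encoded as well (the default only encodes double quotes), and escaping of the field names at render time, since the sender controls those too. The function and field names are assumptions for the demo.

```php
<?php
// Added example, not part of the original post. Same idea as htmlentities_r():
// walk the submitted array recursively and encode every leaf value.

function escape_recursive($value)
{
    if (is_array($value)) {
        // array_map with a single array keeps the original keys
        return array_map('escape_recursive', $value);
    }
    // ENT_QUOTES encodes both ' and "; the charset is given explicitly
    return htmlentities((string) $value, ENT_QUOTES, 'UTF-8');
}

// Renders "key: value" list items; keys are escaped here because form field
// names come from the browser and escape_recursive() only touches values.
function render_confirmation(array $fields, $prefix = '')
{
    $html = '';
    foreach ($fields as $k => $v) {
        $label = ($prefix === '') ? $k : $prefix . '[' . $k . ']';
        if (is_array($v)) {
            $html .= render_confirmation($v, $label);
        } else {
            $html .= '<li>' . htmlentities((string) $label, ENT_QUOTES, 'UTF-8')
                  . ': ' . $v . "</li>\n";
        }
    }
    return $html;
}

// Constructed sample submission (scalars plus an array, as checkbox groups
// produce) with markup in values at several depths and in a field name.
$sample_post = array(
    'action' => 'send',
    'name'   => "Bob <script>alert('x')</script>",
    'email'  => 'bob@example.com" onmouseover="alert(1)',
    'topics' => array('php', '<img src=x onerror=alert(1)>'),
    '<b>bad key</b>' => 'x',
);

$safe = escape_recursive($sample_post); // stands in for $_POST = htmlentities_r($_POST);
$page = "<ul>\n" . render_confirmation($safe) . '</ul>';
echo $page;

// Every tag from the submission must now be entity-encoded text, not markup.
assert(strpos($page, '<script') === false && strpos($page, '<img') === false);
assert(strpos($page, '<b>') === false);
assert(strpos($page, 'alert(&#039;x&#039;)') !== false); // single quotes encoded too
```

One caveat of escaping at input time, as this fix does: the encoded values also end up in the email the script sends, so in a plain-text mail body they show up literally as entities; decode them there with html_entity_decode(), or escape at output in the HTML page only.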



Sweet resource, just what I have been looking for.
I have added you to Stumbleupon.
Spoken on March 24th, 2008 at 1:37 pm