Form Security
http://formmail-maker.com/forum/index.php?p=/categories/form-security/feed.rss
Tue, 19 Sep 17 14:45:43 -0400

How secure are the email form and my form data?
http://formmail-maker.com/forum/index.php?p=/discussion/16/how-secure-are-the-email-form-and-my-form-datas
Sat, 24 Sep 2011 21:29:49 -0400, admin

I'm confident that all the web forms downloaded from my website (formmail-maker.com) are safe and spam free. Each web form has the following methods to fight spammers and potential hackers:

  1. No email address embedded in form HTML source
  2. Use a simple built-in security image or the very secure reCAPTCHA project from Google
  3. Check for email header injection
  4. File upload control to check harmful files
  5. Save form data in PHP to avoid unauthorized download
  6. Host the form on your own website, not third-party

No email address embedded in form HTML source


With old-fashioned formmail solutions, like formmail.pl and formmail.php, you need to embed the email address in the form to make it work. That email address will be collected by email spiders for email spammers. My form uses a predefined email address as the formmail recipient in the PHP script form.lib.php, so no spammer can get your email address for spamming. The predefined email address in form.lib.php looks like this:

define( 'PHPFMG_TO' , 'you@yourwebsite.com' );

Use a simple built-in security image or the very secure reCAPTCHA project from Google


For the security image of the web form, you can choose one of 3 options: no security image, a simple built-in 4-character security image, or the reCAPTCHA project from Google. The built-in security image doesn't require the server-side GD library. The screenshot of the security image used by the web form:


image


Check for email header injection


The forms downloaded from my website have a built-in header injection check. In the form, there are several places that stop email headers from being injected:
1) The email addresses (TO, CC, BCC) of the form are predefined, and they can't be harvested by email spiders.
2) The "email of sender" and "name of sender" special fields in the form are checked for injection. Special chars usually used for email header injection are removed. The special chars include line breaks, comma (,), semicolon (;), "CC:", and "BCC:". This is to stop spammers using CC: and BCC: for spamming.
3) The body of the message always prints the form field label first, not the content submitted by the user. This is to stop email headers being injected by well-crafted user content.
4) The form has a built-in security image captcha code; reCAPTCHA is also available to stop the form being submitted by spambots.
5) There is an email log on the server; the log will show whether there is any unusual email traffic.

It should be spam free by using the above methods. There is no report so far that forms are being abused.

File upload control to check harmful files


There are file upload control options for the web form to block harmful files from being uploaded. The harmful files are executable applications and scripts on the Windows platform or on the web server platform. See the screenshot of the form blocking a harmful file on the browser side:


image

On the email attachments and the server side, harmful uploaded files are also handled. After I read an article about PHP file upload security (http://www.scanit.be/uploads/php-file-upload.pdf), I'm very confident that my form file upload handling is very secure, or at least, there are no security holes as described in that article.

Long story short, in order to use a PHP attack, a hacker needs to have:
1) a PHP file (back door) uploaded to your server
2) the web path of the PHP file
3) or any other file (.gif, .html, .js, .css, etc...) that will be executed as a PHP file because of the server-side settings

In my form file upload handling, an uploaded file is handled in the following ways:
1) All uploaded files are renamed with a random id prefix added to the file name.
2) If a file is harmful, its file extension is also renamed to .bak. For example, if someone uploads a backdoor web PHP script phpshell.php through the web form, it will be renamed to something like 20110924-97c6-phpshell.php.bak on the server side and on the email attachment.
3) There is an option to save files out of the webroot in form.lib.php as follows:

define( 'PHPFMG_ROOT_DIR' , dirname(__FILE__) );
define( 'PHPFMG_SAVE_FILE' , PHPFMG_ROOT_DIR . '/form-data-log.php' ); // save submitted data to this file
define( 'PHPFMG_EMAILS_LOGFILE' , PHPFMG_ROOT_DIR . '/email-traffics-log.php' ); // log email traffics to this file
define( 'PHPFMG_ADMIN_URL' , 'admin.php' );

define( 'PHPFMG_SAVE_ATTACHMENTS' , 'Y' );
define( 'PHPFMG_SAVE_ATTACHMENTS_DIR' ,  '/secured-folder/uploaded/' );


Save form data in PHP to avoid unauthorized download


The form data will be saved as a PHP file, form-data-log.php. The file uses the PHP exit() function to avoid your form data being downloaded as a text file. Here is an example:

<?php exit(); /* For security reason. To avoid public user downloading below data! */?>
"RecordID" "Date" "IP" "Your name:" "Your email:" "Did it work on my website when you built the form?" "Have you read the F.A.Q?" "Did you modify the form?" "The link of the form which it does not work on your website." "Attach a zip file with all php files of your form, it will help us to fix the problem quickly." "Details of problem:"
"20100206-c327" "2010-02-06 18:26:07" "67.135.237.178" "Tester" "tester@test.com" "Yes" "Yes" "No" "" "" ""

Host the form on your own website, not third-party web form service providers


You host your form on your own website, not with form service providers. No need to worry that your form data will be abused. You create the form on my website and download your form as myform.zip, then you unzip it and upload the files to your own website. No data or any communication will be sent to my website. It's all yours once you put it on your website.



As a result, the form and your form data are safe and secure!


If you happen to find any security problems, please let me know. I will be more than happy to fix any security issues in the email form maker.

:)
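
The header-injection check described in this post (stripping line breaks, comma, semicolon, "CC:" and "BCC:" from the sender fields), as an added example that is not part of the original post or the form maker's code. The function names and sample values are hypothetical, and validating the address afterwards is an assumption beyond what the post lists.

```php
<?php
// Added example, not the form maker's own code. Function names are hypothetical.

// Remove what the post lists (line breaks, comma, semicolon, "CC:", "BCC:")
// from a value that will be placed in a mail header.
function clean_header_value(string $value): string
{
    // Repeat until nothing changes, so that removing one token cannot
    // join the characters around it into a new token.
    do {
        $before = $value;
        $value  = preg_replace('/[\r\n,;]|b?cc\s*:/i', '', $value) ?? '';
    } while ($value !== $before);

    return trim($value);
}

function sender_fields(array $post): array
{
    $name  = clean_header_value($post['name']  ?? '');
    $email = clean_header_value($post['email'] ?? '');

    // Assumption: after stripping, the value must still be one valid address;
    // anything else is dropped instead of being passed to the mailer.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $email = '';
    }
    return ['name' => $name, 'email' => $email];
}

// Constructed sample submission in which both fields carry an extra header line.
$sample = [
    'name'  => "Tester\r\nBcc: list@example.org",
    'email' => "tester@test.com\r\nCc: other@example.org",
];
var_dump(sender_fields($sample));
```

Stripping alone leaves the leftover text of the extra line inside the field, which is why the address is validated again before use.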

My form has upload fields. Will hackers upload backdoor scripts to my website? Is my form secure?
http://formmail-maker.com/forum/index.php?p=/discussion/14/my-form-has-upload-fields.-will-hackers-upload-backdoor-scripts-to-my-websites-is-my-form-secures
Wed, 21 Sep 2011 12:58:12 -0400, admin

Question:

There are security problems in some email forms written in the PHP language. I read this article and know about the security problem in PHP file upload at http://www.scanit.be/uploads/php-file-upload.pdf. My form has upload fields. Will hackers upload backdoor scripts to my website? Is my form secure?

Answer:

Thank you for the article link. I read through the articles, and I'm very confident that my form file handling is very secure, or at least, there are no security holes as described in those articles, especially this article at http://www.scanit.be/uploads/php-file-upload.pdf.

Long story short, in order to use a PHP attack, a hacker needs to have (see the screenshot for the highlight):
1) a PHP file (back door) uploaded to your server
2) the web path of the PHP file
3) or any other file (.gif, .html, .js, .css, etc...) that will be executed as a PHP file because of the server-side settings

In my form file upload handling, an uploaded file is handled as follows:
1) It is renamed with a random id prefix added to the file name.
2) If the file is harmful, it is also renamed with .bak.
3) I guess no server will execute .bak as a PHP file.
4) There is an option to save files out of the webroot in form.lib.php.

define( 'PHPFMG_ROOT_DIR' , dirname(__FILE__) );
define( 'PHPFMG_SAVE_FILE' , PHPFMG_ROOT_DIR . '/form-data-log.php' ); // save submitted data to this file
define( 'PHPFMG_EMAILS_LOGFILE' , PHPFMG_ROOT_DIR . '/email-traffics-log.php' ); // log email traffics to this file
define( 'PHPFMG_ADMIN_URL' , 'admin.php' );

define( 'PHPFMG_SAVE_ATTACHMENTS' , 'Y' );
define( 'PHPFMG_SAVE_ATTACHMENTS_DIR' ,  '/secured-folder/uploaded/' );

As a result, the form file upload should have no security problems. If you happen to find any, please let me know. I will be more than happy to fix any security issues in the email form maker.
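
The upload handling described in this answer and in the "How secure are the email form and my form data?" post (random id prefix, .bak suffix for harmful files, storage outside the webroot), as an added example that is not part of the original posts or the form maker's code. Only the constant PHPFMG_SAVE_ATTACHMENTS_DIR comes from the posts; the function names, the extension list and the sample file names are assumptions.

```php
<?php
// Added example, not the form maker's code. Only the constant name
// PHPFMG_SAVE_ATTACHMENTS_DIR comes from the post; the rest is hypothetical.
define('PHPFMG_SAVE_ATTACHMENTS_DIR', '/secured-folder/uploaded/'); // outside the webroot

// Assumed blocklist: the post does not give the form's actual list.
const HARMFUL_EXTENSIONS = ['php', 'phtml', 'phar', 'pl', 'cgi', 'exe', 'bat', 'cmd', 'vbs', 'sh'];

function new_record_id(): string
{
    // Date plus random hex, like the post's "20110924-97c6" but with more
    // random characters (an assumption) so stored names are harder to guess.
    return date('Ymd') . '-' . bin2hex(random_bytes(8));
}

function stored_name(string $clientName, string $recordId): string
{
    // Keep the last path component only, restricted to a safe character set.
    $base = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($clientName)) ?? '';
    $base = ltrim($base, '.');            // no dotfiles such as .htaccess
    if ($base === '') {
        $base = 'upload';
    }
    // Test every dot-separated part, so a double extension is caught too.
    $parts   = array_map('strtolower', array_slice(explode('.', $base), 1));
    $harmful = count(array_intersect($parts, HARMFUL_EXTENSIONS)) > 0;

    return $recordId . '-' . $base . ($harmful ? '.bak' : '');
}

function save_upload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $target = PHPFMG_SAVE_ATTACHMENTS_DIR . stored_name($file['name'], new_record_id());
    // move_uploaded_file() refuses paths that did not come from an HTTP upload.
    return move_uploaded_file($file['tmp_name'], $target) ? $target : null;
}

// Constructed sample names, run through the naming step only.
foreach (['phpshell.php', 'photo.gif', 'notes.php.txt', '../.htaccess'] as $name) {
    echo $name, ' => ', stored_name($name, '20110924-97c6'), PHP_EOL;
}
```

In a real handler, save_upload() would be called with one entry of $_FILES.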
How to save my email form data in a secure folder (not part of web root folder)?
http://formmail-maker.com/forum/index.php?p=/discussion/13/how-to-save-my-email-form-data-in-a-secure-folder-not-part-of-web-root-folders
Wed, 21 Sep 2011 12:37:20 -0400, admin

Form data and log are created and handled with security in mind. It should not be possible to grab them without login. If you want it more secure, you can configure the script to store the data outside the website structure. You can edit form.lib.php as in the following example:


define( 'PHPFMG_SAVE_FILE' ,  '/secure-folder-here/form-data-log.php' ); // save submitted data to this file
define( 'PHPFMG_EMAILS_LOGFILE' , '/secure-folder-here/email-traffics-log.php' ); // log email traffics to this file
