PHP
Damir Gabdrakhimov, 2017-02-16 10:44:10

Can a site be hacked through a form to send messages?


Good afternoon. Can the site be hacked through a form for sending messages? The form is not connected to the database; it only works with the mail() function, etc.
The simple form accepts "name" and "phone".
Thank you!


3 answer(s)
rPman, 2017-02-16
@rPman

Unfiltered input means potential css, which means they can obtain cookies, incl. the administrator's, if you slip him a link with this css (he must follow it, but usually that's not difficult; social engineering works very well), and then, having an administrator password, you can usually do much more, and without hacking.
P.S. Check what happens if the form data is sent as a GET request instead of a POST.

CityCat4, 2017-02-16
@CityCat4

If the data is not validated, then it can. Once, a long time ago, there is no longer an archive, we had it - there was a page with a demo of the product, hung and hung
... fatal but annoying.

kpa6uu, 2017-02-16
@kpa6uu

Relatively recently, an exploit related to php-mailer was leaked to the public
https://legalhackers.com/advisories/PHPMailer-Expl...
Might come in handy
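
A handler for the "name" and "phone" form from the question, showing the validation the answers above call for. This is an added example, not code from any of the posters; the recipient address, the field rules and the helper names `clean_name` and `clean_phone` are assumptions.

```php
<?php
declare(strict_types=1);

// Added example: the recipient address and the field rules below are assumptions.
const RECIPIENT = 'owner@example.com'; // placeholder, fixed server-side

/** Returns the cleaned name, or null if it fails validation. */
function clean_name(string $raw): ?string
{
    $name = trim($raw);
    // Letters, spaces, apostrophes and hyphens only; \p{L} covers non-Latin names.
    // CR/LF and other control characters can never match; invalid UTF-8 fails too.
    return preg_match('/^\p{L}[\p{L} \'\-]{0,63}\z/u', $name) === 1 ? $name : null;
}

/** Returns the phone reduced to digits with an optional leading "+", or null. */
function clean_phone(string $raw): ?string
{
    $raw = trim($raw);
    // Accept only characters people type in phone numbers, before stripping anything.
    if (preg_match('/^\+?[0-9 ()\-]{7,24}\z/', $raw) !== 1) {
        return null;
    }
    $phone  = preg_replace('/[^0-9+]/', '', $raw);
    $digits = strlen(ltrim($phone, '+'));
    return ($digits >= 7 && $digits <= 15) ? $phone : null;
}

// Accept POST only, so the fields cannot be supplied through a crafted link (GET).
if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    http_response_code(405);
    exit('Method not allowed');
}

$name  = is_string($_POST['name'] ?? null)  ? clean_name($_POST['name'])   : null;
$phone = is_string($_POST['phone'] ?? null) ? clean_phone($_POST['phone']) : null;

if ($name === null || $phone === null) {
    http_response_code(400);
    exit('Please check the name and phone number.'); // never echo raw input back
}

// User data goes into the body only; recipient, subject and headers are constants,
// and the fifth argument of mail() (additional parameters) is not used at all.
$body = "Name: {$name}\nPhone: {$phone}\n";
$sent = mail(RECIPIENT, 'Callback request', $body, 'Content-Type: text/plain; charset=UTF-8');

// Escape on output in case this page (or an admin panel) ever displays the value.
echo $sent ? 'Thank you, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '.' : 'Sending failed.';
```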
