PHPMailer
Mikhail06, 2018-12-06 23:10:46

Recipient address passed as a variable in phpmailer.php, how to close the vulnerability?

Good afternoon)
The essence of the problem is this:
A site on WP, a feedback form is used.
At the same time, on some pages the recipient addresses are different, that is, in the settings of a particular page there is a field for entering a mail address specifically for this page; the recipient address is expressed by a variable, implemented through Redux.
Letters are sent through the usual PHPMailer (5.2.22).
Everything is configured and works correctly.
But because the recipient's address is expressed as a variable, bots substitute random addresses and send letters to them from the feedback form. In effect, spam goes to random, even non-existent mail addresses.
Example from mail.log logs:
mail() on [/var/www/u0123***/data/www/site.su/wp-includes/class-phpmailer.php:698]: To: [email protected] - Headers: Date: Thu, 6 Dec 2018 17:41:56 +0000 From: Mikhail Message-ID: X-Mailer: PHPMailer 5.2.22 (github.com/PHPMailer/PHPM... MIME-Version: 1.0 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: 8bit
In this example, sending goes to an incomprehensible address [email protected]; all other records look similar, only the mail addresses change.
Examples from access.log logs:
173.249.31.49 - - [06/Dec/2018:20:08:47 +0300] "GET / HTTP/1.0" 200 24577 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36"
173.249.31.49 - - [06/Dec/2018:20:08:49 +0300] "POST / HTTP/1.0" 302 - "site.su/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36"
Here you can see how the bot came in and submitted a request, substituting the recipient's email address shown above.
What can be done in this situation?
Thank you for your attention)


1 answer(s)
Alexander, 2018-12-06
@NeiroNx

Make it so that the addresses to which the letter will be sent are not transferred in a variable.
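As an added example (not code from the asker or the answerer): the form only submits the page ID, and the handler resolves the recipient on the server from the page's own settings, with a domain allowlist as a second check. The page-to-address map and the domain list are constructed stand-ins for the Redux option stored in post meta, so the script runs outside WordPress.

```php
<?php
// Added example: resolve the recipient on the server from the submitted page ID,
// never from a form field. The array below stands in for get_post_meta() so the
// script runs without WordPress; the page IDs and addresses are constructed.
$pageRecipients = [
    12 => 'sales@example.com',
    37 => 'support@example.com',
];

// Domains the site may ever send to; stops a leak even if the stored meta is tampered with.
$allowedDomains = ['example.com'];

function resolveRecipient(int $pageId, array $pageRecipients, array $allowedDomains): ?string
{
    if (!isset($pageRecipients[$pageId])) {
        return null;                                  // unknown page: no recipient, no mail
    }
    $to = $pageRecipients[$pageId];
    if (filter_var($to, FILTER_VALIDATE_EMAIL) === false) {
        return null;                                  // malformed stored address
    }
    $domain = strtolower(substr(strrchr($to, '@'), 1));
    return in_array($domain, $allowedDomains, true) ? $to : null;
}

// The pattern from the question, for contrast: the address arrives in the request,
// so whatever the bot posts becomes the recipient.
// $to = $_POST['recipient'];

// Hardened handler: only the page ID comes from the form; the address does not.
function handleSubmission(array $post, array $pageRecipients, array $allowedDomains): array
{
    $pageId = (int)($post['page_id'] ?? 0);
    $to = resolveRecipient($pageId, $pageRecipients, $allowedDomains);
    if ($to === null) {
        error_log("feedback form: rejected submission for page {$pageId}"); // worth alerting on
        return ['sent' => false];
    }
    // With PHPMailer this is where $mail->addAddress($to) goes; omitted so the script runs stand-alone.
    return ['sent' => true, 'to' => $to];
}

// Constructed requests: a legitimate one, and a bot-style one carrying its own address,
// which is simply ignored because the handler never reads it.
var_dump(handleSubmission(['page_id' => 12, 'message' => 'hello'], $pageRecipients, $allowedDomains));
var_dump(handleSubmission(['page_id' => 12, 'recipient' => 'random@attacker.invalid'], $pageRecipients, $allowedDomains));
var_dump(handleSubmission(['page_id' => 999], $pageRecipients, $allowedDomains));
```

Rejected submissions are logged, so the same mail.log and access.log entries quoted in the question can be used to confirm the bots are now hitting the rejection path instead of producing outbound mail.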
