Contact Forms (Cont’d)

The biggest problem with contact forms is that it is very common for them to have security flaws that allow spammers to send spam through your website. This is a very serious problem.

The exact security flaw that your website might have will depend on its particular code, but the general idea is as follows.

By reading the HTML source, the hacker can see the variables that must be passed to the script on your website that handles the data sent by the form and sends the actual email. (The script is the one named in the action attribute of the “form” tag.)

With this information, the hacker can now try to access the script directly, manipulating the variables. If the script allows the user to configure the destination email address, the hacker can pass any address he wants to the script, hence allowing him to send spam to anyone.

Let’s say we analyze the HTML code of a form and discover that the name of the script that handles the form is script.php and that the form has fields called from, to, subject, and text. Now, it is very easy for the hacker to access script.php?from=[email protected]&to=[email protected]&subject=CHEAP%20VIAGRA&text=cheap%20Viagra%20at%20my%20website and send an email to “[email protected]” with the subject “CHEAP VIAGRA” and the text “cheap Viagra at my website.”

We must emphasize that if the contact form script of your website has a security flaw such as this, the hacker will be able to transform your website into a spam server.

As you can see, contact forms that carry email addresses in their HTML code (see Figure 2) are the easiest to exploit, since they have a variable that configures the destination email. However, even if there is no email address in the HTML code, the script may have a hidden variable through which a hacker can configure the destination email. For instance, a hacker will most definitely access the script directly, trying variables such as “to” and “email.” If the script allows the external configuration of the destination email address, you are toast: it is just a matter of time before hackers discover the name of the variable. This is, of course, a major security flaw.

In summary, the script that handles the contact form must not accept the external configuration of the destination email address.
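The following PHP handler is an added example, not code from the article or from Hardware Secrets, illustrating the rule above. It assumes the form posts the fields from, subject, and text, that PHP’s mail() function is available, and that the site owner’s address is the placeholder constant CONTACT_RECIPIENT. The vulnerable pattern the article describes is shown in a comment; the live code hard-codes the recipient, ignores any “to” or “email” field a caller might add, and rejects line breaks in header fields so that extra recipients cannot be smuggled in through the subject or sender address.

```php
<?php
// Added example (not from the article): a contact-form handler that does not
// let the request choose the destination address.

// VULNERABLE PATTERN (what the article warns about): the recipient is read
// from the request, so anyone calling the script directly picks who gets mail.
//   $to = $_REQUEST['to'];
//   mail($to, $_REQUEST['subject'], $_REQUEST['text'], "From: " . $_REQUEST['from']);

// HARDENED VERSION
// Placeholder address; hard-coded, never taken from the request.
const CONTACT_RECIPIENT = 'owner@example.com';

// A CR or LF inside a header field would let a caller append extra headers
// such as "Bcc:" or "To:", so any such value is rejected outright.
function hasHeaderBreak(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Builds the message from the submitted fields, or returns null if the input
// is unacceptable. Any "to" or "email" field in $input is simply never read.
function buildMessage(array $input): ?array
{
    $from    = trim($input['from'] ?? '');
    $subject = trim($input['subject'] ?? '');
    $text    = $input['text'] ?? '';

    // FILTER_VALIDATE_EMAIL rejects malformed addresses, including ones with
    // embedded line breaks.
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    if ($subject === '' || strlen($subject) > 200 || hasHeaderBreak($subject)) {
        return null;
    }
    if (trim($text) === '') {
        return null;
    }

    return [
        'to'      => CONTACT_RECIPIENT,   // fixed destination
        'subject' => $subject,
        'body'    => $text,
        // The envelope sender is our own address (keeps SPF happy); the
        // visitor's address goes into Reply-To so replies still reach them.
        'headers' => 'From: ' . CONTACT_RECIPIENT . "\r\n"
                   . 'Reply-To: ' . $from . "\r\n",
    ];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $msg = buildMessage($_POST);
    if ($msg === null) {
        http_response_code(400);
        echo 'Invalid input.';
    } else {
        mail($msg['to'], $msg['subject'], $msg['body'], $msg['headers']);
        echo 'Thank you for your message.';
    }
} else {
    // Direct GET access to the script (the probing the article describes)
    // sends nothing.
    http_response_code(405);
}
```

To check a deployment of your own, submit the form with an extra “to” field pointing at an address you control and confirm that no message arrives there; the same check with a subject containing a line break should produce the “Invalid input” response rather than a sent email.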


Gabriel Torres is a Brazilian best-selling ICT expert, with 24 books published. He started his online career in 1996, when he launched Clube do Hardware, which is one of the oldest and largest websites about technology in Brazil. He created Hardware Secrets in 1999 to expand his knowledge outside his home country.