
Known insert record hack?

New Here, Feb 01, 2007

I'm having problems with comment spammers. For now, I've removed the form table from the pages that allow comments from site users. I'm using a Microsoft Access database and the Dreamweaver-generated insert record function.

However, it is clear that it is still possible to insert a record into my comment database without having the form table available on a web page. Is this a known exploit? How is it done?

I guess I don't care how they do it, but I do want to know how to prevent it.

LEGEND, Feb 02, 2007

.oO(bchristen)

>I'm having problems with comment spammers. For now, I've removed the form table
>from the pages that allow comments from site users. I'm using a microsoft
>access database and the Dreamweaver-generated insert record function.
>
> However, it is clear that it is still possible to insert a record into my
>comment database without having the form table available on a web page. Is this
>a known exploit? How is it done?

As soon as someone knows the URL of the form processing script, it
doesn't need a form anymore to send arbitrary data to it. It's like
starting a Google search by just clicking on a link like

http://www.google.com/search?q=guestbook+spam

In this case you don't have to use the search form, because the search
script on the server is called directly with the necessary parameters.
The same can be done quite easily for forms that use the POST method to
send their data.

> I guess I don't care how they do it, but I do want to know how to prevent it.

Preventing that is not an easy task, but maybe the link above helps to
get started.

Micha


LEGEND, Feb 02, 2007

As Michael said, once they know the address of the form, they can send data
to the receiving page. There are many programs available to scan the web for
contact forms and forums and post to them automatically; once they have the
address, regular postings are made. I used to have a forum, and took it down
months ago, and still get over a hundred attempts a day to post to it from
bots.

There are ways to avoid it, usually by asking the user to input data and
ignore posts where the data is incorrect or missing (by bots).

A simple solution is to set up an array of simple questions and their
answers, ask a question randomly from the array on the form page and send
the id of the question in a hidden field so you can cross reference it to
the answer. Simple questions which only have one clear answer should be used
such as "What colour is grass". If the answer is wrong you ignore the
posting.

For a more advanced solution you can use a CAPTCHA, which shows random text as
an image, and the user has to type in what the image says. Humans can read
it, most bots can't. Do a search on CAPTCHA in Google to find more info.

--
Gareth
http://www.phploginsuite.co.uk/
PHP Login Suite V2 - 34 Server Behaviors to build a complete Login system.
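The question-and-answer check Gareth describes, written out as an added example in Python. This is not code from the thread or from the PHP Login Suite; the question bank, the field names `qid`, `answer`, `name` and `comment`, and the `insert_record` callback are assumptions made for the example. The key point it shows is the one Micha raises: since a bot can POST straight to the processing script, the script itself must do the check, look the answer up server-side by the hidden id, and refuse to insert anything when the id is missing, unknown, or the answer is wrong.

```python
import hmac
import secrets

# Constructed question bank for this example (id -> (question shown to user, answer)).
# Only the id travels to the browser in a hidden field; the answer stays on the server.
QUESTIONS = {
    "1": ("What colour is grass?", "green"),
    "2": ("How many days are in a week?", "7"),
    "3": ("What is the opposite of hot?", "cold"),
}


def pick_question():
    """Choose a random question for the form page.

    Returns (qid, question_text). Render question_text next to the answer box and
    put qid in a hidden input so the processing script can cross-reference it.
    """
    qid = secrets.choice(list(QUESTIONS))
    return qid, QUESTIONS[qid][0]


def normalize(text):
    """Collapse case and whitespace so ' Green ' and 'green' compare equal."""
    return " ".join(text.strip().lower().split())


def verify_submission(fields):
    """Check the submitted form fields against the server-side answer.

    fields is a dict of POSTed form values (what the script receives whether the
    request came from the real form or from a bot hitting the URL directly).
    Returns (accepted, reason).
    """
    qid = fields.get("qid")
    if qid not in QUESTIONS:
        # Hidden field missing or tampered with: a direct POST without the form.
        return False, "missing or unknown question id"
    given = fields.get("answer")
    if not given:
        return False, "no answer supplied"
    expected = normalize(QUESTIONS[qid][1]).encode("utf-8")
    got = normalize(given).encode("utf-8")
    # Constant-time comparison; cheap habit even for short answers.
    if not hmac.compare_digest(got, expected):
        return False, "wrong answer"
    return True, "ok"


def handle_comment_post(fields, insert_record):
    """Form-processing entry point: insert the record only when the check passes.

    insert_record is whatever writes the row to the comment database (assumed
    callback). A failed check is silently dropped, as Gareth suggests.
    """
    accepted, reason = verify_submission(fields)
    if accepted:
        insert_record({
            "name": fields.get("name", ""),
            "comment": fields.get("comment", ""),
        })
    return accepted, reason


if __name__ == "__main__":
    saved = []

    # Constructed sample submissions: one real user, one bot posting directly.
    qid, question = pick_question()
    print("Form shows:", question)
    human = {"qid": qid, "answer": QUESTIONS[qid][1], "name": "Ann", "comment": "Nice site"}
    bot = {"name": "spam", "comment": "cheap pills"}  # no qid/answer at all

    print(handle_comment_post(human, saved.append))
    print(handle_comment_post(bot, saved.append))
    print("rows inserted:", len(saved))
```

Because the hidden `qid` is chosen by the client, the processing script must treat it only as a lookup key into its own table and never accept an answer shipped along in the form; with a small bank, expect bots that learn one pair to replay it, which is why Gareth points to a CAPTCHA as the next step up.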