It depends what the form does. If it allows file uploads, then definitely yes, this is a major attack vector. If it allows the malicious user to modify the pages of the site, through commenting or other sorts of unmoderated updates, then yes also, through another trick called XSS (Cross Site Scripting).
But the feedback form is neither of these things, and Tim has done a very good job of making it secure. About the only thing I can imagine it being able to do is to blindly Bcc: a bunch of messages out (I’m pretty sure it couldn’t be tricked into that, but this is PHP, so hard to say) but as for taking over your server, that’s a big fat no in my opinion.
Unless your site runs on a VPS (Virtual Private Server) or a co-located server where you have root, it’s never completely possible to pin the blame on something YOU did. Most modern hosting providers put hundreds or thousands of sites on the same Apache server, and that’s fine – Apache was designed for that – but they make it possible for one site to be compromised by something dumb done in another. Ask your host if they can provide a list of the following running on the same server (no names, but yes or no, and version if possible). These are the big attack surfaces that I know of:
- phpBB
- phpMyAdmin (older versions)
- Joomla!
- WordPress
The problem with these is that they are widely installed by users who don’t keep up with the security updates. Their host provides a One Click Installer! and they dutifully Click Once. Then they never think about it again. There are automated attack utilities that are written by bad people and either given away or sold for a reasonable rate to “script kiddies” who are out for bragging rights, a cheap thrill, or a trove of unsecured credit card numbers. (From their perspective, it’s like fishing with dynamite. Light the fuse, and see what floats to the surface.) These utilities probe the whole net, all day long, looking for out-of-date versions of these common platforms, and exploit well-known weaknesses to gain a foothold. Once they get into one host on the server, it’s often trivial to jump over the walls into other hosts. You need not necessarily be to blame here.
Since your business is the net, and since you just learned an expensive lesson in how much it can cost you to be off the net, it might be time to invest in a private server. These are not especially expensive any more, but they are at least 10 times more expensive than commodity “shared” hosting. But if it’s the difference between paying $100 a year or $1,000, ask yourself this: how long does it take you to bill $900? That’s how many hours and minutes you can afford to spend on cleaning up this mess the next time. I guarantee, you’ve already spent that several times over this time around.
Walter
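The "blindly Bcc: a bunch of messages out" trick Walter refers to is mail-header injection: when a form handler pastes a submitted address straight into the extra-headers string of PHP's mail(), a value containing a carriage return or newline can smuggle in additional header lines such as Bcc:. The block below is an added example, not code from this thread or from the feedback form it discusses; it reconstructs that concatenation pattern in Python, shows how a parser on the receiving side sees the smuggled header, and shows the check that defeats it. Every name, address and input in it is constructed for the example.

```python
"""Mail-header injection: the naive pattern and the check that stops it.

Added example, not code from the original thread or from the feedback form
it discusses. It reconstructs in Python the PHP-style pattern of pasting a
submitted address into the extra-headers string passed to mail(). Every
name, address and input below is constructed for the example.
"""
import re
from email.parser import HeaderParser


class HeaderInjection(ValueError):
    """Raised when submitted input could terminate or add a header line."""


# Constructed for the example: one address, no whitespace, no CR/LF.
# Deliberately simple; not a full RFC 5322 address validator.
_SINGLE_ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def build_headers_vulnerable(reply_to):
    """Naive handler: the equivalent of
    mail($to, $subject, $body, "From: " . $_POST['email']) in PHP.
    Whatever the user typed, CR/LF included, lands in the header block."""
    return "From: " + reply_to + "\r\n"


def build_headers_hardened(reply_to):
    """Same header block, but refuse anything that could start a new header
    line, and insist the value is exactly one address."""
    if any(c in reply_to for c in ("\r", "\n", "\x00")):
        raise HeaderInjection("CR/LF or NUL in submitted address")
    if not _SINGLE_ADDRESS.match(reply_to):
        raise HeaderInjection("not a single well-formed address")
    return "From: " + reply_to + "\r\n"


def accepts(reply_to):
    """True if the hardened builder accepts the submitted value."""
    try:
        build_headers_hardened(reply_to)
        return True
    except HeaderInjection:
        return False


def injected_recipients(raw_headers):
    """Parse a header block the way the mail pipeline would and return every
    address that ended up in a To:, Cc: or Bcc: field."""
    msg = HeaderParser().parsestr(raw_headers, headersonly=True)
    found = []
    for field in ("to", "cc", "bcc"):
        for value in msg.get_all(field, []):
            found.extend(a.strip() for a in value.split(",") if a.strip())
    return found


# Constructed attacker input: a valid-looking address, a CRLF, and a
# smuggled Bcc: line.  An honest submission is given for comparison.
PAYLOAD = "attacker@example.net\r\nBcc: victim1@example.org, victim2@example.org"
HONEST = "alice@example.com"


if __name__ == "__main__":
    print("vulnerable handler, extra recipients:",
          injected_recipients(build_headers_vulnerable(PAYLOAD)))
    for value in (HONEST, PAYLOAD):
        try:
            print("hardened accepted:", build_headers_hardened(value).strip())
        except HeaderInjection as exc:
            print("hardened rejected:", exc)
```

Rejecting CR/LF (and NUL) is the essential check; matching the whole value against a single-address pattern is defence in depth against other odd input. Where the mail library offers a structured API for setting headers instead of a concatenated header string, use that rather than relying on string filtering at all.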
On Sep 15, 2011, at 9:57 AM, Jamie Turner wrote:
Hi, Folks –
My site was hacked into the other day. I’ve spent the past 72 hours trying to fix the problem.
freewaytalk mailing list
Update your subscriptions at:
http://freewaytalk.net/person/options