I have a fairly straightforward PHP script running the contact page on my site here: http://twistedmelon.com/contact/contact.php which is apparently being exploited to send out mail to arbitrary addresses (perhaps the sends are failing, but it's still being exploited nonetheless).
Recently I've been receiving a lot of bounced mail back to my domain, but it wasn't using a simple spoofed FROM address. I asked the support guys at Dreamhost to look into it for me, and this is when they discovered what I mentioned above.
The script/page doesn't allow any free-form input except the from address, subject and message body. The way a destination address is selected is by picking an entry from a pop-up menu that just contains a value for a simple variable. That value is not actually the address. That variable is then used internally in the script to pick an address. The destination addresses are hard-coded in the script and are processed only server-side.
I didn't think this was exploitable but I'm no PHP or web security expert. Here's what Dreamhost staff wrote back to me:
Quote:
After further review, I take back the spoofing statement. It does actually seem like the spammers are exploiting a script on your account. From our mail logs, here is what I found about that specific email:
/var/log/mail.log:Mar 6 09:25:14 alondra postfix/pickup[6833]:
2CF7830538: uid=654843 from=<hybrid8>
/var/log/mail.log:Mar 6 09:25:14 alondra postfix/cleanup[5301]:
2CF7830538: message-id=<[email protected]>
/var/log/mail.log:Mar 6 09:25:14 alondra postfix/cleanup[5301]:
2CF7830538: to=<unknown>, relay=none, delay=0, status=bounced (No
recipients specified)
alondra: 0
which corresponds to this entry in your access log for twistedmelon.com:
/home/hybrid8/logs/twistedmelon.com/http/access.log:216.133.248.226 - - [06/Mar/2007:09:25:14 -0800] "POST /contact/contact.php HTTP/1.0" 200 0 "http://twistedmelon.com/contact/contact.php?to=sales&subject=Alternate%20Payment%20Gateway%20Requested" "Opera/9.0 (Windows NT 5.1; U; en)"
It looks like your contact form is getting exploited. Luckily we have put in a fix in our mod_security setup to stop this. However, you will need to turn ON mod_security in order for it to shield your contact script from common injection attacks. To turn on mod_security for your domain, just click "extra security" for your domain after you click the tool under the "web hosting" column.
Other than turning on this option they mention, is there any way to secure my script via the way it's written/implemented? I'd like to know, if only for my own sanity. There may also be a problem with the Mint statistics tracking installation with this option set (which I'm about to confirm).
I can provide the source for the script in PM or email if anyone can help. Thanks.
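As an added example (not the poster's contact.php, which isn't shown here), this is how a handler for the form described above can be written so that the free-form fields cannot smuggle extra mail headers (Bcc:, To:, etc.) into the call to mail(); it assumes the form fields are named to, from, subject and message, and the recipient addresses are placeholders.

```php
<?php
// Added example, not the original script. The "to" field is a menu key that is
// mapped server-side to hard-coded addresses (placeholders below).
$recipients = [
    'sales'   => 'sales@example.com',
    'support' => 'support@example.com',
];

// A value destined for a mail header must not contain CR, LF or NUL (which
// would start a new header line) or look like a header itself.
function is_header_safe(string $value): bool
{
    if (preg_match('/[\r\n\0]/', $value)) {
        return false;
    }
    return !preg_match('/^\s*(bcc|cc|to|content-type|mime-version)\s*:/i', $value);
}

function handle_contact(array $post, array $recipients): string
{
    $key     = $post['to'] ?? '';
    $from    = trim($post['from'] ?? '');
    $subject = trim($post['subject'] ?? '');
    $body    = $post['message'] ?? '';

    // Unknown menu key: refuse rather than fall back to any caller-supplied address.
    if (!isset($recipients[$key])) {
        return 'error: unknown recipient';
    }
    // The sender must parse as a single e-mail address and carry no header breaks.
    if (!filter_var($from, FILTER_VALIDATE_EMAIL) || !is_header_safe($from)) {
        return 'error: invalid sender address';
    }
    if ($subject === '' || strlen($subject) > 200 || !is_header_safe($subject)) {
        return 'error: invalid subject';
    }
    // The body is never interpolated into the header block, so line breaks are fine there.
    $headers = 'From: ' . $from . "\r\n" . 'Reply-To: ' . $from . "\r\n";
    if (!mail($recipients[$key], $subject, $body, $headers)) {
        return 'error: mail() failed';
    }
    return 'ok';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    echo handle_contact($_POST, $recipients);
}
```

Logging each rejected submission with the client IP gives the same evidence trail the Dreamhost staff reconstructed from the access log, without relying on mod_security alone.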