[thelist] Mail script exploits WAS: Spam Cop??

Jeroen Sangers evolt at jeroensangers.com
Thu Feb 13 11:53:01 CST 2003

Koutoulas, Pete <PKOUTOUL at Fayette.k12.ky.us> wrote:
> I scanned that document, but as far as I can tell any of the exploits
> mentioned only work because the Formmail script is designed to send
> mail to an arbitrary address or list of addresses specified in hidden
> form fields. As I mentioned, my very simple script has my email
> address hard-coded into it. The way I see it, the worst thing that
> can happen is that I get the occasional flood of blank messages from
> people messing around with the form. I don't see how it could be
> exploited to send mail to any other address but mine. Am I wrong?

Further suggestions:

- check in the script the referrers calling your script (normally only your
web site)
- disable GET method
- check whether it is possible to override your hard-coded recipient by
adding variables to the URL

Kind regards,

Jeroen Sangers


More information about the thelist mailing list