[thelist] Mail script exploits WAS: Spam Cop??

Jeroen Sangers evolt at jeroensangers.com
Thu Feb 13 11:53:01 CST 2003


Koutoulas, Pete <PKOUTOUL at Fayette.k12.ky.us> wrote:
> I scanned that document, but as far as I can tell any of the exploits
> mentioned only work because the Formmail script is designed to send
> mail to an arbitrary address or list of addresses specified in hidden
> form fields. As I mentioned, my very simple script has my email
> address hard-coded into it. The way I see it, the worst thing that
> can happen is that I get the occasional flood of blank messages from
> people messing around with the form. I don't see how it could be
> exploited to send mail to any other address but mine. Am I wrong?

Further suggestions:

- check in the script the referrer of the requests calling it (normally only
your own web site)
- disable GET method
- check whether it is possible to override your hard-coded recipient by
adding variables to the URL


Kind regards,

Jeroen Sangers

www.jeroensangers.com
www.fimcap.org
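An added example, not code from this thread or from any Formmail release, showing the three suggestions above in a minimal Python form handler next to the weak pattern they guard against. The site host, the hard-coded recipient, the helper names and the sample requests are assumptions made for illustration.

```python
"""Minimal mail-form handler: the three checks from the message above,
beside the Formmail-style pattern that lets the recipient be overridden.
Site host, recipient and request shapes are assumed for illustration."""
from urllib.parse import parse_qs, urlparse

# Assumed deployment: the form lives on this host and always mails this address.
SITE_HOST = "www.example.org"
HARD_CODED_RECIPIENT = "webmaster@example.org"


def parse_form(encoded: str) -> dict:
    """Decode a query string or urlencoded body, keeping the first value per field."""
    return {k: v[0] for k, v in parse_qs(encoded, keep_blank_values=True).items()}


def weak_handler(method: str, query: str, body: str, headers: dict) -> dict:
    """Weak pattern: script defaults first, then every request variable
    (query string and body) merged over them. The hard-coded recipient is
    only a default here, so ?recipient=... or a hidden field overrides it."""
    params = {"recipient": HARD_CODED_RECIPIENT, "message": ""}
    params.update(parse_form(query))
    params.update(parse_form(body))
    return {"accepted": True, "to": params["recipient"], "body": params["message"]}


def hardened_handler(method: str, query: str, body: str, headers: dict) -> dict:
    """Apply the three suggestions from the message above."""
    # 1. Disable GET: only POSTed forms are processed, so a crafted link
    #    cannot trigger a mail on its own.
    if method != "POST":
        return {"accepted": False, "reason": "only POST is accepted"}

    # 2. Referrer check: the request should come from a page on our own site.
    #    Caveat: Referer is set by the client and is trivially forged, so this
    #    only filters casual abuse and must not be the sole control.
    referer_host = urlparse(headers.get("Referer", "")).hostname
    if referer_host != SITE_HOST:
        return {"accepted": False, "reason": "unexpected referrer %r" % referer_host}

    # 3. No override of the recipient: the query string is never consulted
    #    and a 'recipient' field in the body is ignored; the destination is
    #    the script's own constant, never a request parameter.
    fields = parse_form(body)
    return {"accepted": True, "to": HARD_CODED_RECIPIENT, "body": fields.get("message", "")}


# Constructed requests for a quick self-check (assumed, not captured traffic).
GOOD_HEADERS = {"Referer": "https://www.example.org/contact.html"}
OVERRIDE = "recipient=attacker%40evil.example&message=hi"


def run_checks() -> dict:
    """Exercise both handlers with the constructed requests and return the outcomes."""
    return {
        "weak_via_query": weak_handler("GET", OVERRIDE, "", {})["to"],
        "weak_via_body": weak_handler("POST", "", OVERRIDE, GOOD_HEADERS)["to"],
        "hard_get": hardened_handler("GET", OVERRIDE, "", GOOD_HEADERS),
        "hard_bad_referer": hardened_handler("POST", "", OVERRIDE, {"Referer": "https://evil.example/"}),
        "hard_ok": hardened_handler("POST", OVERRIDE, OVERRIDE, GOOD_HEADERS),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(name, result)
```

The weak handler answers Pete's question directly: whether a hard-coded address can be overridden depends on whether the script ever merges request variables over its own configuration, which is exactly the third check above. The hardened handler passes the constructed override attempt straight through to the fixed address.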
