[thelist] Email header injection
Kasimir K
evolt at kasimir-k.fi
Fri Nov 11 10:40:31 CST 2005
Liam Delahunty wrote on 2005-11-11 16:09:
> Anyway, one simple addition to the form (this is in php): just check if
> the form has been submitted from the web page.
> if ($HTTP_REFERER != $SCRIPT_URI){
This is a good idea, but has some problems. The request headers are like:
[Referer] => http://www.kasimir-k.fi/
[Host] => www.kasimir-k.fi
[Content-Type] => application/x-www-form-urlencoded
[Connection] => Keep-Alive
[Content-Length] => 332
So as on the web there are no links to my site that would include the
script name (index.php), then the spiders have no way of knowing it. But
if there were such links, then this method would fail, wouldn't it?
And the other problem is that this would give false alarms: many people
choose to hide the Referer for various reasons. And I believe that some
firewalls do this by default (not sure though).
.k
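As an added example (not code from the thread or from either poster), here is a PHP form check that validates the fields that end up in mail headers instead of trusting the Referer, with the Referer kept only as a weak hint; function names and the sample submissions are constructed:

```php
<?php
// Added example: check the submitted values before they reach mail(),
// since a Referer check can be absent (privacy settings, firewalls) or set
// by any client, as the thread points out.

function hasHeaderInjection(string $value): bool
{
    // A CR or LF in a value that is placed in a mail header lets the sender
    // append further headers or start a second message body.
    return (bool) preg_match('/[\r\n]/', $value);
}

function validateContactForm(array $post): array
{
    $errors = [];
    foreach (['name', 'email', 'subject'] as $field) {
        $value = $post[$field] ?? '';
        if (hasHeaderInjection($value)) {
            $errors[] = "$field contains a line break";
        }
    }
    if (!filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL)) {
        $errors[] = 'email is not a valid address';
    }
    return $errors;
}

// The Referer test from the thread, reduced to a hint: missing for many
// legitimate users, so it must never be the only gate.
function refererLooksLocal(?string $referer, string $host): bool
{
    return $referer !== null
        && parse_url($referer, PHP_URL_HOST) === $host;
}

// Constructed sample submissions: one ordinary, one carrying a CRLF.
$clean = ['name' => 'Kasimir', 'email' => 'evolt@example.com', 'subject' => 'Hello'];
$injected = ['name' => 'x', 'email' => "a@example.com\r\nBcc: someone@example.com", 'subject' => 'Hi'];

print_r(validateContactForm($clean));
print_r(validateContactForm($injected));
var_dump(refererLooksLocal(null, 'www.kasimir-k.fi'));
var_dump(refererLooksLocal('http://www.kasimir-k.fi/', 'www.kasimir-k.fi'));
```

Run it with `php example.php`; the first submission yields no errors, the second is rejected on the line break alone, whatever the Referer says.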