[thelist] Email header injection

M. Seyon evoltlist at delime.com
Fri Nov 11 08:40:09 CST 2005

Message from Kasimir K (11/11/2005 02:26 PM)

>Nick Wilsdon wrote on 2005-11-11 13:10:
> > If they can turn the form
> > into HTML they have an opportunity to use HEX characters, which you aren't
> > stripping out there.
>But aren't both \n and %0A just different ways of presenting 00001010?

I strip the phrase Content-Type as well as those strings you mentioned.

>bcc: onemoreaddress at hotpop.com

I'll be keeping an eye on this thread as I got a bunch of these last night 
with this same bcc address.
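
An added example, not part of the original post or thread: a check for form fields destined for mail headers that treats a raw line break and its percent-encoded form (the \n and %0A discussed above) as the same thing, and rejects the field instead of stripping strings from it. The function names, the decode-round cap and the sample addresses are constructed for illustration.

```python
import re
from urllib.parse import unquote

# CR and LF are the characters that end a header line and let a
# submitted value start a new header such as "bcc:".
_LINE_BREAKS = re.compile(r"[\r\n]")
MAX_DECODE_ROUNDS = 3  # assumption: cap on nested percent-encoding layers


def find_header_break(value: str):
    """Return a description of the first line break in value, checking the
    raw text and each percent-decoded layer; None if no break is found."""
    current = value
    for depth in range(MAX_DECODE_ROUNDS + 1):
        match = _LINE_BREAKS.search(current)
        if match:
            kind = "raw" if depth == 0 else f"percent-encoded (depth {depth})"
            return f"{kind} line break at offset {match.start()}"
        decoded = unquote(current)
        if decoded == current:      # nothing left to decode
            return None
        current = decoded
    return "too many encoding layers"   # fail closed


def safe_header_value(value: str) -> str:
    """Reject (do not strip) a form field that would span header lines."""
    problem = find_header_break(value)
    if problem:
        raise ValueError(f"rejected header value: {problem}")
    return value.strip()


# Constructed sample inputs for a "From" form field.
SAMPLES = [
    "visitor@example.com",
    "visitor@example.com\nbcc: other@example.com",
    "visitor@example.com%0Abcc: other@example.com",
    "visitor@example.com%250Abcc: other@example.com",
    "100%25 satisfied",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", find_header_break(sample) or "ok")
```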

