[thelist] Email header injection

Kasimir K evolt at kasimir-k.fi
Fri Nov 11 10:40:31 CST 2005

Liam Delahunty scribeva in 2005-11-11 16:09:
> Anyway, one simple addition to the form (this is in php) Just check if
> the form has been submit ed from the web page.


This is good idea, but has some problems. The request headers are like:

     [Referer] => http://www.kasimir-k.fi/
     [Host] => www.kasimir-k.fi
     [Content-Type] => application/x-www-form-urlencoded
     [Connection] => Keep-Alive
     [Content-Length] => 332

So as on the web there are no links to my site that would include the 
script name (index.php), then the spiders have no way of knowing it. But 
if there were such links, then this method would fail, wouldn't it?

And the other problem is, that this would give false alarms: many people 
choose to hide the Referer for various reasons. And I believe that some 
firewalls do this by default (no sure though).


More information about the thelist mailing list