[thelist] Email header injection
Kasimir K
evolt at kasimir-k.fi
Fri Nov 11 16:45:29 CST 2005
Noah St. Amand scribeva in 2005-11-11 17:40:
> 1. setting a hidden variable in the form,
How about creating an unique id each time the form is requested, saving
that id in a db and putting it also in the form in a hidden field. When
a POST request is received the value of the hidden field must be found
in the db or the script exits.
As the bot only makes the submitting request it can't have a correct
value for the hidden field, however clever it is.
Even for forms that don't put any user input in the mail message's
headers, this approach would save the annoyance of receiving the attempts.
.k
More information about the thelist
mailing list