List: interchange-users
Subject: RE: [ic] Mail forms under attack!!
From: maillists <lists () gmnet ! net>
Date: 2006-01-20 5:13:21
Message-ID: 1137734002.12955.164.camel () localhost
On Thu, 2006-01-19 at 22:48 -0500, Daniel Davenport wrote:
>
> Also keep in mind, any form mailer that has the "To" address in a CGI
> field is by its very nature prone to abuse. The destination address
> should _never_ be directly settable by the user; if you must make the
> address selectable, at least check it against a short list of allowed
> recipients.
>
> For reference....just because the field is hidden in a form, that
> doesn't mean that it can't be set at will by a hacker or by a bot
> designed to abuse email-us pages. If you already know who the email
> will go to, it's better to set the address as a scratch variable -- or
> even hard-code it into the page -- than to allow Joe User the chance to
> hijack your contact form.
>
> I haven't seen the form in question, so this is all just a cautionary
> note. I've just seen way too many form mailers and contact pages that
> had similar weaknesses.
>
> --
> Daniel Davenport
> New Age Digital
> http://www.newagedigital.com
Thanks so much EVERYBODY for helping with this, I'm pretty sure that I
have it fixed! (fingers crossed) and again I sincerely apologize if any of
you were hit with spam from my server. As it turns out I'm fairly
certain that it was not IC at all, but a PHP contact form! (I will no
longer host postnuke sites, only IC or static html!)
Anyway, I think it is in order that I submit to a jury of my peers (IC
List -- even though I am only a glorified newbie) as to what my sentence
should be for being a bad host! Community service? Adopt a website? Free
hosting for some time to a non-profit? I await your verdict... :)
Thanks ICDevGroup and List Users!
Rick
_______________________________________________
interchange-users mailing list
interchange-users@icdevgroup.org
http://www.icdevgroup.org/mailman/listinfo/interchange-users
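The weakness Daniel describes above, as an added example that is not part of the thread and not Interchange's or any PHP form mailer's own code: a form mailer that reads the destination from a (hidden) "to" field beside a hardened version that accepts only a short department key and resolves the address from a server-side allowlist. The addresses, field names and POST bodies are constructed for illustration; mail is built with the standard library but never sent, so it runs offline.

```python
"""Form-mailer recipient handling: trusting a hidden 'to' field versus an
allowlist keyed by a short name.  Added example; all addresses and POST
bodies below are hypothetical."""
from email.message import EmailMessage
from urllib.parse import parse_qs

# Hypothetical allowlist: the only addresses the form may ever deliver to.
ALLOWED_RECIPIENTS = {
    "sales": "sales@example.com",
    "support": "support@example.com",
}
DEFAULT_RECIPIENT = "webmaster@example.com"
SENDER = "contact-form@example.com"


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded POST body, first value wins."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def vulnerable_mailer(form: dict) -> EmailMessage:
    """Trusts the 'to' field.  The HTML may carry it as
    <input type="hidden" name="to" value="owner@example.com">, but a bot
    posting straight to the script supplies any value it likes, so the
    form becomes an open relay for whoever finds it."""
    msg = EmailMessage()
    msg["To"] = form.get("to", DEFAULT_RECIPIENT)
    msg["From"] = SENDER
    msg["Subject"] = "Contact form submission"
    msg.set_content(form.get("message", ""))
    return msg


def hardened_mailer(form: dict) -> EmailMessage:
    """Never takes an address from the client.  The form offers a 'dept'
    key that is looked up server-side; a missing key uses the fixed
    default, and an unknown key is rejected outright so tampering is
    visible in the logs rather than silently redirected."""
    dept = form.get("dept")
    if dept is None:
        recipient = DEFAULT_RECIPIENT
    elif dept in ALLOWED_RECIPIENTS:
        recipient = ALLOWED_RECIPIENTS[dept]
    else:
        raise ValueError(f"recipient key not in allowlist: {dept!r}")
    msg = EmailMessage()
    msg["To"] = recipient
    msg["From"] = SENDER
    msg["Subject"] = "Contact form submission"
    msg.set_content(form.get("message", ""))
    return msg


def recipient_of(msg: EmailMessage) -> str:
    """Plain-string To header, for comparison."""
    return str(msg["To"])


# Constructed POST bodies: what the page's hidden field would send, and what
# a spam bot sends after reading the form once.
LEGIT_BODY = "to=owner%40example.com&message=Question+about+an+order"
ATTACK_BODY = "to=victim%40example.org&message=Buy+now"


if __name__ == "__main__":
    print("vulnerable, legit :", recipient_of(vulnerable_mailer(parse_form(LEGIT_BODY))))
    print("vulnerable, attack:", recipient_of(vulnerable_mailer(parse_form(ATTACK_BODY))))
    print("hardened, no key  :", recipient_of(hardened_mailer(parse_form(ATTACK_BODY))))
    print("hardened, sales   :", recipient_of(hardened_mailer(parse_form("dept=sales&message=hi"))))
    try:
        hardened_mailer(parse_form("dept=victim%40example.org&message=spam"))
    except ValueError as exc:
        print("hardened, tampered:", exc)
```

The point of the allowlist is that the client only ever names a key, never an address, so hiding the field, renaming it, or obfuscating the address in the HTML is beside the point: the script must refuse to deliver anywhere it did not already know about.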