Help with cgi script attack

Tim ignored_mailbox at yahoo.com.au
Mon Mar 20 00:42:26 UTC 2006


On Sun, 2006-03-19 at 13:31 +0000, Dave Cross wrote:
> It's a common problem with badly written formmail programs. The rule
> of thumb should be that you only send fixed text to email addresses
> that come from form input and only send form input data to fixed email
> addresses.

That's a little unclear...  Being more clear about it:

Don't let a mailform script send mail to an address that's provided by
the form (in any manner).  Spammers will provide their own addresses to
your script that they want to send spam to.  They may write their own
form, putting in their own recipients fields, or if you're silly enough
to put a form on your site that lets them specify an address, they'll
use that.

Have the addresses the form will be allowed to send mail to configured
elsewhere, where no-one else can set them.  And have your script
configured to only allow sending to those addresses.

The NMS form mail script works that way.  In your form you have some
aliases for recipients, that the form script will use to determine which
address to send to.

e.g. Your form may specify that the recipient is the "author".
     The script has a table of addresses, and "author" refers to
     mailing webmaster at example.com

If you leave your system open to abuse, it will be abused.  Eventually
you'll end up on some blacklist, or several, and you won't be able to
send mail to any system that uses them.

-- 
Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
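The alias table Tim describes, as an added example in Python (NMS FormMail itself is a Perl script; this is not its code and not anything from the original post). It assumes a CGI-style handler that receives the form fields as a dict; the alias table, the addresses and the sample submissions are constructed for the example.

```python
"""Recipient-alias resolution for a mail-form handler.

Added example, not the NMS FormMail code.  Assumes a hypothetical
CGI-style handler whose form data arrives as a dict of field -> value.
The alias table, addresses and sample submissions are constructed.
"""
from email.message import EmailMessage

# Fixed mapping from form alias to real address.  This lives in the
# script's own configuration, never in anything a client can submit.
RECIPIENT_ALIASES = {
    "author": "webmaster@example.com",   # constructed sample address
    "sales": "sales@example.com",        # constructed sample address
}


class RecipientError(ValueError):
    """Raised when the form names a recipient that is not a configured alias."""


def is_allowed_recipient(form, aliases=RECIPIENT_ALIASES):
    """True only if the 'recipient' field is an exact key of the alias table."""
    return form.get("recipient") in aliases


def resolve_recipient(form, aliases=RECIPIENT_ALIASES):
    """Map the form's 'recipient' field to a configured address.

    Anything that is not an exact alias key is rejected, which covers a
    literal e-mail address submitted from a form of the sender's own making.
    """
    if not is_allowed_recipient(form, aliases):
        raise RecipientError(
            f"recipient {form.get('recipient')!r} is not a configured alias")
    return aliases[form["recipient"]]


def build_message(form, sender="form@example.com", aliases=RECIPIENT_ALIASES):
    """Build the outgoing message: fixed To: and Subject:, form data only in the body."""
    to_addr = resolve_recipient(form, aliases)
    msg = EmailMessage()
    msg["From"] = sender                     # fixed, configured sender
    msg["To"] = to_addr                      # fixed, configured recipient
    msg["Subject"] = "Web form submission"   # fixed text, never form input
    body = "\n".join(f"{k}: {v}" for k, v in sorted(form.items())
                     if k != "recipient")
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    # Constructed sample submissions: one legitimate, two that name
    # addresses the script was never configured to send to.
    legit = {"recipient": "author", "name": "Alice", "comment": "Nice site"}
    print("would send to:", build_message(legit)["To"])
    for bad in ({"recipient": "someone@example.net"},
                {"recipient": "author, someone@example.net"}):
        try:
            build_message(bad)
        except RecipientError as err:
            print("rejected:", err)
```

The only thing the client controls is which alias key is looked up; the address itself, the sender and the subject come from the script's configuration, so a submission that carries an address (or an alias followed by an address) simply fails the lookup and nothing is sent.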

More information about the fedora-list mailing list