
Re: Help with cgi script attack



On Sun, 2006-03-19 at 13:31 +0000, Dave Cross wrote:
> It's a common problem with badly written formmail programs. The rule
> of thumb should be that you only send fixed text to email addresses
> that come from form input and only send form input data to fixed email
> addresses.

That's a little unclear...  Being more clear about it:

Don't let a mailform script send mail to an address that's provided by
the form (in any manner).  Spammers will provide their own addresses to
your script that they want to send spam to.  They may write their own
form, putting in their own recipients fields, or if you're silly enough
to put a form on your site that lets them specify an address, they'll
use that.

Have the addresses the form will be allowed to send mail to configured
elsewhere, where no-one else can set them.  And have your script
configured to only allow sending to those addresses.

The NMS form mail script works that way.  In your form you have some
aliases for recipients, that the form script will use to determine which
address to send to.

e.g. Your form may specify that the recipient is the "author".
     The script has a table of addresses, and "author" refers to
     mailing webmaster@example.com

If you leave your system open to abuse, it will be abused.  Eventually
you'll end up on some blacklist, or several, and you won't be able to
send mail to any system that uses them.

-- 
Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
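To make the alias-table approach above concrete, here is an added example (my own illustration, not the NMS FormMail code or anything from the original thread) of the two halves side by side: a form handler that takes the recipient address straight from the form, which is exactly what the spammers in this thread are abusing, and the same handler rewritten so the form only names an alias that is looked up in a table the submitter cannot change. The alias names, addresses and form fields are constructed placeholders; the handler builds the message and returns it rather than sending it, so it can be run offline.

```python
import email.message

# Fixed table of recipient aliases -> real addresses.  This lives in the
# script (or a config file the web server cannot write), never in the form.
# The aliases and addresses are constructed placeholders for this example.
RECIPIENTS = {
    "author": "webmaster@example.com",
    "sales": "sales@example.com",
}

# The envelope/From address is fixed as well.  Nothing the visitor types
# ever ends up in a mail header; form data goes only into the body.
SENDER = "formmail@example.com"


class FormMailError(ValueError):
    """Raised when a submission names a recipient we are not configured for."""


def build_message_unsafe(form):
    """The pattern being abused: the form says where the mail goes.

    Anyone can post 'recipient=victim@example.net' (from their own copy of
    the form, they do not need yours) and turn the script into a relay.
    Kept here only to show the contrast; do not deploy this.
    """
    msg = email.message.EmailMessage()
    msg["From"] = SENDER
    msg["To"] = form["recipient"]          # attacker-controlled
    msg["Subject"] = "Web form submission"
    msg.set_content(_render_body(form))
    return msg


def resolve_recipient(alias):
    """Map a form-supplied alias to a configured address, or None."""
    return RECIPIENTS.get(alias)


def build_message(form):
    """The fixed pattern: the form names an alias, the script picks the address.

    `form` is a dict of field name -> value as a CGI script would receive it
    after parsing.  The only thing taken from the 'recipient' field is a key
    into RECIPIENTS; an unknown key is refused rather than forwarded.
    """
    alias = form.get("recipient", "")
    to_addr = resolve_recipient(alias)
    if to_addr is None:
        raise FormMailError("unknown recipient alias %r" % (alias,))
    msg = email.message.EmailMessage()
    msg["From"] = SENDER
    msg["To"] = to_addr                    # from our table, not the form
    msg["Subject"] = "Web form submission" # fixed text, not a form field
    msg.set_content(_render_body(form))
    return msg


def _render_body(form):
    """Put every submitted field except the alias into the message body."""
    return "\n".join(
        "%s: %s" % (name, value)
        for name, value in sorted(form.items())
        if name != "recipient"
    )


if __name__ == "__main__":
    # Constructed sample submissions.
    good = {"recipient": "author", "name": "Alice", "comment": "nice site"}
    spam = {"recipient": "victim@example.net", "comment": "buy now"}
    print(build_message(good))
    try:
        build_message(spam)
    except FormMailError as err:
        print("rejected:", err)
```

Sending would be a one-liner on the returned message (`smtplib.SMTP("localhost").send_message(msg)`); it is left out so the example runs without a mail server. The point is where the `To` header comes from: in `build_message` it can only ever be a value from `RECIPIENTS`, so even someone hosting their own copy of the form gets nothing but a rejection when they supply an address instead of an alias.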
