Re: Secure Form Script?
From: Michael Rice (michael_at_riceclan.org)
Date: 05/12/04
- Previous message: Peter H. Lemieux: "Re: Secure Form Script?"
- In reply to: Peter H. Lemieux: "Re: Secure Form Script?"
- Next in thread: Stephen Samuel: "Re: Secure Form Script?"
- Reply: Stephen Samuel: "Re: Secure Form Script?"
To: "Peter H. Lemieux" <phl@cyways.com>
Date: Wed, 12 May 2004 08:23:34 -0500
> Can someone point me to a discussion about the issues involved with
> hijacking web forms? In the applications I write, the destination address
> is usually stored on the server, either in the script itself, or in a
> configuration file, or in a database. I don't see how someone could use
> such a script to change the destination address and point it at a list
> of addresses belonging to spam victims.
It's usually not sufficient to store the To: addresses on the server
and/or obfuscate the parameters used for the other input fields.
Consider a form that constructs the email like:
Date: $local->date
From: $form->from
To: $local->to
Subject: $form->subject
$form->body
So, to hijack this form, I would construct a subject like:
$form->subject = Hi, I'm hijacking you\r\nFrom:
someplace@silly.or.annoying\r\nTo: whomever@i.want,
and@all.their.friends
Then your MTA does the rest.
The moral here is to always check your inputs.
-- Michael Rice <michael@riceclan.org>
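The injection Michael describes, worked through in Python as an added example (this is not code from the thread or from any form script of the participants). The field names mirror the $local->... and $form->... template in his post; the addresses, the date and the body are constructed sample data. The first builder concatenates headers exactly as the template does and lets a real mail parser show how many To: and From: headers an MTA would then see; the second builder rejects any control character in a request-supplied header value before the message is assembled.

```python
"""Header injection in a form-to-mail script, and the check that stops it.

Added example, not part of the original thread. Field names follow the
$local->... / $form->... template in the post; all addresses, the date
and the body are constructed sample values.
"""
import email
import email.message
import re
from dataclasses import dataclass


@dataclass
class Local:
    """Values the script controls (stored server-side): $local->... ."""
    date: str
    to: str


@dataclass
class Form:
    """Values taken straight from the HTTP request: $form->... ."""
    from_addr: str
    subject: str
    body: str


def build_message_naive(local: Local, form: Form) -> str:
    """Assemble the mail the way the template in the post does: header
    lines joined by CRLF, a blank line, then the body. Nothing checks the
    form values, so a CRLF inside $form->subject starts a new header line
    as far as the MTA is concerned."""
    return (
        f"Date: {local.date}\r\n"
        f"From: {form.from_addr}\r\n"
        f"To: {local.to}\r\n"
        f"Subject: {form.subject}\r\n"
        "\r\n"
        f"{form.body}\r\n"
    )


def mta_view(raw: str) -> dict:
    """Parse the assembled text with the standard library's mail parser and
    report every To: and From: header it finds, in order."""
    msg = email.message_from_string(raw)
    return {"to": msg.get_all("To") or [], "from": msg.get_all("From") or []}


# CR, LF and every other control character (tab included, since a tab is
# only legal as folding whitespace we never generate) is rejected outright.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def check_header_value(name: str, value: str) -> str:
    """Refuse a header value that could terminate the current header line."""
    if _CONTROL.search(value):
        raise ValueError(f"control character in {name} header value")
    return value


def build_message_safe(local: Local, form: Form) -> email.message.EmailMessage:
    """Same message, but each request-supplied header value is checked first
    and the headers are set through the email library instead of by string
    concatenation."""
    msg = email.message.EmailMessage()
    msg["Date"] = local.date
    msg["From"] = check_header_value("From", form.from_addr)
    msg["To"] = local.to
    msg["Subject"] = check_header_value("Subject", form.subject)
    msg.set_content(form.body)
    return msg


# Constructed sample data: the hijack from the post, with the two injected
# recipients on one line.
LOCAL = Local(date="Wed, 12 May 2004 08:23:34 -0500", to="owner@example.com")
HIJACK = Form(
    from_addr="visitor@example.net",
    subject="Hi, I'm hijacking you\r\nFrom: someplace@silly.or.annoying"
            "\r\nTo: whomever@i.want, and@all.their.friends",
    body="spam goes here",
)

if __name__ == "__main__":
    print(mta_view(build_message_naive(LOCAL, HIJACK)))
    try:
        build_message_safe(LOCAL, HIJACK)
    except ValueError as exc:
        print("rejected:", exc)
```

Run as a script, the naive builder yields a message with two To: and two From: headers, the second of each being the attacker's; the checked builder raises before any mail is built. The check is deliberately on the raw characters rather than on address syntax, because the point is that a header value must never contain a line break, whatever else it contains.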