Re: Secure Form Script?

• Previous message: Michael Rice: "Re: Secure Form Script?"
• In reply to: Michael Rice: "Re: Secure Form Script?"
• Next in thread: Geoffrey: "Re: Secure Form Script?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Thu, 13 May 2004 14:55:36 -0700
To: Michael Rice <michael@riceclan.org>, focus-linux@securityfocus.com

Why not just a form that accepts a subject, a sender email
and a text message, then mails that to a specific user.
Even if manage to hijack the fields due to improperly vetted
input, you'd still only end up with the input going to one
possible person (the recipient is specified on the (fixed))
sendmail commandline).

Michael Rice wrote:
>>Can someone point me to a discussion about the issues involved with
>>hijacking web forms? In the applications I write, the destination address
>>is usually stored on the server, either in the script itself, or in a
>>configuration file, or in a database. I don't see how someone could use
>>such a script to change the destination address and point it at a list
>>of addresses belonging to spam victims.
>
>
> It's usually not sufficient to store the to addresses on the server
> and/or obfuscate the parameters used for the other input fields.
>
>
> Consider a form that constructs the email like:
>
> Date: $local->date
> From: $form->from
> To: $local->to
> Subject: $form->subject
>
> $form->body
>
> So, to hijack this form, I would construct a subject like:

-- 
Stephen Samuel +1(604)876-0426                samuel@bcgreen.com
		   http://www.bcgreen.com/~samuel/
    Powerful committed communication. Transformation touching
      the jewel within each person and bringing it to light.

• Previous message: Michael Rice: "Re: Secure Form Script?"
• In reply to: Michael Rice: "Re: Secure Form Script?"
• Next in thread: Geoffrey: "Re: Secure Form Script?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]