Re: Secure Form Script?
From: Stephen Samuel (samuel_at_bcgreen.com)
Date: Thu, 13 May 2004 14:55:36 -0700 To: Michael Rice <email@example.com>, firstname.lastname@example.org
Why not just a form that accepts a subject, a sender email
and a text message, then mails that to a specific user.
Even if manage to hijack the fields due to improperly vetted
input, you'd still only end up with the input going to one
possible person (the recipient is specified on the (fixed))
Michael Rice wrote:
>>Can someone point me to a discussion about the issues involved with
>>hijacking web forms? In the applications I write, the destination address
>>is usually stored on the server, either in the script itself, or in a
>>configuration file, or in a database. I don't see how someone could use
>>such a script to change the destination address and point it at a list
>>of addresses belonging to spam victims.
> It's usually not sufficient to store the to addresses on the server
> and/or obfuscate the parameters used for the other input fields.
> Consider a form that constructs the email like:
> Date: $local->date
> From: $form->from
> To: $local->to
> Subject: $form->subject
> So, to hijack this form, I would construct a subject like:
-- Stephen Samuel +1(604)876-0426 email@example.com http://www.bcgreen.com/~samuel/ Powerful committed communication. Transformation touching the jewel within each person and bringing it to light.