RE: Secure Form Script?
From: Bryce Porter (bporter_at_heart.net)
Date: Fri, 14 May 2004 14:36:28 -0500 To: "Stephen Samuel" <email@example.com>, <firstname.lastname@example.org>
Or you can write your own script in Perl (or your language of choice)
that accepts a single To: parameter from an html form and runs the input
through a regular expression to "cleanse" the data. Then, perform the
actual sending using something like Net::SMTP, et. al. Never interface
directly with the sendmail binary, and never use a script that does. Let
me know if you need some help.
Heart Technologies, Inc.
309.633.2800 Technical Support
From: Stephen Samuel [mailto:email@example.com]
Sent: Thursday, May 13, 2004 4:56 PM
To: Michael Rice; firstname.lastname@example.org
Subject: Re: Secure Form Script?
Why not just a form that accepts a subject, a sender email
and a text message, then mails that to a specific user.
Even if manage to hijack the fields due to improperly vetted
input, you'd still only end up with the input going to one
possible person (the recipient is specified on the (fixed))
Michael Rice wrote:
>>Can someone point me to a discussion about the issues involved with
>>hijacking web forms? In the applications I write, the destination
>>is usually stored on the server, either in the script itself, or in a
>>configuration file, or in a database. I don't see how someone could
>>such a script to change the destination address and point it at a list
>>of addresses belonging to spam victims.
> It's usually not sufficient to store the to addresses on the server
> and/or obfuscate the parameters used for the other input fields.
> Consider a form that constructs the email like:
> Date: $local->date
> From: $form->from
> To: $local->to
> Subject: $form->subject
> So, to hijack this form, I would construct a subject like:
-- Stephen Samuel +1(604)876-0426 email@example.com http://www.bcgreen.com/~samuel/ Powerful committed communication. Transformation touching the jewel within each person and bringing it to light.