RE: Secure Form Script?
From: Bryce Porter (bporter_at_heart.net)
Date: 05/14/04
- Previous message: Stephen Samuel: "Re: Secure Form Script?"
- Maybe in reply to: Victor Daniel a.k.a the MacNut: "Secure Form Script?"
- Next in thread: Stephen Samuel: "Re: Secure Form Script?"
- Reply: Stephen Samuel: "Re: Secure Form Script?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 14 May 2004 14:36:28 -0500
To: "Stephen Samuel" <samuel@bcgreen.com>, <focus-linux@securityfocus.com>
Or you can write your own script in Perl (or your language of choice)
that accepts a single To: parameter from an HTML form and runs the input
through a regular expression to "cleanse" the data. Then, perform the
actual sending using something like Net::SMTP, et al. Never interface
directly with the sendmail binary, and never use a script that does. Let
me know if you need some help.
Regards,
Bryce Porter
Network Administrator
Heart Technologies, Inc.
bporter@heart.net
http://www.heart.net/
309.633.2800 Technical Support
309.634.2282 Direct
309.634.2382 Fax
-----Original Message-----
From: Stephen Samuel [mailto:samuel@bcgreen.com]
Sent: Thursday, May 13, 2004 4:56 PM
To: Michael Rice; focus-linux@securityfocus.com
Subject: Re: Secure Form Script?
Why not just a form that accepts a subject, a sender email
and a text message, then mails that to a specific user.
Even if you manage to hijack the fields due to improperly vetted
input, you'd still only end up with the input going to one
possible person (the recipient is specified on the (fixed)
sendmail commandline).
Michael Rice wrote:
>>Can someone point me to a discussion about the issues involved with
>>hijacking web forms? In the applications I write, the destination address
>>is usually stored on the server, either in the script itself, or in a
>>configuration file, or in a database. I don't see how someone could use
>>such a script to change the destination address and point it at a list
>>of addresses belonging to spam victims.
>
>
> It's usually not sufficient to store the to addresses on the server
> and/or obfuscate the parameters used for the other input fields.
>
>
> Consider a form that constructs the email like:
>
> Date: $local->date
> From: $form->from
> To: $local->to
> Subject: $form->subject
>
> $form->body
>
> So, to hijack this form, I would construct a subject like:
--
Stephen Samuel +1(604)876-0426 samuel@bcgreen.com
http://www.bcgreen.com/~samuel/
Powerful committed communication. Transformation touching
the jewel within each person and bringing it to light.
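As an added example (not code from this thread or from any of its posters), here is the shape of the form mailer being discussed, written in Python rather than Perl: every header-bound field from the form is checked against a strict regular expression before it is used, the recipient must match a server-side allow-list (Stephen's "fixed recipient" point), and delivery goes through an SMTP library rather than the sendmail binary (Bryce's point). The `ALLOWED_RECIPIENTS` set, the `example.invalid` addresses, the `SMTP_RELAY` host and the sample submissions are all constructed for this illustration.

```python
import re
import smtplib
from email.message import EmailMessage

# Constructed allow-list of recipients held on the server; a real deployment
# would load this from the script's configuration, never from the form.
ALLOWED_RECIPIENTS = {
    "sales@example.invalid",
    "support@example.invalid",
}

# Exactly one address: no angle brackets, commas, spaces or comments, so a
# second recipient cannot ride along inside the same field.
_ADDR_RE = re.compile(
    r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}"
)

# A header body may hold printable ASCII plus tab. CR and LF are excluded on
# purpose: a newline is what ends one header and starts the next, which is
# exactly how an extra recipient header gets smuggled in through a subject.
_HEADER_BODY_RE = re.compile(r"[\x20-\x7e\t]{0,200}")

SMTP_RELAY = "localhost"  # assumed local relay (constructed value)


class FormRejected(ValueError):
    """A field failed validation. The request is refused, not repaired."""


def clean_address(value: str, field: str) -> str:
    value = value.strip()
    # fullmatch, not match: "$" would accept a trailing newline.
    if not _ADDR_RE.fullmatch(value):
        raise FormRejected(f"{field}: malformed address")
    return value


def clean_recipient(value: str) -> str:
    addr = clean_address(value, "To").lower()
    if addr not in ALLOWED_RECIPIENTS:
        raise FormRejected("To: recipient is not on the server-side allow-list")
    return addr


def clean_header(value: str, field: str) -> str:
    if not _HEADER_BODY_RE.fullmatch(value):
        raise FormRejected(f"{field}: header body contains a forbidden character")
    return value.strip()


def build_message(form: dict) -> EmailMessage:
    """Validate every header-bound field, then let the email library build the message."""
    msg = EmailMessage()
    msg["From"] = clean_address(form.get("from", ""), "From")
    msg["To"] = clean_recipient(form.get("to", ""))
    msg["Subject"] = clean_header(form.get("subject", ""), "Subject")
    # The body is content, not a header: the library encodes it and smtplib
    # dot-stuffs it on the wire, so newlines in it cannot create headers.
    msg.set_content(form.get("body", ""))
    return msg


def validate_form(form: dict) -> tuple[bool, str]:
    """Non-raising wrapper: (True, '') when accepted, (False, reason) when refused."""
    try:
        build_message(form)
    except FormRejected as exc:
        return False, str(exc)
    return True, ""


def send(form: dict) -> None:
    """Hand a validated message to the relay over SMTP; no shell, no sendmail binary."""
    msg = build_message(form)
    with smtplib.SMTP(SMTP_RELAY) as smtp:
        smtp.send_message(msg)


# Constructed sample submissions: one honest, three that must be refused.
SAMPLE_FORMS = {
    "honest": {"to": "support@example.invalid", "from": "alice@example.invalid",
               "subject": "Question about my order", "body": "Hello,\n\nstill waiting."},
    "header_injection": {"to": "support@example.invalid", "from": "alice@example.invalid",
                         "subject": "Hi\r\nBcc: list@example.invalid", "body": "x"},
    "two_recipients": {"to": "support@example.invalid, other@example.invalid",
                       "from": "alice@example.invalid", "subject": "Hi", "body": "x"},
    "not_allowed": {"to": "victim@example.invalid", "from": "alice@example.invalid",
                    "subject": "Hi", "body": "x"},
}

if __name__ == "__main__":
    for name, form in SAMPLE_FORMS.items():
        ok, reason = validate_form(form)
        print(f"{name:18} -> {'accepted' if ok else 'rejected: ' + reason}")
```

The check is deliberately a reject-or-accept decision rather than a "cleanse" that strips bad characters and carries on: stripping invites encoding tricks that slip past the filter, whereas refusing any field that fails a narrow whitelist leaves nothing for the attacker to work with. Note that the regular expressions use `fullmatch`; with `match` and a trailing `$`, Python would accept a value ending in a single newline.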