[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-users] Dodgy formmail.pl?

Subject: Re: [cobalt-users] Dodgy formmail.pl?
From: Parker Morse <morse@xxxxxxxxxxx>
Date: Wed Jan 8 06:06:02 2003
List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>

On Wednesday, January 8, 2003, at 07:54  AM, Dan Kriwitsky wrote:

Are you sure the email address isn't specified in the form someplace so
that it can't be abused?

I'm sure Dan meant to say, the email address should be specified in theSCRIPT someplace so that it can't be abused. If the address is specifiedin the form, say as a value in a hidden field, an abuser could simplychange that address in their http request, right?


Judging from the posted script:

# 3) If you are using this CGI for multiple users you can specify who
#    the message should be sent to by adding a
#                <input type=hidden name="to"
value="your-email@xxxxxxxxxxx">
#                <input type=hidden name="redir"
value="http://www.thankspageURL";>
#

...that does look pretty insecure to me, yes, unless the script itself hasbeen rewritten specifically to ignore the "to" value handed in from thehttp request and use only its hardwired default.

pjm

Follow-Ups:
- RE: [cobalt-users] Dodgy formmail.pl?
  - From: Alfredo Musse T.
- RE: [cobalt-users] Dodgy formmail.pl?
  - From: Dan Kriwitsky

References:
- RE: [cobalt-users] Dodgy formmail.pl?
  - From: Dan Kriwitsky

Prev by Date: Re: [cobalt-users] DNS Serial Numbers
Next by Date: Re: [cobalt-users] DNS Serial Numbers
Previous by thread: RE: [cobalt-users] Dodgy formmail.pl?
Next by thread: RE: [cobalt-users] Dodgy formmail.pl?

Sun Cobalt Users Message Index

Sun Cobalt Users Thread Index