RE: [cobalt-users] Dodgy formmail.pl?
- Subject: RE: [cobalt-users] Dodgy formmail.pl?
- From: "Alfredo Musse T." <amusse@xxxxxxxxxxx>
- Date: Wed Jan 8 06:21:00 2003
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
Why don't you try to use BNBFORM.CGI?
http://www.bignosebird.com/carchive/bnbform.shtml
In the HTML form it uses a hidden field "submit_to" where you specify the email
address, but this script has an allowed domains feature, so that way nobody
outside your server can send email.
@okaydomains=("http://www.mediaim.com", "http://216.234.186.171")
Alfredo Musse T.
media improvement - solutions for the digital world
Telf. (511)562-0216
amusse@xxxxxxxxxxx
http://www.mediaim.com
-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx] On behalf of Parker Morse
Sent: Wednesday, 08 January 2003 09:02 a.m.
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-users] Dodgy formmail.pl?
On Wednesday, January 8, 2003, at 07:54 AM, Dan Kriwitsky wrote:
> Are you sure the email address isn't specified in the form someplace so
> that it can't be abused?
I'm sure Dan meant to say, the email address should be specified in the
SCRIPT someplace so that it can't be abused. If the address is specified
in the form, say as a value in a hidden field, an abuser could simply
change that address in their http request, right?
Judging from the posted script:
> # 3) If you are using this CGI for multiple users you can specify who
> # the message should be sent to by adding a
> # <input type=hidden name="to" value="your-email@xxxxxxxxxxx">
> # <input type=hidden name="redir" value="http://www.thankspageURL">
> #
...that does look pretty insecure to me, yes, unless the script itself has
been rewritten specifically to ignore the "to" value handed in from the
http request and use only its hardwired default.
pjm
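Putting the two suggestions in this thread together, as an added example that is neither the formmail.pl under discussion nor bignosebird's bnbform.cgi: a minimal Perl CGI handler whose recipient is hardwired in the script (any "to" field in the request is ignored), which checks the Referer against an @okaydomains list, and which additionally rejects CR/LF in the fields it copies into mail headers. $RECIPIENT, $SENDMAIL, the domain list and the field names are placeholders chosen for the example.

```perl
#!/usr/bin/perl -T
# Added example, not the list's formmail.pl or bignosebird's bnbform.cgi.
# $RECIPIENT, $SENDMAIL and @okaydomains are placeholder values to adapt.
use strict;
use warnings;
use CGI;

$ENV{PATH} = '/usr/sbin:/bin';             # taint mode needs a clean PATH

# The destination address lives only in the script: a "to" field in the
# form (or in the request) is never consulted, so it cannot be rewritten.
my $RECIPIENT   = 'webmaster@example.com';
my $SENDMAIL    = '/usr/sbin/sendmail';
# Origins whose forms may post here, as in bnbform's allowed-domains idea.
my @okaydomains = ('http://www.example.com', 'http://203.0.113.10');

# True when the Referer is exactly an allowed origin or a path under it;
# a plain prefix test would also accept http://www.example.com.evil.net.
sub referer_ok {
    my ($referer) = @_;
    return 0 unless defined $referer;
    for my $ok (@okaydomains) {
        return 1 if $referer =~ m{^\Q$ok\E(?:/|\z)};
    }
    return 0;
}

# Values that end up in mail headers must not contain CR or LF, otherwise
# the poster can append header lines (extra recipients) of their own.
sub header_safe {
    my ($v) = @_;
    return defined $v && $v !~ /[\r\n]/;
}

my $q = CGI->new;
unless (referer_ok($ENV{HTTP_REFERER})) {
    print $q->header(-status => '403 Forbidden'), "Form not accepted.\n";
    exit;
}
my $from    = scalar($q->param('email'))   || '';
my $subject = scalar($q->param('subject')) || 'Web form';
my $body    = scalar($q->param('message')) || '';
unless (header_safe($from) && header_safe($subject)) {
    print $q->header(-status => '400 Bad Request'), "Bad header field.\n";
    exit;
}
open(my $mail, '|-', $SENDMAIL, '-oi', '-t') or die "cannot run sendmail: $!";
print $mail "To: $RECIPIENT\nFrom: $from\nSubject: $subject\n\n$body\n";
close($mail) or die "sendmail failed: $?";
print $q->header, "Thank you, your message was sent.\n";
```

The Referer is supplied by the client, so the domain check only deters untargeted abuse; the hardwired recipient is what actually stops the script being used as a relay.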
_____________________________________
cobalt-users mailing list
cobalt-users@xxxxxxxxxxxxxxx
To subscribe/unsubscribe, or to SEARCH THE ARCHIVES, go to:
http://list.cobalt.com/mailman/listinfo/cobalt-users