[ic] Mail forms under attack!!

maillists lists at gmnet.net
Fri Jan 20 00:13:21 EST 2006


On Thu, 2006-01-19 at 22:48 -0500, Daniel Davenport wrote:
> 
> Also keep in mind, any form mailer that has the "To" address in a CGI
> field is by its very nature prone to abuse.  The destination address
> should _never_ be directly settable by the user; if you must make the
> address selectable, at least check it against a short list of allowed
> recipients.
> 
> For reference....just because the field is hidden in a form, that
> doesn't mean that it can't be set at will by a hacker or by a bot
> designed to abuse email-us pages.  If you already know who the email
> will go to, it's better to set the address as a scratch variable -- or
> even hard-code it into the page -- than to allow Joe User the chance to
> hijack your contact form.
> 
> I haven't seen the form in question, so this is all just a cautionary
> note.  I've just seen way too many form mailers and contact pages that
> had similar weaknesses.
> 
> --
> Daniel Davenport
> New Age Digital
> http://www.newagedigital.com


Thanks so much EVERYBODY for helping with this. I'm pretty sure that I
have it fixed! (fingers crossed) And again, I sincerely apologize if any of
you were hit with spam from my server.  As it turns out, I'm fairly
certain that it was not IC at all, but a PHP contact form! (I will no
longer host postnuke sites, only IC or static html!)

Anyway, I think it is in line that I submit to a jury of my peers (IC
List -- even though I am only a glorified newbie) as to what my sentence
should be for being a bad host! Community service? Adopt a website? Free
hosting for some time to a non-profit? I await your verdict... :)

Thanks ICDevGroup and List Users!
Rick
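Daniel's point above, the recipient taken from a (hidden) form field versus a server-side allowlist, as a worked example. This is added here and is not code from the thread, from Interchange, or from the PHP form that was abused; it is written in Python so it can be run directly. The field names (`to`, `dept`, `name`, `message`), the addresses and the two sample POST bodies are all constructed for the demonstration. It only builds the message; nothing is sent.

```python
"""Form mailer recipient handling: the weak pattern beside the fix.

Constructed example for the "Mail forms under attack" thread; not code from
Interchange, postnuke, or either poster. Field names, addresses and the
sample POST bodies are made up.
"""
from email.message import EmailMessage
from urllib.parse import parse_qs

# Server-side allowlist of contact addresses (assumed; example.com is reserved).
ALLOWED_RECIPIENTS = {
    "sales": "sales@example.com",
    "support": "support@example.com",
}
SENDER = "webform@example.com"


def parse_post_body(body):
    """Decode an application/x-www-form-urlencoded body into a flat dict.

    A hidden <input> is nothing more than another name=value pair here, so a
    bot can set it to any value exactly as easily as a visible field.
    """
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def build_message_vulnerable(form):
    """Weak pattern: the destination address comes straight from the form."""
    msg = EmailMessage()
    msg["To"] = form["to"]  # attacker-controlled: this is the relay hole
    msg["From"] = SENDER
    msg["Subject"] = "Website contact form"
    msg.set_content(f"From: {form.get('name', '')}\n\n{form.get('message', '')}")
    return msg


def build_message_hardened(form):
    """Fixed pattern: the user picks a short key, never an address.

    The key is resolved against ALLOWED_RECIPIENTS on the server and anything
    else is refused rather than mailed. Any 'to' field in the submission is
    ignored. With a single recipient, drop the field and hard-code the address.
    """
    dept = form.get("dept", "")
    if dept not in ALLOWED_RECIPIENTS:
        raise ValueError(f"refusing unknown recipient key {dept!r}")
    msg = EmailMessage()
    msg["To"] = ALLOWED_RECIPIENTS[dept]
    msg["From"] = SENDER
    msg["Subject"] = "Website contact form"
    msg.set_content(f"From: {form.get('name', '')}\n\n{form.get('message', '')}")
    return msg


def compare(body):
    """Run both builders on one raw POST body.

    Returns (recipient chosen by the vulnerable mailer,
             recipient chosen by the hardened mailer, or None if it refused).
    """
    form = parse_post_body(body)
    vuln_to = str(build_message_vulnerable(form)["To"])
    try:
        hardened_to = str(build_message_hardened(form)["To"])
    except ValueError:
        hardened_to = None
    return vuln_to, hardened_to


# Constructed sample submissions: a bot overriding the hidden 'to' field, and
# a legitimate visitor who picked "support" from a <select>.
SPAM_BODY = "to=victim%40example.net&dept=victim%40example.net&name=bot&message=buy+now"
GOOD_BODY = "to=support%40example.com&dept=support&name=Alice&message=hello"

if __name__ == "__main__":
    print("spam submission:", compare(SPAM_BODY))
    print("good submission:", compare(GOOD_BODY))
```

The spam body is the case Daniel describes: the vulnerable mailer happily addresses the message to whatever the bot put in the hidden field, while the hardened mailer refuses because the value is not one of its known keys. The good body shows the allowlist path still works for a real visitor.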

More information about the interchange-users mailing list