Posted by J.O. Aho on 02/28/07 18:25
rcoan@chaparralboats.com wrote:
>>> You form as it stands can
>>> be used to spam anyone.
>
> Actually I don't really see a way of it being used to send spam to
> anyone really. Unless they actually key in the query string. The
> email address that's being passed via the query string is from a
> database of email addresses that are location specific. In other
> words these people are expecting the emails and for there to be some
> junk mail possibly. So I'm not too worried about the spam issue as of
> right now but I will keep an eye out for it. Thanks.
The problem is that if you allow people to send a "From" address with the form,
as there isn't any real from argument in the mail function, you are
instead using the mail header directly, and then you can add other things
like bcc/cc to the header and that way send out mail to more than one
person at a time.
It doesn't hurt to check all variables used in the mail function; if
you detect header injection, then abort the mailing (an easy check is to
compare the size of the variable before and after removing all \r\n; if
they are the same, no header injection was attempted, otherwise it's an attempt to spam).
--
//Aho
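The size-before/size-after check described above, implemented on the defending side as an added example (this is not code from the original thread); the function names and the field names are assumptions.

```php
<?php
// Added example, not from the original post: apply the "strip \r\n and
// compare lengths" check to every user-supplied value that ends up in
// the additional_headers argument of mail().

/**
 * Returns true when $value contains a CR or LF, i.e. when a header
 * injection attempt is likely. Removing "\r" and "\n" and comparing
 * the resulting length with the original is the check from the post.
 */
function hasHeaderInjection(string $value): bool
{
    $stripped = str_replace(["\r", "\n"], '', $value);
    return strlen($stripped) !== strlen($value);
}

/**
 * Builds and sends the message only if none of the header-bound inputs
 * contain line breaks. Returns false (and sends nothing) otherwise.
 */
function sendContactMail(string $to, string $from, string $subject, string $body): bool
{
    // Every value interpolated into a header line must be checked; the
    // body may legitimately contain newlines and is left alone.
    foreach ([$to, $from, $subject] as $field) {
        if (hasHeaderInjection($field)) {
            return false; // abort: extra Bcc/Cc lines could be smuggled in
        }
    }
    // Additional sanity check on the addresses beyond the CRLF test.
    if (!filter_var($to, FILTER_VALIDATE_EMAIL) || !filter_var($from, FILTER_VALIDATE_EMAIL)) {
        return false;
    }
    $headers = "From: " . $from . "\r\n"
             . "Reply-To: " . $from . "\r\n"
             . "X-Mailer: PHP/" . phpversion();
    return mail($to, $subject, $body, $headers);
}

// Constructed sample inputs: the second value carries the kind of line
// break used to append an extra header, so the check must flag it.
var_dump(hasHeaderInjection("alice@example.com"));
var_dump(hasHeaderInjection("alice@example.com\r\nBcc: someone@example.net"));
```

Only the header-bound fields are rejected on CRLF; the message body is allowed to keep its line breaks.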