|
|
Posted by Curt Zirzow on 11/04/05 22:52
On Thu, 03 Nov 2005 21:17:39 -0500, John Taylor-Johnston wrote:
> Ok, you are all used to working with register_gloabsl=off.
>
> mail($to, stripslashes($subject), wordwrap($message, 60), "From:
> $from\r\n");
>
> I change this line to:
>
> mail($to, stripslashes($_POST["subject"]), wordwrap($_POST["message"],
> 60), "From: $_POST["from"]\r\n");
You do realize you have an open relay. I can send in the post data:
&subject=I%20Love%20Your&from=something\r\nBCC:moreaddresses&message=a_mime_encoded_virus
Dont trust tainted variables, you should really fix that.
Curt.
--
http://news.zirzow.dyndns.org/
Navigation:
[Reply to this message]
|