Posted by Kim André Akerø on 09/27/70 11:34
Erwin Moller wrote:
> xmp333@yahoo.com wrote:
>
> > Hello,
> >
> >
> > A spammer is apparently using email injection on my form; however,
> > I thought email injection requires manipulation of the headers
> > parameter in mail(), and I'm not using that parameter. My mail call
> > looks like:
> >
> > mail($to,$subj,$body)
> >
> > So how is the spammer getting me? Is mail() translating to a raw
> > stream so that headers can be inserted in the body, or is there some
> > kind of buffer overflow that can be exploited? Since I'm using
> > dynamic variables, I can't see how this would occur, but then I'm
> > no PHP expert.
> >
> > Any help would be greatly appreciated. I know beefing up input
> > validation should take care of this, but I want to understand what
> > the spammer is doing so I can reproduce and validate this fix.
> >
>
> Hi,
>
> Log $to, $subj, $body somewhere (flatfile or database).
> Check after spamming what the spammer did.
And while you're at it, don't forget to include the IP address of the
offender as well (environmental variable REMOTE_ADDR).
--
Kim André Akerø
- kimandre@NOSPAMbetadome.com
(remove NOSPAM to contact me directly)
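As an added example (not code from anyone in this thread), a wrapper that applies the advice above: it logs `$to`, `$subj`, `$body` and `REMOTE_ADDR` before every send, and flags the one thing worth looking for in that log, since `mail()` places `$to` and `$subject` into the message headers even when the headers parameter is never used. The function name and log path are assumptions.

```php
<?php
// Added example, not from the thread: log the arguments of every mail()
// call together with the caller's IP, then send only if nothing looks like
// a header injection attempt. Function name and log path are assumptions.

function log_and_mail(string $to, string $subj, string $body,
                      string $logfile = '/var/log/form-mail.log'): bool
{
    // REMOTE_ADDR as suggested in the reply; absent when run from the CLI.
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'cli';

    // Detection: $to and $subject end up in the message headers, so a CR or
    // LF in either field lets extra headers (Cc:, Bcc:, ...) be appended
    // without touching mail()'s headers parameter.
    $suspicious = (bool) preg_match('/[\r\n]/', $to . $subj);

    $entry = [
        'time'       => date('c'),
        'ip'         => $ip,
        'to'         => $to,
        'subj'       => $subj,
        'body'       => $body,
        'suspicious' => $suspicious,
    ];
    // One JSON object per line keeps embedded newlines in the fields from
    // breaking the log; invalid UTF-8 is substituted rather than dropped.
    $line = json_encode($entry, JSON_INVALID_UTF8_SUBSTITUTE) . PHP_EOL;
    file_put_contents($logfile, $line, FILE_APPEND | LOCK_EX);

    // Mitigation: refuse to send anything carrying header-breaking characters
    // or an address that is not a single valid mailbox.
    if ($suspicious || filter_var($to, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    return mail($to, $subj, $body);
}
```

Entries with `"suspicious": true` in the log show exactly what the spammer submitted, which is what the original poster wanted to reproduce.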