Posted by Anze on 03/19/07 13:47

> Then create the"email.php" page, for which it wouldn't be a lot different
> from:
>
> <?php
> $email = $_POST['email'];
> $url = $_POST['url'];
> $headers = "From: info@mycompany.com \r\n";
> $headers.= "Content-Type: text/html; charset=ISO-8859-1 ";
> $headers.= "MIME-Version: 1.0 ";
> $body = "Check out this website\r\n";
> $body.= $url;
> $body = "Thanks\r\n";
> $body = "From ...\r\n";
> mail($email, "Check out this page", $body, $headers);
> ?>

....and please let me know where your page is on the Internet so I can send
unlimited spam over your script!!!!! :)

Seriously: don't use this answer unless you know how to secure the
script!!!!!!! There are spam bots cruising on the internet just searching
for script with this exact vulnerability. Your provider will get very angry
at you sooner or later (usually sooner ;).

You should always check user input (there was some "emailvalidation.php"
class by Lemos that checks e-mails). And of course, anyone could set most
of the body of the e-mail to pretty much anything (through $_POST['url']).

Hint: search google for "mail header injection".

I hate spam. :)

Anze

[Back to original message]