Posted by Curt Zirzow on 11/04/05 22:52
On Thu, 03 Nov 2005 21:17:39 -0500, John Taylor-Johnston wrote:
> Ok, you are all used to working with register_globals=off.
>
> mail($to, stripslashes($subject), wordwrap($message, 60), "From:
> $from\r\n");
>
> I change this line to:
>
> mail($to, stripslashes($_POST["subject"]), wordwrap($_POST["message"],
> 60), "From: $_POST["from"]\r\n");

You do realize you have an open relay. I can send in the post data:

&subject=I%20Love%20Your&from=something\r\nBCC:moreaddresses&message=a_mime_encoded_virus

Don't trust tainted variables, you should really fix that.

Curt.
--
http://news.zirzow.dyndns.org/
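
An added example, not part of the original post: one way to stop the From and Subject fields from carrying extra header lines such as the BCC shown in the post data above. The helper names `clean_header_value()` and `build_mail_args()` and the fixed recipient address are assumptions made for illustration.

```php
<?php
// Added example: refuse request fields that would inject mail headers.
// clean_header_value() and build_mail_args() are hypothetical helper names.

function clean_header_value(string $value): ?string
{
    // Any CR, LF or NUL lets the sender start a new header line.
    if (preg_match('/[\r\n\0]/', $value)) {
        return null;
    }
    return trim($value);
}

function build_mail_args(array $post): ?array
{
    $from    = clean_header_value($post['from'] ?? '');
    $subject = clean_header_value($post['subject'] ?? '');
    if ($from === null || $subject === null) {
        return null;
    }
    // The From value must also be one syntactically valid address.
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Line breaks are legitimate in the body, so it is only wrapped.
    $message = wordwrap((string)($post['message'] ?? ''), 60);
    return [$subject, $message, "From: $from\r\n"];
}

// Constructed inputs: the first mirrors the post data quoted above.
$samples = [
    ['subject' => 'I Love Your', 'from' => "something\r\nBCC:moreaddresses", 'message' => 'x'],
    ['subject' => 'Hello', 'from' => 'user@example.com', 'message' => 'A normal message.'],
];

foreach ($samples as $post) {
    $args = build_mail_args($post);
    if ($args === null) {
        echo "rejected: ", json_encode($post['from']), "\n";
        continue;
    }
    // The recipient is fixed by the application, never taken from the request.
    // mail('webmaster@example.com', ...$args);
    echo "accepted: ", json_encode($args[2]), "\n";
}
```

The `mail()` call is commented out so the script runs offline; the recipient stays a constant so the form cannot be pointed at arbitrary addresses.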