Reply to Re: [PHP] XSS via curl

Your name:

Reply:


Posted by Chris Shiflett on 10/03/77 11:33

Sandy Keathley wrote:
> My company uses a home-grown formmail script for clients
> <groan>, and someone is using curl to inject HTTP headers
> and spam email addresses, and turn it into an open relay.
> Yes, I know the right answer is to not use a formmail,
> but I don't make the rules here.
>
> Is there a way to detect that a script is being accessed
> by curl, and not by a browser?

It sounds like you have a PHP script with a security vulnerability, and
you think that restricting what the client uses to request the script is
going to fix it. This is not a good approach. Just fix the problem. :-)

For example, filter the data you receive from the client before passing
it as arguments to the mail() function.

Hope that helps.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

[Back to original message]


Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация