Reply to Re: Email Injection w/ Out Header?

Posted by xmp333 on 10/25/56 11:34

Gordon Burditt wrote:

> Are the contents of $to and $subj in any way whatever dependent
> on form input? Is there any way either of those variables could
> be made to contain a newline or carriage return? If so, that's
> how they are doing it. Remember, the spammer NEED NOT use your
> form so any Javascript checking is useless.
>
> Look at the headers of any mail message, and consider what
> happens if $subj = "Make Money fast\r\nCc: spamee@aol.com".
>
> Gordon L. Burditt

$to is not dependent on form input, but $subj is. This explains it --
I wanted to make sure because all the information I found on email
injection stated the header was used to manipulate the form. However,
knowing what I know of mail() and Unix in general, it seemed possible
to inject arbitrary headers elsewhere if the parameters were simply
appended and the call translated to a raw text stream anyway, which
looks like the case.

Thanks.
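
An added example, not part of the original post or thread: it models a mailer that appends its parameters into one raw header stream, as the post describes, and shows a server-side CR/LF check on the subject using the value quoted above. The helpers `build_raw_headers()`, `header_names()` and `safe_header_value()` and the address `webmaster@example.com` are hypothetical, and no mail is sent.

```php
<?php
// Added illustration; build_raw_headers(), header_names() and
// safe_header_value() are hypothetical helpers, not part of PHP
// or of the poster's script.

// Models a mailer that simply appends its parameters into one raw text
// stream, which is the behaviour the post describes. It sends nothing.
function build_raw_headers(string $to, string $subj): string
{
    return "To: $to\r\nSubject: $subj\r\n";
}

// Split a raw header block into the header names a mail server would see.
function header_names(string $raw): array
{
    $names = [];
    foreach (preg_split('/\r\n|\r|\n/', $raw, -1, PREG_SPLIT_NO_EMPTY) as $line) {
        if (preg_match('/^([A-Za-z0-9-]+):/', $line, $m)) {
            $names[] = $m[1];
        }
    }
    return $names;
}

// Server-side check: a single-line header value must contain no CR or LF.
// Rejecting (instead of stripping) keeps the attempt visible in logs.
function safe_header_value(string $value): string
{
    if (preg_match('/[\r\n]/', $value)) {
        throw new InvalidArgumentException('CR/LF in header value');
    }
    return $value;
}

$to = 'webmaster@example.com';                 // fixed, not taken from the form
$subjects = [
    'Question about my order',                  // constructed benign input
    "Make Money fast\r\nCc: spamee@aol.com",    // value quoted in the thread
];

foreach ($subjects as $subj) {
    // Unchecked path: whatever the form sent reaches the header block.
    echo 'unchecked: ', implode(', ', header_names(build_raw_headers($to, $subj))), "\n";
    try {
        $raw = build_raw_headers($to, safe_header_value($subj));
        echo 'checked:   ', implode(', ', header_names($raw)), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'checked:   rejected (', $e->getMessage(), ")\n";
    }
}
```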
