Re: query string passing woes........ help... please....



rcoan@xxxxxxxxxxxxxxxxxx wrote:
>> Your form as it stands can
>> be used to spam anyone.

> Actually I don't really see a way of it being used to send spam to
> anyone really. Unless they actually key in the query string. The
> email address that's being passed via the query string is from a
> database of email addresses that are location specific. In other
> words these people are expecting the emails and for there to be some
> junk mail possibly. So I'm not too worried about the spam issue as of
> right now but I will keep an eye out for it. Thanks.

The problem is if you allow people to send a "From" address with the form,
as there isn't any real from argument in the mail function, you are
instead using the mail header directly and then you can add other things
like bcc/cc to the header and that way send out mail to more than one
person at a time.

It doesn't hurt to check all variables used in the mail function; if
header injection is detected, then abort the mailing (an easy check is to
compare the size of the variable before and after removing all \r\n; if
the same, no header injection was attempted, otherwise it's an attempt to spam).


--

//Aho
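The check Aho describes, written out as an added PHP example that is not part of the original thread: every field that ends up in a mail header is stripped of CR/LF and the length compared, and the mailing is aborted if the length changed. The function names (header_is_clean, send_form_mail), the hypothetical form fields and the sample inputs are assumptions made for this example; the recipient address is assumed to come from the site's own address database as the poster says, never from the request.

```php
<?php
// Added example, not code from the original post.
// Rejects any header-bound form field that carries a newline before it
// reaches mail(), using the length comparison described above.

/**
 * True when $value contains no \r or \n, i.e. it can only ever occupy a
 * single header line and cannot append Bcc:/Cc: lines of its own.
 */
function header_is_clean(string $value): bool
{
    // Remove every CR and LF, then compare sizes: a changed size means a
    // newline was present and a header injection was attempted.
    $stripped = str_replace(["\r", "\n"], '', $value);
    return strlen($stripped) === strlen($value);
}

/**
 * Sends the form mail only if every field that goes into a header is clean.
 * $to is the address from the site's own database (an assumption), so only
 * the user-supplied From and Subject are checked here. Returns true when
 * mail() accepted the message, false when the mailing was aborted.
 */
function send_form_mail(string $to, string $from, string $subject, string $body): bool
{
    foreach (['From' => $from, 'Subject' => $subject] as $field => $value) {
        if (!header_is_clean($value)) {
            // Abort rather than send; a site would log this and show an error.
            error_log("Aborting mail: newline found in $field field");
            return false;
        }
    }

    // A syntactically invalid From address is rejected as well.
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        error_log('Aborting mail: From is not a valid address');
        return false;
    }

    // Only now is the user value placed into the header string.
    $headers = "From: $from\r\n";
    return mail($to, $subject, $body, $headers);
}

// Constructed sample inputs (hypothetical addresses):
$clean    = 'sender@example.invalid';
$injected = "sender@example.invalid\r\nBcc: other@example.invalid";

var_dump(header_is_clean($clean));     // single line, passes the check
var_dump(header_is_clean($injected));  // contains CR/LF, fails the check
```

The same test can be applied to every value handed to mail(), including the recipient and subject; the From field is singled out above only because the thread's concern is the user-supplied From header.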