Myreader.co.uk  
uk news, chat and community
   home   |   control panel login   |   archive   |  
 
net
net
news.announce
news.config
news.management
news.moderation
providers
providers.aaisp
web.authoring
  
 
date: Fri, 02 May 2008 09:15:08 +0100,    group: uk.net.web.authoring        back       
Re: Huge bandwidth increase with no sensible reason    
Tony  wrote:
> We also have a web form sending mail to us via a script.  We normally
> see a certain amount of attempts to inject using that but I think
> (!) it is secure as the To address is hard coded.

That doesn't mean it's secure. What can matter is /how/ the "To" address
is hard-coded (i.e. message envelope or message headers).

The usual way of breaking a form/mail script is to inject a sender
email address that contains a newline followed by a legitimate "To:"
header. If the form/mail script is configured then to send its email by
reading the resulting mail message headers instead of using a hard-coded
envelope address then you've got a successful attack vector.

If you use the NMS formmail script I'll accept that it's secure.
Otherwise all bets are off.

Chris
date: Fri, 02 May 2008 09:15:08 +0100   author:   Chris Davies

Google
 
Web myreader.co.uk


    COPYRIGHT 2007, YARDI TECHNOLOGY LIMITED, ALL RIGHT RESERVE  |   contact us