Bugtraq mailing list archives
Re: CORRECTION to CODE: FormMail.pl can be used to send anonymous email
From: Steffen Dettmer <steffen () dett de>
Date: Mon, 12 Mar 2001 11:13:18 +0100
* Joel Sing wrote on Mon, Mar 12, 2001 at 15:05 +1100:
> In any case it wouldn't be difficult to send a fake referer as it's only an HTTP request header and the server is only believing what the client is telling it. Write a simple Perl script that sends a manipulated GET request with a fake referer header and you have yourself a nice spam mailer... :(
Yes, and because of that this is not a fix. It's stupid to rely on data from an untrusted client. The email destination address should not be taken from the client but configured locally only (or maybe signed).

I often see such "solutions"; it's a generic problem. Some CGI scripts send unsecured data they will need later in a form (as HIDDEN fields or so), and _rely_ on that data.

A simple solution could be: concatenate all security-relevant fields in the CGI script, add a secret phrase, and hash it (with MD5 or so). Transfer that hash as a HIDDEN field too. If the CGI gets a request with filled fields, it hashes the HIDDEN fields (normally they cannot get modified) after concatenating them and appending the secret, and compares the hash with the value from the hidden field. I don't know how secure that is, but I think it's not trivial to break.

oki,

Steffen

--
This message was generated by machine and therefore bears neither signature nor seal.
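The hidden-field integrity check sketched above, as an added example that is not code from the thread or from FormMail.pl: HMAC-SHA256 stands in for "MD5 of fields plus secret phrase", each value is length-prefixed so that concatenation is unambiguous, and the field names, the secret and the sample values are assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Server-side secret: loaded from local configuration in practice, never sent
# to the client. Constructed placeholder value for this example.
SERVER_SECRET = b"replace-with-a-long-random-secret"

# Hidden fields whose values the script later relies on (assumed names).
PROTECTED_FIELDS = ("recipient", "subject", "redirect")


def canonical(fields):
    """Serialise the protected fields unambiguously: plain concatenation would
    let 'ab'+'c' and 'a'+'bc' collide, so each value is length-prefixed."""
    parts = []
    for name in PROTECTED_FIELDS:
        value = fields.get(name, "").encode("utf-8")
        parts.append(name.encode() + b":" + str(len(value)).encode() + b":" + value)
    return b"\n".join(parts)


def sign_fields(fields, secret=SERVER_SECRET):
    """MAC over the protected fields, emitted as the hidden 'sig' field.
    HMAC-SHA256 replaces the post's 'hash of fields plus secret phrase'."""
    return hmac.new(secret, canonical(fields), hashlib.sha256).hexdigest()


def render_hidden_inputs(fields, secret=SERVER_SECRET):
    """Form body the generating CGI would embed as hidden inputs."""
    signed = {name: fields.get(name, "") for name in PROTECTED_FIELDS}
    signed["sig"] = sign_fields(signed, secret)
    return urlencode(signed)


def verify_submission(body, secret=SERVER_SECRET):
    """Parse a submitted form body and check 'sig' against the recomputed MAC.
    Returns the trusted fields, or None if any protected value was altered."""
    parsed = parse_qs(body, keep_blank_values=True)
    fields = {k: v[0] for k, v in parsed.items()}
    expected = sign_fields(fields, secret)
    if not hmac.compare_digest(fields.get("sig", ""), expected):
        return None
    return {name: fields.get(name, "") for name in PROTECTED_FIELDS}
```

A client can still read the hidden values, so this protects integrity only; anything that must stay secret, or the recipient address itself, still belongs in local configuration rather than in the form.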
Current thread:
- CORRECTION to CODE: FormMail.pl can be used to send anonymous email Michael Rawls (Mar 11)
- Re: CORRECTION to CODE: FormMail.pl can be used to send anonymous email Palmans Pepijn (Mar 12)
- Re: CORRECTION to CODE: FormMail.pl can be used to send anonymous email Joel Sing (Mar 12)
- Re: CORRECTION to CODE: FormMail.pl can be used to send anonymous email Steffen Dettmer (Mar 12)
- Re: CORRECTION to CODE: FormMail.pl can be used to send anonymous email Steve Reid (Mar 13)
- Re: CORRECTION to CODE: FormMail.pl can be used to send anonymous email Scott Buchanan (Mar 12)
- Re: CORRECTION to CODE: FormMail.pl can be used to send anonymous email Scott Buchanan (Mar 13)
- Re: CORRECTION to CODE: FormMail.pl can be used to send anonymous email Steve Reid (Mar 12)