--- Marty Landman <[EMAIL PROTECTED]> wrote:
> > ...
> > check the referer, that's no protection either! An
> > experienced programmer can easily use Perl's LWP
> > module or its equivalent in some other language to
> > make the request with a faked referer variable. So
> > really, POST variables are no more secure than GET
> > variables, it just takes a little more doing to fake
> > them.
>
> Didn't realize this. What exactly is the right
> procedure then to safeguard scripts such as
> formmailers from being hijacked?
--- Marty Landman <[EMAIL PROTECTED]> wrote:
> Didn't realize this. What exactly is the right
> procedure then to safeguard scripts such as
> formmailers from being hijacked?

Not sure if there is a way. We had a big discussion a few weeks back about a certain classic form mailer script (and let's not resurrect it please!), and from what I could tell, one of the improvements made by the recommended replacement was that it put a limit on the number of simultaneous target addresses, to prevent spamming. This makes me think there's really no way to enforce who is calling you. But I don't know that for sure.

Ovid's point a few messages ago that you shouldn't trust anything outside your own box also seems relevant.

Anyone with more security experience want to take a crack at this? (Where's that guy who flamed me last year when I need him? :-)

- John

=====
"Now it's over, I'm dead, and I haven't done anything that I want; or, I'm still alive, and there's nothing I want to do." - They Might Be Giants, http://www.tmbg.com
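The question the thread leaves open, how a formmailer can avoid being turned into a spam relay when neither the Referer header nor POST-vs-GET tells you anything about the caller, as an added worked example that is not part of this thread or of any script it mentions. It is written in Python rather than the Perl the list discusses so the checks can be read without CGI.pm details; the secret, the recipient table, the recipient cap, the token lifetime and the sample form fields are all constructed for the example. The design follows John's conclusion rather than fighting it: the script never tries to identify who is posting. Instead it (a) takes destination addresses only from a server-side table, selected by key, so a free-form "recipient" field can never route mail to an address the site owner did not list; (b) caps how many of those destinations one submission may reach; (c) rejects CR/LF in anything that becomes a mail header, since a line break in "Subject" is how extra Bcc: lines get injected; and (d) requires an HMAC-signed, time-limited token that was embedded in the served form. The token proves only that our form was fetched recently, not who fetched it (LWP can fetch it too), so it is a rate limiter on abuse, not authentication.

```python
import hmac
import hashlib
import re
import time
from email.message import EmailMessage

# Constructed settings for the example: a server-side secret and the only
# destinations this script will ever deliver to, looked up by short key.
SECRET = b"replace-with-a-long-random-secret"
ALLOWED_RECIPIENTS = {
    "sales": "sales@example.com",
    "support": "support@example.com",
    "webmaster": "webmaster@example.com",
}
MAX_RECIPIENTS = 2        # one submission may reach at most this many addresses
TOKEN_TTL = 15 * 60       # a form token is accepted for 15 minutes

# A CR or LF inside a header value starts a new header line, which is how a
# single "Subject" field becomes "Subject: x\r\nBcc: victim@...".
_HEADER_BREAK = re.compile(r"[\r\n]")


class RejectedSubmission(ValueError):
    """Raised for any submission the handler refuses to mail."""


def issue_token(now=None):
    """Value for a hidden <input> when the form page is served."""
    ts = str(int(now if now is not None else time.time()))
    sig = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{sig}"


def verify_token(token, now=None):
    """True only if we minted this token and it has not expired."""
    try:
        ts, sig = token.split(".", 1)
        issued = int(ts)
    except (AttributeError, ValueError):
        return False
    expected = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False
    now = now if now is not None else time.time()
    return 0 <= now - issued <= TOKEN_TTL


def _header_value(form, field, required=True):
    """Fetch a field destined for a mail header, refusing line breaks."""
    value = (form.get(field) or "").strip()
    if required and not value:
        raise RejectedSubmission(f"missing field: {field}")
    if _HEADER_BREAK.search(value):
        raise RejectedSubmission(f"line break in header field: {field}")
    return value


def build_message(form, now=None):
    """Turn a submitted form (dict of field -> str) into an EmailMessage.

    The Referer header is deliberately never consulted; a client controls it.
    What is enforced: a token we issued recently, recipients chosen from our
    table by key (never an address the client typed), and a recipient cap.
    """
    if not verify_token(form.get("token"), now):
        raise RejectedSubmission("missing, forged or expired form token")

    keys = [k.strip() for k in (form.get("recipient") or "").split(",") if k.strip()]
    if not keys:
        raise RejectedSubmission("no recipient selected")
    if len(keys) > MAX_RECIPIENTS:
        raise RejectedSubmission(f"too many recipients ({len(keys)} > {MAX_RECIPIENTS})")
    unknown = [k for k in keys if k not in ALLOWED_RECIPIENTS]
    if unknown:
        raise RejectedSubmission(f"unknown recipient key(s): {unknown}")
    to_addrs = sorted({ALLOWED_RECIPIENTS[k] for k in keys})

    sender_name = _header_value(form, "name")
    subject = _header_value(form, "subject")
    reply_to = _header_value(form, "email", required=False)

    msg = EmailMessage()
    # From: is always ours, so the script cannot be used to forge mail from
    # arbitrary senders; the visitor's address only ever lands in Reply-To.
    msg["From"] = "formmail@example.com"
    msg["To"] = ", ".join(to_addrs)
    msg["Subject"] = f"[web form] {subject}"
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content(f"From: {sender_name}\n\n{form.get('message') or ''}")
    return msg


def rejection_reason(form, now=None):
    """Why a submission would be refused, or None if it would be mailed."""
    try:
        build_message(form, now)
    except RejectedSubmission as exc:
        return str(exc)
    return None
```

In a CGI the flow is: put `issue_token()` in a hidden field when rendering the form, call `build_message(dict(fields))` in the handler, and hand the result to `smtplib`. The order of checks matters: the token test comes first so that a bulk poster who never fetched the form is turned away before any field is inspected, and recipient lookup happens before header assembly so an unknown destination is never even partially processed.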