Matt's Script Archive was just updated a couple days ago and includes a 
fix similar to mine--I just discovered.

Thanks,
Sterling

Andrew Sterling Hanenkamp wrote:

> Actually, if you use telnet you can write your own headers and say 
> you've been referred by whoever you want to say you were referred by and 
> then use the script anyway, because you'll just say you came from 
> someplace where they have a form. This script is very bad. I submitted 
> an update to the archive which adds an additional constraint to it by 
> allowing users to only send to certain domains or only certain 
> addresses, but I never received word back, so I had assumed that the site 
> was not very actively maintained.
> 
> Any script you write that allows a user to sendmail should ALWAYS CHECK 
> THE RECIPIENT to make sure it's not just anyone. I've quit using that 
> script in favor of my PHP script that just translates keys given in the 
> form into real addresses so that the formmail doesn't even really get 
> the ability to send to just anyone.
> 
> Sterling
> 
> PS - If you or anyone else is interested in the script, I can send it to 
> them. (If I get a lot of requests I just post it on my web site since 
> Matt's Script Archive never posted my update.)
> 
> Thomas Deliduka wrote:
> 
>> This is a classic case of someone not having formmail.pl from Matt's Script
>> Archive locked down.
>>
>> I found it very interesting that while Matt's Script Archive is set up to
>> block you from using someone else's form as a referer to yours, to prevent
>> the use of your script from another server, he simply allows you through if
>> you have no referer at all. And that's how someone used our server several
>> times about 6 months ago. If you format a perfect querystring and simply hit
>> enter on the browser, you can successfully send many people e-mail through
>> formmail.pl if it's not modified to block 'no referer' references.
>>
>> On 7/26/2001 8:29 PM this was written:
>>
>>
>>> Below is the result of your feedback form.  It was submitted by
>>> ([EMAIL PROTECTED]) on Thursday, July 26, 2001 at 20:29:47
>>> --------------------------------------------------------------------------- 
>>>
>>>
>>> : Join for free Today.
>>> Free Memberships. No Credit Cards Needed.
>>> HUGE Celebrity selection from Jennifer Lopez to Britney Spears.
>>> Also Specializing Streaming Video, Live sex shows for every desire!
>>> This isn't one of those crummy scams where you have to use a credit card!
>>> Take a look and you'll see.
>>> <a href="aol://2000:http://coverme1.devil.ru";>Enter Here</a>
>>>
>>> You received this email because you subscribed to a mailing list. If
>>> you would like to be removed from this mailing list please <a
>>> href="mailto:[EMAIL PROTECTED]";>Click Here!</a>
>>>
>>> --------------------------------------------------------------------------- 
>>>
>>>
>>>
>>> -- 
>>> PHP General Mailing List (http://www.php.net/)
>>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>>> For additional commands, e-mail: [EMAIL PROTECTED]
>>> To contact the list administrators, e-mail: [EMAIL PROTECTED]
>>>
>>
> 

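The recipient constraint the thread recommends, written out as an added PHP example; this is not Sterling's script nor any code from Matt's Script Archive, and the keys, addresses and domains in it are constructed placeholders. It shows the two defences discussed above: mapping an opaque form key to a server-side address, and a domain allowlist for forms that must still carry a literal address. Neither relies on the Referer header, since the client controls it.

```php
<?php
// Added example (hypothetical handler): the form never chooses the real
// recipient; it submits a key, and the server resolves it from this map.
const RECIPIENTS = [
    'sales'   => 'sales@example.com',    // constructed placeholder
    'support' => 'support@example.com',  // constructed placeholder
];

/**
 * Resolve the submitted key to a real address.
 * Unknown keys yield null, so a crafted querystring cannot name an
 * arbitrary address the way an unmodified formmail.pl allowed.
 */
function resolve_recipient(array $post): ?string
{
    $key = (string) ($post['to'] ?? '');
    return RECIPIENTS[$key] ?? null;
}

/**
 * Fallback for forms that must carry a literal address: accept it only if
 * it is syntactically valid and its domain is on the allowlist. A Referer
 * check is deliberately not part of this decision.
 */
function recipient_allowed(string $addr, array $allowed_domains): bool
{
    if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $domain  = strtolower(substr(strrchr($addr, '@'), 1));
    $allowed = array_map('strtolower', $allowed_domains);
    return in_array($domain, $allowed, true);
}

/** Send only to a resolved recipient; refuse everything else. */
function send_feedback(array $post): bool
{
    $to = resolve_recipient($post);
    if ($to === null) {
        return false;
    }
    $body = (string) ($post['message'] ?? '');
    return mail($to, 'Website feedback', $body, 'From: webform@example.com');
}

// Constructed inputs: a valid key, and the attacker-style literal address.
var_dump(resolve_recipient(['to' => 'support']));                  // "support@example.com"
var_dump(resolve_recipient(['to' => 'victim@elsewhere.example']));  // NULL
var_dump(recipient_allowed('sales@example.com', ['example.com']));  // true
var_dump(recipient_allowed('anyone@elsewhere.example', ['example.com'])); // false
```

`send_feedback()` is defined but not called here, so running the file does not attempt delivery; wire it to the form's POST handler and keep `RECIPIENTS` out of anything the client can edit.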