And I note that the .67 machine alias "prop.hfradio.org" includes a
comments page. That script could be vulnerable if updates to the OS
are not fully installed.
I've done quite a bit of buttoning up here. I'll take a closer look at
this, too.
Maybe this is obvious, but from experience, make sure that any script input
that gets put into an email header field is rigorously sanitized. I strip
out anything that appears after a newline character, then pass email
addresses (or what should be email addresses) through a validator (a simple
regex is fine, but to be more rigorous you can check the right-hand part for
a matching MX or A record).
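The header-sanitizing approach described in that reply, as an added example (this is not code from the thread or from the hfradio.org comments script; the field names, the `resolve` hook and the sample form input are assumptions for illustration). The dangerous case is a form value that contains a CR or LF: an SMTP header ends at the newline, so anything after it becomes a new header such as `Bcc:`, which is how a comments form gets turned into a spam relay. Everything from the first CR/LF onward is dropped, the address is then checked with a deliberately simple regex, and an optional callable can verify the domain part (the stub in the example stands in for an MX/A lookup; a real deployment would plug in something like dnspython's `dns.resolver.resolve(domain, "MX")`, or the stdlib A-record check shown, which is not run here because it needs network access).

```python
import re
import socket

# Everything from the first CR or LF onward would be sent as a new header
# line (e.g. an injected "Bcc: ..."), so it is discarded wholesale.
_HEADER_BREAK = re.compile(r"[\r\n].*", re.S)

# Deliberately simple address check: one '@', no whitespace, dotted domain.
# It is not RFC 5322 complete; the point is to reject anything that could
# smuggle header syntax, not to accept every legal address.
_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")


def sanitize_header_value(value: str) -> str:
    """Strip everything after the first newline plus any remaining control chars."""
    value = _HEADER_BREAK.sub("", value)
    # Drop NUL and other C0 control characters and DEL as well; some MTAs
    # treat them specially and nothing legitimate in a form field needs them.
    return "".join(ch for ch in value if ch >= " " and ch != "\x7f").strip()


def validate_email(addr: str, resolve=None) -> bool:
    """Return True if addr is a plausible address (and, with resolve, has a live domain).

    resolve is an optional callable taking a domain and returning a truthy value
    when that domain has an MX or A record. It is a hook, not a DNS client.
    """
    # fullmatch, not match: '$' would still match before a trailing '\n'.
    if not _EMAIL_RE.fullmatch(addr):
        return False
    if resolve is None:
        return True
    domain = addr.rsplit("@", 1)[1]
    return bool(resolve(domain))


def a_record_exists(domain: str) -> bool:
    """Stdlib-only check that the domain resolves to an address (needs network)."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def build_contact_headers(form: dict, resolve=None) -> dict:
    """Turn untrusted form fields into safe Reply-To / Subject values.

    Raises ValueError rather than silently sending from a bad address.
    """
    email = sanitize_header_value(form.get("email", ""))
    if not validate_email(email, resolve):
        raise ValueError("invalid sender address")

    # Display names also live inside a header; strip the angle-bracket and
    # quote characters so the name cannot close the phrase and start an address.
    name = re.sub(r'[<>"]', "", sanitize_header_value(form.get("name", "")))
    subject = sanitize_header_value(form.get("subject", "")) or "(no subject)"

    reply_to = f"{name} <{email}>" if name else email
    return {"Reply-To": reply_to, "Subject": subject}


if __name__ == "__main__":
    # Constructed injection attempt: the name field carries a CRLF and a Bcc header.
    hostile_form = {
        "name": "Bob\r\nBcc: spam-target@example.net",
        "email": "bob@example.com",
        "subject": "Hello",
    }
    print(build_contact_headers(hostile_form))
    # -> {'Reply-To': 'Bob <bob@example.com>', 'Subject': 'Hello'}
```

Applying the validator to the sanitized value rather than the raw one matters: a raw `"bob@example.com\nBcc: x@y.z"` fails the regex outright, which is the safer failure, while the stripped form is what actually goes into the header.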
- Re: Via HTTP?? Mike Jackson