Message-ID: <5ece0d580602050228m27426c73k527473297a18558e@mail.gmail.com>
Date: Sun, 5 Feb 2006 02:28:49 -0800
From: coderpunk <coderpunk@...il.com>
To: bugtraq@...urityfocus.com
Subject: mailback script exploit
There is a mailback perl cgi script that has been in use for years,
originally written by Erik C. Thauvin, which has some serious
security holes in it. One that is currently being exploited is that
the contents of the subject passed to the script from the form are not
sanitized before being passed to the SMTP server.
Spammers are setting the subject to be their message, complete with a
bcc list of addresses, and it is passed to the server and accepted.
Phillip Moore
My advice is to not use any type of generic mailback script -- all
headers should come from hard-coded values in the script, not fields
passed from the form.
.cp
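The failure described in the post, as an added illustration that is not part of the original message and not Erik C. Thauvin's script: a form field is concatenated straight into the message headers, so a submitter who puts CR/LF in the "subject" can append a Bcc header and a body of their own. The hardened builder beside it follows the advice in the post (routing headers hard-coded, only Subject and body from the form) and refuses any header value containing CR, LF or NUL. The addresses, the injected subject and the function names are all constructed for this example.

```python
"""Header injection through a form-supplied Subject, and a hardened
mailback builder.  Constructed example; the addresses and sample input
are made up and the code is not from any real mailback script."""
from email import message_from_string
from email.message import EmailMessage

# Hard-coded recipient and sender: a mailback form must never take these
# from form fields (assumed addresses, constructed for this example).
FORM_OWNER = "owner@example.invalid"
FORM_SENDER = "webform@example.invalid"

# What a spammer submits as the form's "subject" field (constructed):
# a plausible subject, then CRLF-separated extra headers, then a blank
# line so that everything after it becomes the message body.
INJECTED_SUBJECT = (
    "Question about your site\r\n"
    "Bcc: victim1@example.invalid, victim2@example.invalid\r\n"
    "\r\n"
    "Buy now at http://spam.example.invalid/"
)


def build_vulnerable(subject: str, body: str) -> str:
    """The pattern the post describes: the form field is concatenated
    straight into the SMTP DATA text, so CR/LF inside it terminates the
    Subject line and lets the submitter add headers of their own."""
    return (
        f"From: {FORM_SENDER}\r\n"
        f"To: {FORM_OWNER}\r\n"
        f"Subject: {subject}\r\n"
        "\r\n"
        f"{body}\r\n"
    )


def header_value(value: str, max_len: int = 200) -> str:
    """Reject anything that could end or continue a header line.
    CR, LF and NUL never legitimately appear in a form-supplied Subject;
    refusing (rather than stripping) means a tampered request is dropped
    instead of silently 'fixed' and delivered."""
    if any(c in value for c in "\r\n\x00"):
        raise ValueError("header injection attempt: CR/LF in header value")
    if len(value) > max_len:
        raise ValueError("header value too long")
    return value


def build_hardened(subject: str, body: str) -> str:
    """All routing headers are hard-coded; only Subject and the body come
    from the form, and Subject is validated first.  EmailMessage also
    refuses multi-line header values, a second line of defence."""
    msg = EmailMessage()
    msg["From"] = FORM_SENDER
    msg["To"] = FORM_OWNER
    msg["Subject"] = header_value(subject)
    msg.set_content(body)  # the body may contain CRLF; it is not a header
    return msg.as_string()


def rejected(subject: str) -> bool:
    """True if the hardened builder refuses this subject."""
    try:
        build_hardened(subject, "body")
    except ValueError:
        return True
    return False


def recipients_of(raw: str) -> list:
    """Parse a generated message the way an MTA would and list every
    address in To/Cc/Bcc, so the effect of the injection is visible."""
    parsed = message_from_string(raw)
    found = []
    for name in ("To", "Cc", "Bcc"):
        for value in parsed.get_all(name, []):
            found.extend(a.strip() for a in value.split(","))
    return found


if __name__ == "__main__":
    print("vulnerable delivers to:",
          recipients_of(build_vulnerable(INJECTED_SUBJECT, "ignored")))
    print("hardened rejects injected subject:", rejected(INJECTED_SUBJECT))
    print("hardened delivers to:",
          recipients_of(build_hardened("Question about your site", "Hi")))
```

The same check applies to any other field that reaches a header (From, Reply-To, a "name" that is folded into From): validate each one or, as the post recommends, do not take it from the form at all.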