Re: OK, .. this one's a stumper.



Wouldn't one mailer for each domain allow you to tighten security to what
you want?  

-----Original Message-----
From: silug-discuss-owner@silug.org [mailto:silug-discuss-owner@silug.org]
On Behalf Of L. V. Lammert
Sent: Friday, January 27, 2006 9:58 AM
To: discuss@silug.org
Subject: OK, .. this one's a stumper.

Everyone knows mailer scripts are a security hole, .. historically, they 
are restricted by referer URL & recipient address patterns. Recipient works 
pretty well, as the only allowed output email address can be tightly 
controlled.

Unfortunately, it seems like some of the script kiddies have found 
ways to get around the referer URL - i.e. By posting the form directly to 
the form mailer, they are apparently also forging the environment variables 
to satisfy the referer check. I tried changing from referer URL to matching 
the server address, .. but it DNW either. (Obviously, the first action was 
to delete the calling document so it cannot be invoked in any form on the 
server.)

Is anyone aware of a more secure way to validate the source document other 
than referer URL or server address? Or is there a way to secure the mailer 
itself (callable from a number of domains)?

	Thanks!

	Lee


-
To unsubscribe, send email to majordomo@silug.org with
"unsubscribe silug-discuss" in the body.
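One way to secure the mailer itself instead of trusting the Referer header, as an added example in Python (not code from this thread): the server signs an expiring HMAC token into each form when it renders the page, and the mailer accepts a submission only if that token verifies and the recipient is on a fixed allow-list. The secret, form id and addresses below are assumed placeholders.

```python
import hmac
import hashlib
import re
import time
from typing import Optional, Tuple

# Constructed placeholders: use a long random secret and your own addresses.
SECRET = b"replace-with-a-long-random-secret"
ALLOWED_RECIPIENTS = {"webmaster@example.com", "sales@example.com"}
TOKEN_TTL = 3600  # seconds a rendered form stays submittable


def issue_token(form_id: str, now: Optional[int] = None) -> str:
    """Emit this into the form as a hidden field when the page is rendered."""
    ts = str(int(time.time() if now is None else now))
    msg = f"{form_id}:{ts}".encode()
    sig = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{form_id}:{ts}:{sig}"


def verify_token(token: str, form_id: str, now: Optional[int] = None) -> bool:
    """True only if the token was signed by us for this form and is not stale."""
    parts = token.split(":")
    if len(parts) != 3 or parts[0] != form_id or not parts[1].isdigit():
        return False
    expected = hmac.new(SECRET, f"{parts[0]}:{parts[1]}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(parts[2], expected):  # constant-time compare
        return False
    current = time.time() if now is None else now
    return 0 <= current - int(parts[1]) <= TOKEN_TTL


def accept_submission(fields: dict, form_id: str,
                      now: Optional[int] = None) -> Tuple[bool, str]:
    """Decide whether the mailer may send; Referer is never consulted."""
    if fields.get("recipient", "") not in ALLOWED_RECIPIENTS:
        return False, "recipient not in allow-list"
    if not verify_token(fields.get("token", ""), form_id, now):
        return False, "missing, forged or expired form token"
    # Refuse CR/LF in anything copied into mail headers (header injection).
    for name in ("subject", "from"):
        if re.search(r"[\r\n]", fields.get(name, "")):
            return False, f"newline in {name} field"
    return True, "ok"
```

A direct POST that supplies a plausible Referer but no valid token is rejected, and a token copied out of one form cannot be reused after TOKEN_TTL or against a different form id.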
