OK, .. this one's a stumper.
Everyone knows mailer scripts are a security hole, .. historically, they
are restricted by referer URL & recipient address patterns. Recipient works
pretty well, as the only allowed output email address can be tightly
controlled.
Unfortunately, it seems like some of the script kiddies have found
ways to get around the referer URL - i.e. By posting the form directly to
the form mailer, they are apparently also forging the environment variables
to satisfy the referer check. I tried changing from referer URL to matching
the server address, .. but it DNW either. (Obviously, the first action was
to delete the calling document so it cannot be invoked in any form on the
server.)
Is anyone aware of a more secure way to validate the source document other
than referer URL or server address? Or is there a way to secure the mailer
itself (callable from a number of domains)?
Thanks!
Lee
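A defensive sketch of the checks under discussion, added here as an example and not code from Lee's post or the list: the recipient allowlist stays the hard control, a server-side signed token embedded in the form page replaces trust in the Referer (which the client can set to anything), and the Referer is kept only as an advisory note. The secret, recipient address and hostname are constructed placeholders.

```python
import hashlib
import hmac
import time
from urllib.parse import urlparse

# Constructed configuration values (placeholders, not from the post).
ALLOWED_RECIPIENTS = {"webmaster@example.com"}     # the hard control
ALLOWED_REFERER_HOSTS = {"www.example.com"}        # advisory only
SECRET = b"replace-with-a-random-server-side-secret"  # known only to the server
TOKEN_TTL = 3600                                   # seconds a form token stays valid


def issue_token(form_id, now=None):
    """Signed token the server embeds as a hidden field when it serves the form."""
    ts = str(int(time.time() if now is None else now))
    mac = hmac.new(SECRET, f"{form_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{form_id}:{ts}:{mac}"


def token_valid(token, now=None):
    """True only if the token was minted by this server and has not expired."""
    parts = token.split(":")
    if len(parts) != 3 or not parts[1].isdigit():
        return False
    form_id, ts, mac = parts
    expected = hmac.new(SECRET, f"{form_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return False
    now = time.time() if now is None else now
    return 0 <= now - int(ts) <= TOKEN_TTL


def check_submission(headers, fields, now=None):
    """Return (accepted, reason) for one POST to the mailer.

    The recipient allowlist and the signed token decide; the Referer header
    is client-supplied and therefore only noted, never relied on."""
    if fields.get("recipient") not in ALLOWED_RECIPIENTS:
        return False, "recipient not in allowlist"
    if not token_valid(fields.get("token", ""), now):
        return False, "missing, forged or expired form token"
    referer_host = urlparse(headers.get("Referer", "")).hostname
    if referer_host in ALLOWED_REFERER_HOSTS:
        return True, "accepted"
    return True, "accepted (referer missing or unexpected; advisory only)"
```

A direct POST with a forged Referer but no server-issued token is rejected, while a genuine form page served with a fresh token is accepted regardless of what the Referer says.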
-
To unsubscribe, send email to majordomo@silug.org with
"unsubscribe silug-discuss" in the body.