Fw: Matt Wright's FormMail.pl

by "Paul Roberts" <hwg(at)roberts200025.freeserve.co.uk>

Date: Mon, 16 Jun 2003 23:34:15 +0100
To: "HWG" <hwg-techniques(at)mail.hwg.org>
----- Original Message -----
From: "cbirds" <cbirds(at)earthlink.net>
To: "Collette McNeill" <collette(at)mlwebworks.com>; "HWG" <hwg-techniques(at)mail.hwg.org>
Sent: Monday, June 16, 2003 6:44 PM
Subject: Re: Matt Wright's FormMail.pl

> This can be fixed by adding something to the referrers array so that only
> the specified recipients can get the form bounceback.

Absolutely nothing that comes via the browser can be trusted; I could add the referrer as part of a GET string in the URL or via a form field:
<input type="hidden" name="HTTP_REFERER" value="domain.com">

Having the recipient in the form is also vulnerable; I just need to save the form and edit it a little, changing
<input type="hidden" value="Mamie(at)TheProgressCenter.com, $email" name="recipient">
to
<input type="text" value="" name="recipient">
and then put in a list of emails separated by commas, and I have a spam machine.

Please set
$recipient = "Mamie(at)TheProgressCenter.com";
in the Perl, where it's safe from tampering.

Your options are also vulnerable: it's not hard to change the values to something nasty, or make them text boxes as well so I can fill them in and they get emailed as part of my message, i.e.
<input type="checkbox" value="for a great web experience visit http://www.w3.org." name="2">
<input type="text" value="for a great web experience visit http://www.w3.org." name="2">
Better to pass them as numbers and then set them in the script server side; I can also change the email's subject the same way.

i'd get rid of these fields to remove your validation.

<input type="hidden" value="email,realname" name="required">
<input type="hidden" value="email,realname,1,2,3,4" name="sort">
<input type="hidden" value="REMOTE_HOST,REMOTE_ADDR,REMOTE_USER,HTTP_USER_AGENT,HTTP_REFERER" name="env_report">

I'd say in less than 1/4 hr this can be sending 1000s of spam emails, all traceable back to you.

Not good, but you get what you pay for.

Best Wishes

Paul Roberts
mail at Paul-Roberts dot com
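The server-side approach the message argues for (fixed recipient and subject in the script, options submitted as numbers and looked up server side, required fields enforced in code rather than in a hidden field), written out as an added Python example. This is not FormMail.pl's code and not from the thread; the recipient address, subject, option labels, and the function name build_message are placeholders assumed for the illustration, and the two submissions at the bottom are constructed.

```python
import re

# Fixed server-side values. These are placeholders standing in for the
# site's real recipient and subject; neither is ever read from the form.
RECIPIENT = "owner@example.com"
SUBJECT = "Website contact form"

# The browser submits only an option *number*; the text is looked up
# here. The labels are made up for this illustration.
OPTION_TEXT = {
    "1": "Please send me a brochure",
    "2": "Please call me back",
    "3": "Add me to the newsletter",
    "4": "I have a question about pricing",
}

# Required fields live in the script, not in a hidden "required" field
# that a saved copy of the form could simply drop.
REQUIRED_FIELDS = ("email", "realname")

# Conservative address check: one local part, one domain, no whitespace
# or line breaks, so the value is safe to place in a mail header.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


class FormError(ValueError):
    """Raised for a submission the handler refuses to send."""


def build_message(form):
    """Turn a submitted form (dict of field -> str or list of str) into
    (headers, body). Fields such as recipient, subject, required, sort
    and env_report are never consulted, so editing them in a saved copy
    of the form changes nothing."""
    for name in REQUIRED_FIELDS:
        if not str(form.get(name, "")).strip():
            raise FormError(f"missing required field: {name}")

    email = form["email"].strip()
    if not EMAIL_RE.match(email):
        raise FormError("invalid email address")
    realname = form["realname"].strip()
    if "\r" in realname or "\n" in realname:
        raise FormError("invalid name")

    # A checkbox group may arrive as one string or a list of strings.
    codes = form.get("options", [])
    if isinstance(codes, str):
        codes = [codes]
    # Only known numeric codes are accepted; free text is rejected, so a
    # submitted option value can never become part of the outgoing mail.
    selected = []
    for code in codes:
        if code not in OPTION_TEXT:
            raise FormError(f"unknown option code: {code!r}")
        selected.append(OPTION_TEXT[code])

    headers = {"To": RECIPIENT, "Subject": SUBJECT, "Reply-To": email}
    lines = [f"Name: {realname}", f"Email: {email}"]
    for text in selected:
        lines.append(f"Option: {text}")
    lines += ["", str(form.get("message", "")).strip()]
    return headers, "\n".join(lines)


# Constructed submissions for a stand-alone run.
GOOD_FORM = {
    "email": "alice@example.net",
    "realname": "Alice Example",
    "options": ["1", "3"],
    "message": "Hello",
    # A saved-and-edited form might add these; they are ignored.
    "recipient": "someone@example.org, someone-else@example.org",
    "subject": "changed subject",
}

TAMPERED_FORM = {
    "email": "alice@example.net",
    "realname": "Alice Example",
    # The option value was turned into free text, as the message describes.
    "options": ["for a great web experience visit http://www.w3.org."],
}

if __name__ == "__main__":
    headers, body = build_message(GOOD_FORM)
    print(headers)
    print(body)
    try:
        build_message(TAMPERED_FORM)
    except FormError as err:
        print("rejected:", err)
```

Running the file sends the first submission to the fixed recipient with the fixed subject, and rejects the second because its option value is not one of the known numeric codes. Whatever was pasted into recipient, subject, required, sort or env_report in a saved copy of the form has no effect, which is the property the message asks for.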

HWG hwg-techniques mailing list archives, maintained by Webmasters @ IWA