scotttyz Posted March 2, 2004

I posted this as a reply to another message but want to make sure the Devs see it ASAP.

The issue I have heard about is that you can include a "\n cc: name@host.com, etc" in the first "form variable" in the email, because RFC822 isn't specific about what order the mail headers have to be in, only that the requisite minimum are there. So a spammer could pull the passed variable (form contents) and include a list of cc:........ to your script.

IE: (for PHP) mail($to, $subject, $message, $headers)

You hard code the to: and headers: fields, but the spammer uses the $subject (or $message) field to pass a:

\n cc: name@mail.com;name@mail.com;name@mail.com;name@mail.com;

and on, in almost any place in your form submitted variables.

I am working on a PHP mail script that checks the non hard coded variables for "@" and replaces with "at". That should do it. If I am wrong please poke holes in my theory!!!!

Some hosts already have a big issue with this.

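An added example, not code from this thread or from any script it mentions: a PHP check for the header injection described in the post above, which rejects carriage returns and line feeds in form values that end up on header lines and accepts only a single address in the reply field. The function names, addresses and sample submissions are constructed for illustration.

```php
<?php
// Added example; function names, addresses and sample submissions are constructed.

// A value placed on a header line (Subject, Reply-To) must not contain CR or LF:
// either character ends the current header line and lets the rest start a new one.
function is_single_line(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 0;
}

// Returns [to, subject, message, headers] for mail(), or null to reject the form.
function build_mail_args(array $form): ?array
{
    $to      = 'webmaster@example.com';   // hard-coded, never taken from the form
    $subject = (string)($form['subject'] ?? '');
    $replyTo = (string)($form['email'] ?? '');
    $message = (string)($form['message'] ?? '');

    if ($subject === '' || !is_single_line($subject)) {
        return null;
    }
    // FILTER_VALIDATE_EMAIL accepts a single address only, so an address list fails.
    if (!is_single_line($replyTo) || filter_var($replyTo, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // The body may span lines; normalise its line endings to CRLF.
    $message = preg_replace('/\r\n|\r|\n/', "\r\n", $message);

    $headers = "From: webform@example.com\r\nReply-To: " . $replyTo;
    return [$to, $subject, $message, $headers];
}

// Constructed submissions: one ordinary, one carrying the injected "cc:" line.
$ordinary = ['subject' => 'Question about hosting', 'email' => 'visitor@example.org',
             'message' => "Hello,\nplease call me back."];
$injected = ['subject' => "Hi\ncc: name@example.com, other@example.com",
             'email' => 'visitor@example.org', 'message' => 'x'];

foreach (['ordinary' => $ordinary, 'injected' => $injected] as $label => $form) {
    $args = build_mail_args($form);
    echo $label, ': ', $args === null ? 'rejected' : 'accepted', PHP_EOL;
    // On acceptance a real script would call mail(...$args).
}
```
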
surefire Posted March 2, 2004

Thank you for this info. I just tested Ultimate Form Mail Script (one that many TCH members use) and it appears to be safe from this exploit.

mike Posted March 4, 2004

3 CHEERS for Ultimate Form Mail Script