Doug Traylor wrote: > Sorry I miss-read the above line and though it was related to the from and > reply-to not the from and recipient. Since this particular exploit uses the > "To" field to pass the code, ASSP's standard recipient validation should > take care of this without having to do anything in the bombHeaderRe right > because the MTA is not involved yet right?
I would expect that to be the case. But then again, what if they use a real address as the first recipient? The RCPT command can be used multiple times within the same SMTP session. ------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 _______________________________________________ Assp-user mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/assp-user
