Actually, if you use telnet you can write your own headers and say 
you've been referred by whoever you want to say you were referred by and 
then use the script anyway, because you'll just say you came from 
someplace where they have a form. This script is very bad. I submitted 
an update to the archive which adds an additional constraint to it by 
allowing users to only send to certain domains or only certain 
addresses, but I never received word back, so I had assumed that the site 
was not very actively maintained.

Any script you write that allows a user to send mail should ALWAYS CHECK 
THE RECIPIENT to make sure it's not just anyone. I've quit using that 
script in favor of my PHP script that just translates keys given in the 
form into real addresses, so that the formmail doesn't even really get 
the ability to send to just anyone.

Sterling

PS - If you or anyone else is interested in the script, I can send it to 
them. (If I get a lot of requests I'll just post it on my web site, since 
Matt's Script Archive never posted my update.)

Thomas Deliduka wrote:

> This is a classic case of someone not having formmail.pl from Matt's Script
> archive locked down.
> 
> I found it very interesting that while Matt's Script Archive is set up to
> block you from using someone else's form as a referer to yours to prevent
> the use of your script from another server, he simply allows you through if
> you have no referer at all. And that's how someone used our server several
> times about 6 months ago. If you format a perfect querystring and simply hit
> enter on the browser, you can successfully send many people e-mail through
> formmail.pl if it's not modified to block 'no referer' references.
> 
> On 7/26/2001 8:29 PM this was written:
> 
> 
>>Below is the result of your feedback form.  It was submitted by
>>([EMAIL PROTECTED]) on Thursday, July 26, 2001 at 20:29:47
>>---------------------------------------------------------------------------
>>
>>: Join for free Today.
>>Free Memberships. No Credit Cards Needed.
>>HUGE Celebrity selection from Jennifer Lopez to Britney Spears.
>>Also Specializing Streaming Video, Live sex shows for every desire!
>>This isn't one of those crummy scams where you have to use a credit card!
>>Take a look and you'll see.
>><a href="aol://2000:http://coverme1.devil.ru">Enter Here</a>
>>
>>
>><BR><BR><BR><BR><BR><BR><BR>
>>
>>You received this email because you subscribed to a mailing list. If you would
>>like to be removed from this mailing list please <a
>>href="mailto:[EMAIL PROTECTED]">Click Here!</a><BR><BR><BR><BR><BR><BR><BR>
>>
>>---------------------------------------------------------------------------
>>
>>
>>-- 
>>PHP General Mailing List (http://www.php.net/)
>>To unsubscribe, e-mail: [EMAIL PROTECTED]
>>For additional commands, e-mail: [EMAIL PROTECTED]
>>To contact the list administrators, e-mail: [EMAIL PROTECTED]
>>
> 


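As an added illustration of what the thread recommends (this is not Sterling's PHP script and not Matt's formmail.pl; addresses, host names and field names are placeholders): the HTML form carries a short key rather than a mailbox, the server resolves that key against a fixed table, and the Referer header is not consulted at all. The weak referer_allowed() check is reproduced only to show the hole Thomas describes, and a CR/LF strip is added because a form field that ends up in the mail header block is the other classic way a formmail script becomes a relay.

```php
<?php
// Added example, not the thread's own code. Hypothetical form handler:
// the form sends "to_key=sales", never an address, and the server
// decides where mail can go. All names and addresses are placeholders.

// The only mailboxes this handler can ever deliver to.
const RECIPIENTS = [
    'sales'   => 'sales@example.com',
    'support' => 'support@example.com',
];

// The kind of check formmail.pl relied on, kept here to show why it
// fails: a client can send any Referer it likes, or none at all.
function referer_allowed(?string $referer, array $allowed_hosts): bool {
    if ($referer === null || $referer === '') {
        return true; // the hole Thomas describes: an absent Referer is accepted
    }
    // strict in_array: a false/null from parse_url never matches a host string
    return in_array(parse_url($referer, PHP_URL_HOST), $allowed_hosts, true);
}

// Strip CR/LF/NUL so a submitted field cannot smuggle extra headers
// (Bcc:, a second To:) into the header block handed to mail().
function header_safe(string $value): string {
    return trim(str_replace(["\r", "\n", "\0"], ' ', $value));
}

// Hardened handler: the Referer is ignored; the recipient comes from
// RECIPIENTS only, and an unknown key is refused outright.
function build_message(array $post): ?array {
    $to = RECIPIENTS[$post['to_key'] ?? ''] ?? null;
    if ($to === null) {
        return null;
    }
    $reply_to = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $headers  = ['From' => 'webform@example.com']; // fixed, never user-supplied
    if ($reply_to !== false) {
        $headers['Reply-To'] = $reply_to;
    }
    $subject = header_safe($post['subject'] ?? '') ?: 'Feedback form';
    $body    = 'Submitted by: ' . ($reply_to ?: 'anonymous') . "\n\n"
             . ($post['message'] ?? '');
    return ['to' => $to, 'subject' => $subject, 'headers' => $headers, 'body' => $body];
}

// Delivery is kept separate so everything above runs without an MTA.
function deliver(array $msg): bool {
    $hdr = '';
    foreach ($msg['headers'] as $name => $value) {
        $hdr .= "$name: $value\r\n";
    }
    return mail($msg['to'], $msg['subject'], $msg['body'], $hdr);
}

// Constructed request modelled on the spam run quoted in the thread:
// no Referer, a "recipient" field formmail.pl would have honoured,
// and a header-injection attempt in the subject.
$spam = [
    'recipient' => 'victim@example.net',
    'subject'   => "Join for free Today\r\nBcc: more-victims@example.net",
    'message'   => 'Free Memberships...',
];
var_dump(referer_allowed(null, ['www.example.com'])); // the old check alone lets this through
var_dump(build_message($spam));                        // no usable to_key, so nothing is built

// A legitimate submission from the site's own form.
$ok  = ['to_key' => 'support', 'email' => 'alice@example.org',
        'subject' => 'Question', 'message' => 'Hi'];
$msg = build_message($ok);
var_dump($msg['to']);
// deliver($msg); // uncomment on a host with a configured MTA
```

The point of the split is that build_message() can be exercised offline; the one place an attacker-controlled string reaches a mail header is the subject, and it passes through header_safe() first.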