Re: [PHP] Teen Hobos having sex? ..no.. but MAYBE
Matt's Script Archive was just updated a couple days ago and includes a fix similar to mine--I just discovered.

Thanks,
Sterling

Andrew Sterling Hanenkamp wrote:
> Actually, if you use telnet you can write your own headers and say
> you've been referred by whoever you want to say you were referred by and
> then use the script anyway, because you'll just say you came from
> someplace where they have a form. This script is very bad. I submitted
> an update to the archive which adds an additional constraint to it by
> allowing users to only send to certain domains or only certain
> addresses, but I never received word back so I had assumed that the site
> was not very actively maintained.
>
> Any script you write that allows a user to sendmail should ALWAYS CHECK
> THE RECIPIENT to make sure it's not just anyone. I've quit using that
> script in favor of my PHP script that just translates keys given in the
> form into real addresses so that the formmail doesn't even really get
> the ability to send to just anyone.
>
> Sterling
>
> PS - If you or anyone else is interested in the script, I can send it to
> them. (If I get a lot of requests I just post it on my web site since
> Matt's Script Archive never posted my update.)
>
> Thomas Deliduka wrote:
>
>> This is a classic case of someone not having formmail.pl from Matt's Script
>> archive locked down.
>>
>> I found it very interesting that while Matt's Script Archive is set up to
>> block you from using someone else's form as a referer to yours to prevent
>> the use of your script from another server, he simply allows you through if
>> you have no referer at all. And that's how someone used our server several
>> times about 6 months ago. If you format a perfect querystring and simply hit
>> enter on the browser, you can successfully send many people e-mail through
>> formmail.pl if it's not modified to block 'no referer' references.
>>
>> On 7/26/2001 8:29 PM this was written:
>>
>>> Below is the result of your feedback form. It was submitted by
>>> ([EMAIL PROTECTED]) on Thursday, July 26, 2001 at 20:29:47
>>> ---
>>>
>>> : Join for free Today.
>>> Free Memberships. No Credit Cards Needed.
>>> HUGE Celebrity selection from Jennifer Lopez to Britney Spears.
>>> Also Specializing Streaming Video, Live sex shows for every desire!
>>> This isn't one of those crummy scams where you have to use a credit card!
>>> Take a look and you'll see.
>>> Enter Here (http://coverme1.devil.ru)
>>>
>>> You received this email because you subscribed to a mailing list. If you would
>>> like to be removed from this mailing list please Click Here! (mailto:[EMAIL PROTECTED])
>>>
>>> ---

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] Teen Hobos having sex? ..no.. but MAYBE
Actually, if you use telnet you can write your own headers and say you've been referred by whoever you want to say you were referred by and then use the script anyway, because you'll just say you came from someplace where they have a form. This script is very bad. I submitted an update to the archive which adds an additional constraint to it by allowing users to only send to certain domains or only certain addresses, but I never received word back so I had assumed that the site was not very actively maintained.

Any script you write that allows a user to sendmail should ALWAYS CHECK THE RECIPIENT to make sure it's not just anyone. I've quit using that script in favor of my PHP script that just translates keys given in the form into real addresses so that the formmail doesn't even really get the ability to send to just anyone.

Sterling

PS - If you or anyone else is interested in the script, I can send it to them. (If I get a lot of requests I just post it on my web site since Matt's Script Archive never posted my update.)

Thomas Deliduka wrote:
> This is a classic case of someone not having formmail.pl from Matt's Script
> archive locked down.
>
> I found it very interesting that while Matt's Script Archive is set up to
> block you from using someone else's form as a referer to yours to prevent
> the use of your script from another server, he simply allows you through if
> you have no referer at all. And that's how someone used our server several
> times about 6 months ago. If you format a perfect querystring and simply hit
> enter on the browser, you can successfully send many people e-mail through
> formmail.pl if it's not modified to block 'no referer' references.
>
> On 7/26/2001 8:29 PM this was written:
>
>> Below is the result of your feedback form. It was submitted by
>> ([EMAIL PROTECTED]) on Thursday, July 26, 2001 at 20:29:47
>> ---
>>
>> : Join for free Today.
>> Free Memberships. No Credit Cards Needed.
>> HUGE Celebrity selection from Jennifer Lopez to Britney Spears.
>> Also Specializing Streaming Video, Live sex shows for every desire!
>> This isn't one of those crummy scams where you have to use a credit card!
>> Take a look and you'll see.
>> Enter Here (http://coverme1.devil.ru)
>>
>> You received this email because you subscribed to a mailing list. If you would
>> like to be removed from this mailing list please Click Here! (mailto:[EMAIL PROTECTED])
>>
>> ---
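A form handler built the way Sterling describes, added here as an illustration (it is not his script and not Matt's formmail.pl): the browser submits only a short key, the server maps that key to a real address, and any key outside the map is refused. The Referer header is deliberately not consulted, since the thread shows it is client-controlled; the recipient map, key names and addresses are assumptions for this example.

```php
<?php
// Added example: recipient chosen by server-side key lookup, never from the client.
// RECIPIENTS, the key names and the addresses are assumptions for illustration.
declare(strict_types=1);

const RECIPIENTS = [
    'sales'   => 'sales@example.com',
    'support' => 'support@example.com',
];

// Resolve a form key to a real address; null for anything not in the map.
function resolve_recipient(array $recipients, string $key): ?string
{
    return $recipients[$key] ?? null;
}

// Build the message from a POST array. Returns null (nothing is sent) when
// the key is unknown, so the script cannot relay to arbitrary addresses no
// matter what Referer or query string the request carries.
function build_mail(array $post, array $recipients): ?array
{
    $to = resolve_recipient($recipients, (string)($post['recipient'] ?? ''));
    if ($to === null) {
        return null;
    }
    // Fold CR/LF out of the subject so the client cannot add extra header lines.
    $subject = 'Web form: ' . str_replace(["\r", "\n"], ' ', (string)($post['subject'] ?? ''));
    $body    = (string)($post['message'] ?? '');
    return ['to' => $to, 'subject' => $subject, 'body' => $body];
}

if (PHP_SAPI !== 'cli') {
    $mail = build_mail($_POST, RECIPIENTS);
    if ($mail === null) {
        http_response_code(400);
        exit('Unknown recipient');
    }
    mail($mail['to'], $mail['subject'], $mail['body']);
}
```

A request whose `recipient` field is a literal e-mail address or any key not in RECIPIENTS gets a 400 and sends nothing; the HTML form only ever needs to offer the short keys.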
Re: [PHP] Teen Hobos having sex? ..no.. but MAYBE
This is a classic case of someone not having formmail.pl from Matt's Script archive locked down.

I found it very interesting that while Matt's Script Archive is set up to block you from using someone else's form as a referer to yours to prevent the use of your script from another server, he simply allows you through if you have no referer at all. And that's how someone used our server several times about 6 months ago. If you format a perfect querystring and simply hit enter on the browser, you can successfully send many people e-mail through formmail.pl if it's not modified to block 'no referer' references.

On 7/26/2001 8:29 PM this was written:
> Below is the result of your feedback form. It was submitted by
> ([EMAIL PROTECTED]) on Thursday, July 26, 2001 at 20:29:47
> ---
>
> : Join for free Today.
> Free Memberships. No Credit Cards Needed.
> HUGE Celebrity selection from Jennifer Lopez to Britney Spears.
> Also Specializing Streaming Video, Live sex shows for every desire!
> This isn't one of those crummy scams where you have to use a credit card!
> Take a look and you'll see.
> Enter Here (http://coverme1.devil.ru)
>
> You received this email because you subscribed to a mailing list. If you would
> like to be removed from this mailing list please Click Here! (mailto:[EMAIL PROTECTED])
>
> ---

--
Thomas Deliduka
IT Manager - New Eve Media
The Solution To Your Internet Angst
http://www.neweve.com/