The referrer is just as easy to fake for someone wanting to exploit an
open relay as the hidden fields are.
/John
Jason Pamental wrote:
Roland makes some very important points. You might be able to address
it though by adding a check in the form processing taf that looks at
the referring URL and compares it to a list (one form mailer and you
keep a list in a text file next to the taf that you can update with
the sites you want to allow to use it). You could use <@cgiparam
name=referrer> to get the site or if it's known, the IP address. If
the list is external to the taf, you could update it pretty easily
without having to open and resave the taf. Since no-one would have
access to the taf directory directly, they'd never know the list was
there.
Jason
--
On Mar 7, 2005, at 8:07 PM, Roland Dumas wrote:
In fact, I just sent a couple of messages through your form handler to
arbitrary (my) addresses from bogus senders with arbitrary content.
You are, in effect, an open relay.
You can have no fewer than 2 tafs to do this without causing yourself
headaches:
1. Arbitrary content, constrained recipients
2. Arbitrary recipients, constrained content
And you can't constrain by placing things in hidden fields. They're not
hidden and quite accessible.
F'rinstance:
The #1 case:
You can allow the form designer lots of latitude to create fields, as long
as at least one is constrained to a selection list, say the subject. If the
subject list is maybe 10 items, then your taf can direct it to the
appropriate recipient based on the subject. The recipient is both truly
hidden and constrained. (You can make this recipient selection logic
complex, if that's to your liking.)
(You'd have to pull out all the ARGs and their values to place in the email
message, and you're ok.)
The #2 Case:
A form on a web page that says "send me to your friends". Sender puts in
his/her own sender email, recipient's, a message, and off it goes. The taf
then generates a copy of that page with the sender's comments and sends to
the recipient. That has little value to a hijacker, because your content is
filling up the page.
Moral: All Purpose = All Headache
On 3/7/05 4:18 PM, "Robert Shubert" <[EMAIL PROTECTED]> wrote:
I would be willing to share mine if you would like. It has some
semi-advanced features. I'm not certain how I would release it, but
that's open for discussion. I wouldn't charge for it. You can see what
it does here:
http://www.tronics.net/formhandler.taf?_function=help
Feel free to try it out.
Robert
On Mar 7, 2005, at 5:54 PM, Fogelson, Steve wrote:
Has anyone written an all-purpose general taf that would accept arguments
from a form and would send them to the specified email address, similar to
the script available as freeware? Probably need a return URL to execute when
finished.
I.e., a "contact us", etc. form.
I would like to avoid using a script and use Witango instead. I can
probably write one, but just checking to see if anyone has one to share.
Thanks
Steve Fogelson
Internet Commerce Solutions
________________________________________________________________________
TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf
-----------------------------------------
Roland Dumas
Roberts Information Services
310 W. Bellevue Avenue
San Mateo CA 94402
650-347-1373
415-412-9300 (cell)
[EMAIL PROTECTED]
SMS: http://new.servqual.com/html/sms.tml
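Roland's case #1 (constrained recipients, arbitrary content) as an added Python example; this is not Witango/taf code from the thread, and the subject keys and addresses are constructed placeholders. The recipient is chosen server-side from a fixed subject list, client-supplied recipient fields are discarded, and, as John points out, no Referer check is used because it is as forgeable as a hidden field.

```python
"""Form-to-mail handler that cannot be turned into an open relay."""
from email.message import EmailMessage

# Server-side routing table: subject key -> real recipient (constructed values).
# The form only ever sees the keys; the addresses never leave the server.
ROUTING = {
    "sales": "sales@example.com",
    "support": "support@example.com",
    "billing": "billing@example.com",
}

# Fields a hijacker would try to supply to redirect mail; ignored even if present.
IGNORED_FIELDS = {"to", "cc", "bcc", "recipient", "referrer"}

# Fixed envelope sender (constructed); never taken from the form.
FIXED_SENDER = "webform@example.com"


def build_message(fields: dict) -> EmailMessage:
    """Build the outbound mail from submitted form fields.

    Raises ValueError when the subject is not in ROUTING, so an unknown
    subject can never reach an unknown address.
    """
    subject_key = fields.get("subject", "")
    if subject_key not in ROUTING:
        raise ValueError(f"subject {subject_key!r} not in allowed list")
    msg = EmailMessage()
    msg["To"] = ROUTING[subject_key]        # truly hidden and constrained
    msg["From"] = FIXED_SENDER
    msg["Subject"] = f"[webform] {subject_key}"
    # Pull out all remaining args and their values into the body (Roland's
    # note), skipping anything that could steer delivery. Values only ever
    # land in the body, so newlines in them cannot become extra headers.
    body_lines = [
        f"{name}: {value}"
        for name, value in sorted(fields.items())
        if name not in IGNORED_FIELDS and name != "subject"
    ]
    msg.set_content("\n".join(body_lines) + "\n")
    return msg
```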