For anyone who's heard of defcon, the year before last they had a presentation devoted to hacking web forms and they said everything John and Roland are saying, and in fact demonstrated how to do it all step by step (faking referer, messing with hidden input fields etc), so heed their words if you want security, because these tips apply to all parts of your application, not just for how to not be an open relay.

On Tue, 08 Mar 2005 10:37:37 -0600, John McGowan <[EMAIL PROTECTED]> wrote:
> The referrer is just as easy to fake for someone wanting to exploit an open relay as the hidden fields are.
>
> /John
>
> Jason Pamental wrote:
>
> > Roland makes some very important points. You might be able to address it though by adding a check in the form processing taf that looks at the referring URL and compares it to a list (one form mailer and you keep a list in a text file next to the taf that you can update with the sites you want to allow to use it). You could use <@cgiparam name=referrer> to get the site or if it's known, the IP address. If the list is external to the taf, you could update it pretty easily without having to open and resave the taf. Since no-one would have access to the taf directory directly, they'd never know the list was there.
> >
> > Jason
> > --
> >
> > On Mar 7, 2005, at 8:07 PM, Roland Dumas wrote:
> >
> >> In fact, I just sent a couple of messages through your form handler to arbitrary (my) addresses from bogus senders with arbitrary content. You are, in effect, an open relay.
> >>
> >> You can have no fewer than 2 tafs to do this without causing yourself headaches:
> >>
> >> 1. Arbitrary content, constrained recipients
> >> 2. Arbitrary recipients, constrained content
> >>
> >> And you can't constrain by placing things in hidden fields. They're not hidden and quite accessible.
> >>
> >> F'rinstance:
> >>
> >> The #1 case:
> >>
> >> You can allow the form designer lots of latitude to create fields, as long as at least one is constrained to a selection list, say the subject. If the subject list is maybe 10 items, then your taf can direct it to the appropriate recipient based on the subject. The recipient is both truly hidden and constrained. (You can make this recipient selection logic complex, if that's to your liking.)
> >>
> >> (You'd have to pull out all the ARGs and their values to place in the email message, and you're ok.)
> >>
> >> The #2 case:
> >>
> >> A form on a web page that says "send me to your friends". Sender puts in his/her own sender email, recipient's, a message, and off it goes. The taf then generates a copy of that page with the sender's comments and sends to the recipient. That has little value to a hijacker, because your content is filling up the page.
> >>
> >> Moral: All Purpose = All Headache
> >>
> >> On 3/7/05 4:18 PM, "Robert Shubert" <[EMAIL PROTECTED]> wrote:
> >>
> >>> I would be willing to share mine if you would like. It has some semi-advanced features. I'm not certain how I would release it, but that's open for discussion. I wouldn't charge for it. You can see what it does here:
> >>>
> >>> http://www.tronics.net/formhandler.taf?_function=help
> >>>
> >>> Feel free to try it out.
> >>>
> >>> Robert
> >>>
> >>> On Mar 7, 2005, at 5:54 PM, Fogelson, Steve wrote:
> >>>
> >>>> Has anyone written an all purpose general taf that would accept arguments from a form and would send them to the specified email address, similar to the script available as freeware. Probably need a return url to execute when finished.
> >>>>
> >>>> i.e.: a "contact us", etc form
> >>>>
> >>>> I would like to avoid using a script and use Witango instead. I can probably write one, but just checking to see if anyone has one to share.
> >>>>
> >>>> Thanks
> >>>>
> >>>> Steve Fogelson
> >>>> Internet Commerce Solutions
> >>>> ________________________________________________________________________
> >>>> TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf
> >>>
> >>
> >> -----------------------------------------
> >> Roland Dumas
> >> Roberts Information Services
> >> 310 W. Bellevue Avenue
> >> San Mateo CA 94402
> >> 650-347-1373
> >> 415-412-9300 (cell)
> >> [EMAIL PROTECTED]
> >> SMS: http://new.servqual.com/html/sms.tml
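Roland's case #1 (arbitrary content, constrained recipients) as an added example, not Witango/taf code from anyone in this thread: the subject-to-recipient table lives only on the server, so neither a spoofed referrer nor an edited hidden field can pick the destination. Addresses and field names are constructed placeholders, and the line-break check on header-bound fields is an assumption that goes slightly beyond the thread.

```python
"""Form-mail handler for the 'constrained recipients' pattern.
Added example; the addresses and field names below are placeholders."""
from email.message import EmailMessage

# Server-side only: the browser never supplies an address. The form's
# <select name="subject"> offers exactly these keys; anything else is refused.
SUBJECT_TO_RECIPIENT = {
    "sales": "sales@example.com",
    "support": "support@example.com",
    "billing": "billing@example.com",
}
FIXED_SENDER = "webform@example.com"   # fixed envelope sender, never from the form


class RejectedSubmission(ValueError):
    """Raised for any submission the handler refuses to relay."""


def build_message(form: dict) -> EmailMessage:
    """Map the selection-list subject to a hidden recipient and put every
    other submitted field into the body (Roland's 'pull out all the ARGs')."""
    subject = form.get("subject", "")
    recipient = SUBJECT_TO_RECIPIENT.get(subject)
    if recipient is None:
        raise RejectedSubmission(f"unknown subject: {subject!r}")
    # Only 'name' reaches a header. Assumption beyond the thread: a CR/LF in a
    # header-bound value would let a submitter append headers, so refuse it.
    sender_name = form.get("name", "anonymous")
    if "\r" in sender_name or "\n" in sender_name:
        raise RejectedSubmission("line break in header-bound field")
    msg = EmailMessage()
    msg["To"] = recipient
    msg["From"] = FIXED_SENDER
    msg["Subject"] = f"[web form] {subject} from {sender_name}"
    # Free-form fields go into the body only; a client-supplied 'to' field is
    # just another body line and never influences routing.
    body = "\n".join(f"{k}: {v}" for k, v in sorted(form.items()) if k != "subject")
    msg.set_content(body + "\n")
    return msg


def handle(form: dict) -> str:
    """Return the address the submission was routed to, or 'rejected'."""
    try:
        return str(build_message(form)["To"])
    except RejectedSubmission:
        return "rejected"
```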
