On Thu, 2006-01-19 at 22:48 -0500, Daniel Davenport wrote:

> Also keep in mind, any form mailer that has the "To" address in a CGI
> field is by its very nature prone to abuse. The destination address
> should _never_ be directly settable by the user; if you must make the
> address selectable, at least check it against a short list of allowed
> recipients.
>
> For reference... just because the field is hidden in a form, that
> doesn't mean that it can't be set at will by a hacker or by a bot
> designed to abuse email-us pages. If you already know who the email
> will go to, it's better to set the address as a scratch variable -- or
> even hard-code it into the page -- than to allow Joe User the chance to
> hijack your contact form.
>
> I haven't seen the form in question, so this is all just a cautionary
> note. I've just seen way too many form mailers and contact pages that
> had similar weaknesses.
>
> --
> Daniel Davenport
> New Age Digital
> http://www.newagedigital.com

Thanks so much EVERYBODY for helping with this, I'm pretty sure that I have it fixed! (fingers crossed) And again I sincerely apologize if any of you were hit with spam from my server.

As it turns out I'm fairly certain that it was not IC at all, but a PHP contact form! (I will no longer host postnuke sites, only IC or static html!)

Anyway, I think it is in line that I submit to a jury of my peers (IC List -- even though I am only a glorified newbie) as to what my sentence should be for being a bad host! Community service? Adopt a website? Free hosting for some time to a non-profit?

I await your verdict... :)

Thanks ICDevGroup and List Users!

Rick

_______________________________________________
interchange-users mailing list
suppressed
http://www.icdevgroup.org/mailman/listinfo/interchange-users
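The recipient check the quoted message recommends, written out as an added example (it is not code from the Interchange project, from the original poster's site, or from Daniel Davenport). It puts the weak pattern, a form mailer that sends to whatever lands in a "to" field, next to the hardened one, where the form only carries a short department key that is looked up in a fixed allowlist and anything else is refused. The function names, the `dept` field and the example.com mailboxes are all constructed for this illustration.

```python
"""Form-mailer recipient selection: weak pattern beside the hardened one.

Constructed example, not code from the mailing-list thread or from any
real contact form. Field names and addresses are made up.
"""
from typing import Mapping, Optional

# Hypothetical allowlist: a short key the form may name, mapped to the real
# mailbox. The real address never appears in the HTML, so a bot rewriting
# hidden fields has nothing useful to change.
ALLOWED_RECIPIENTS: Mapping[str, str] = {
    "sales": "sales@example.com",      # constructed addresses
    "support": "support@example.com",
}
DEFAULT_KEY = "support"


def weak_select_recipient(form: Mapping[str, str]) -> Optional[str]:
    """The pattern the quoted message warns about: the destination address
    is read straight from a (possibly hidden) CGI field, so whoever submits
    the form chooses where the mail goes."""
    return form.get("to")


def select_recipient(form: Mapping[str, str],
                     allowed: Mapping[str, str] = ALLOWED_RECIPIENTS,
                     default_key: str = DEFAULT_KEY) -> Optional[str]:
    """Hardened selection: return the mailbox the message may go to, or
    None to refuse delivery.

    The form may carry a 'dept' key naming one of the allowed mailboxes.
    A missing key falls back to the hard-coded default. Anything else,
    including a full e-mail address typed into the field, is refused
    rather than honoured. A stray 'to' field is simply ignored.
    """
    key = form.get("dept", default_key).strip().lower()
    return allowed.get(key)


def build_headers(form: Mapping[str, str],
                  allowed: Mapping[str, str] = ALLOWED_RECIPIENTS) -> Optional[dict]:
    """Assemble the headers a mailer would send, or None if the form named
    a recipient outside the allowlist. Only the server-chosen address is
    used for 'To'; the visitor's input is confined to the body."""
    to_addr = select_recipient(form, allowed)
    if to_addr is None:
        return None
    return {
        "To": to_addr,
        "Subject": "Contact form submission",
        "Body": form.get("message", ""),
    }


if __name__ == "__main__":
    # Constructed submissions: a legitimate one and one that tries to
    # redirect the mail by supplying its own address.
    honest = {"dept": "sales", "message": "Do you ship to Canada?"}
    redirected = {"dept": "attacker@evil.example", "to": "attacker@evil.example",
                  "message": "spam"}
    print("honest ->", build_headers(honest))
    print("redirected ->", build_headers(redirected))
```

In use, the HTML form offers a `<select name="dept">` with the allowlist keys as options; the server never trusts the submitted value beyond using it as a dictionary key, and a submission that names anything else is dropped (or logged), which is what turns a "mail anyone" page into one that can only reach your own mailboxes.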