[nycphp-talk] worm/virus's hammering feedback scripts?
Billy Reisinger
mail at billyreisinger.com
Mon Sep 12 14:38:23 EDT 2005
This eregi() is a good start - but like I said in a previous post, ALL
variables should be checked this way, including subject and message!
The cruel nature of this hack is that it works anywhere in the mail()
function.
Cheers,
Billy Reisinger
Daniel Convissor wrote:
>Hi Michael:
>
>On Mon, Sep 12, 2005 at 12:41:12PM -0400, Michael Southwell wrote:
>
>
>>At 12:20 PM 9/12/2005, you wrote:
>>
>>>A list of addresses is the wrong approach. The email addresses are
>>>variable and easy to change. More importantly, the content is the issue,
>>>not the email address.
>>>
>>>
>>The point is simply to identify which scripts have sent emails to the
>>known-bad addresses; those are the vulnerable ones.
>>
>>
>
>I'm afraid that will lead people into both a false sense of security and
>using email address blacklists. Folks should audit their email scripts,
>period.
>
>>There were other problems as well, which I noted in my polished
>>version. We need an officially sanctioned version of the function
>>before we can post anything.
>>
>>
>
>Agreed. Here's what I think is a good starting point for discussion...
>
><?php
>// untested!!!!
>// MUST do isset() checks on all of these first!
>// left out for brevity.
>
>// Address: whitelist the characters allowed in a mail address and reject
>// anything else (a CR or LF can never get through this pattern).
>if (eregi('^[a-z0-9_.=+-]+@([a-z0-9-]+\.)+([a-z]{2,6})$', $_POST['address'])) {
> $address = $_POST['address'];
>} else {
> echo 'bad email';
> exit;
>}
>
>// Name and subject end up in headers: strip everything outside a small
>// whitelist. eregi_replace() takes (pattern, replacement, string).
>$name = eregi_replace("[^a-z .'-]", '', $_POST['name']);
>$subject = eregi_replace("[^a-z .'-]", '', $_POST['subject']);
>$message = htmlspecialchars($_POST['message']);
>
>@mail('me@example.com', $subject, $message, "From: $name <$address>");
>?>
>
>--Dan
>
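Taking up Billy's point that every value handed to mail() has to be checked, here is an added example that is not code from this thread or from Dan's snippet. It rejects a submission outright when a header field carries a CR or LF (so the attempt is visible in your logs instead of being silently stripped), then applies the same whitelist idea as Dan's eregi() calls, and returns the assembled mail() arguments rather than sending them, so it runs without a mail transport. The function names (has_header_newline, validate_feedback, build_mail), the recipient address and the two sample submissions are my own assumptions; it uses preg_* because PHP 7 removed the ereg family.

```php
<?php
// Added example for the nycphp-talk thread on mail() header injection.
// Not the thread's own code: names, addresses and sample input are assumed.

// True when $value contains a carriage return or line feed, the characters
// needed to terminate one header line and start another inside mail().
function has_header_newline(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Validates the feedback-form fields and returns the cleaned values, or
// throws InvalidArgumentException naming the offending field.
// Keys match the $_POST keys used in Dan's snippet.
function validate_feedback(array $fields): array
{
    foreach (['address', 'name', 'subject', 'message'] as $key) {
        if (!isset($fields[$key]) || !is_string($fields[$key])) {
            throw new InvalidArgumentException("missing field: $key");
        }
    }

    // Every value that reaches a header is checked for newlines BEFORE any
    // stripping, so an injection attempt is rejected, not quietly repaired.
    foreach (['address', 'name', 'subject'] as $key) {
        if (has_header_newline($fields[$key])) {
            throw new InvalidArgumentException("newline in header field: $key");
        }
    }

    // Address: same character class as the eregi() in the thread, in PCRE.
    // \z (not $) anchors at the true end of the string; PCRE's $ also matches
    // just before a trailing newline.
    if (!preg_match('/^[a-z0-9_.=+-]+@([a-z0-9-]+\.)+[a-z]{2,6}\z/i', $fields['address'])) {
        throw new InvalidArgumentException('bad email');
    }

    // Name and subject: conservative whitelist, as in the thread.
    $name    = preg_replace("/[^a-z .'-]/i", '', $fields['name']);
    $subject = preg_replace("/[^a-z .'-]/i", '', $fields['subject']);

    // The body is not a header, so newlines are legitimate there; it just
    // must never be concatenated into the headers argument.
    return [
        'address' => $fields['address'],
        'name'    => trim($name),
        'subject' => trim($subject),
        'message' => $fields['message'],
    ];
}

// Builds the four arguments mail() would receive. Returned instead of sent
// so the logic can be exercised without an MTA. $to is an assumed address.
function build_mail(array $clean, string $to = 'me@example.com'): array
{
    return [
        'to'      => $to,
        'subject' => $clean['subject'],
        'message' => $clean['message'],
        'headers' => "From: {$clean['name']} <{$clean['address']}>\r\n",
    ];
}

// Constructed sample input: a legitimate submission, and a copy whose subject
// carries a CRLF (the shape of the worm traffic the thread is about).
$good = [
    'address' => 'alice@example.org',
    'name'    => "Alice O'Brien",
    'subject' => 'Site feedback',
    'message' => "Nice site.\nKeep it up.",
];
$bad = $good;
$bad['subject'] = "Site feedback\r\nBcc: someone-else@example.net";

$mail = build_mail(validate_feedback($good));
echo $mail['headers'];            // From: Alice O'Brien <alice@example.org>

try {
    validate_feedback($bad);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";   // rejected: newline in header field: subject
}
```

The order matters: checking for CR/LF on the raw input before the whitelist strip is what lets you log and count injection attempts per script, which is exactly the audit Dan is asking for, whereas a strip-only approach turns the attempt into a harmless but invisible mangled subject.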