[nycphp-talk] Phundamentals Title Change: Email Header Injection
David Mintz
dmintz at davidmintz.org
Fri Sep 23 12:34:37 EDT 2005
On Fri, 23 Sep 2005, Hans Zaunere wrote:
>
> However for this particular exploit, it's easy to prevent. It's simply not
> possible for this exploit to work without the Content-Type: string.
> Searched for, in a case-insensitive manner, across all submitted form
> fields, will detect and thrawt this exploit immediately.
>
Yes, and I gratefully borrowed your snippet to tighten up a couple of my
own scripts. The only conceivable drawback is that if user input is
destined to become the message body -- a textarea for the user
to type a message -- and for some reason the user legitimately wants to
say something like "Have you guys heard about the Content-type:
attack?" Granted, it's unusual, but still... Kind of like the caveat
against training Spamassassin with ham that discusses spam.
---
David Mintz
http://davidmintz.org/
More information about the talk
mailing list