[Mimedefang] OT: Email web form exploits
Chris Gauch
cgauch at digicon.net
Wed Sep 7 11:09:12 EDT 2005
> WBrown at e1b.org wrote:
>
> > Isn't that called input validation and something that should be done
> > anyways?
>
> True. But some input validation is a bit aggressive. How many broken
> Web forms out there don't permit "+" in an e-mail address? And my
> colleague, Dave O'Neill, can tell lots of horror stories about how his
> name is mangled by aggressive-but-incorrect SQL-injection
> countermeasures. :-(
>
> Regards,
>
> David.
It's not only that, try going through several dozen client-developed web
forms and adding form validation to ALL of them. Additionally, who's to say
that the "kiddie script-writer" will continue to use email addresses in all
the form fields (what if they just fill all the fields with "sksdljsdfljsl"
and send them repeatedly)? Even if their intentions aren't being met, they
are certainly causing headaches, getting clients angry with their
ISP/hosting company -- just a nuisance and waste of time I guess.
- Chris
------------------------------------------
Chris Gauch
Systems Administrator
Digicon Communications, Inc.
http://www.digiconcommunications.com
cgauch at digicon.net
More information about the MIMEDefang
mailing list