[Mimedefang] OT: Email web form exploits
James Ebright
jebright at esisnet.com
Thu Sep 8 21:07:45 EDT 2005
Well, it has been quite some time since I have done any serious web
development (and the platform back then was netscapes enterprise server on
solaris 2.52), but...
Pull the referrer from the web server environment, not javascript or anything
else client side, in fact, if you are that paranoid it might have been faked
(and I have clients that I swear wear foil headgear ;-) ) then you could
check, set and check for a session cookie, etc.. alot of ways to track that
when you control the web server in question and deny anything fishy.
Nothing is 100% but you can make it difficult enough or unlikely enough that
they will go look for easier targets... Our experience was that simply
checking the webserver env URI referrer variable was often good enough in this
scenario.
Jim
On Thu, 08 Sep 2005 20:47:47 -0400, David F. Skoll wrote
> Referrer can be faked. You can't trust any data supplied by the client.
>
> Also, people who use privoxy or the like to suppress the referrer field
> would get quite annoyed.
>
> > would force the spammer to hit a valid URI to get the link to the webform
>
> :-) Ah, the perils of trusting the client.
>
> Regards,
>
> David.
--
EsisNet.com Webmail Client
More information about the MIMEDefang
mailing list