
Re^2: Securing mailing scripts

by sulfericacid (Deacon)
on Sep 15, 2005 at 15:17 UTC


in reply to Re: Securing mailing scripts
in thread Securing mailing scripts

This is a fixed script. Imagine that the only fields YOU as the USER can set are EMAIL, SUBJECT and MESSAGE. These are all the text fields on the form side that you are able to set.

The TO: section is hard coded into the script. This is just a contact form to request more information. I'm just looking for the best ways to secure it. I'd use SSL but unfortunately I can't afford it right now.

Thank you.



"Age is nothing more than an inaccurate number bestowed upon us at birth as just another means for others to judge and classify us"

sulfericacid

Re^3: Securing mailing scripts
by phaylon (Curate) on Sep 15, 2005 at 15:43 UTC
    How would SSL help you? That would only secure what people want to send your script.

    If you don't allow the "To:" to be set by the visitor, that's making it a bit easier :) Just don't send a copy to the address the visitor states to use in the "From:", as this could be misused too.

    A few other ideas:
    • You might want to use a "(un)check this option to prove you're not a script"-checkbox. This at least knocks out the poorly written scripts.
    • Check all fields strictly. Think about the possibilities for an attacker if he finds out he can add newlines to the header section of the generated mails ;)
    • If you use other people's scripts, check the code.

    This is by all means definitely absolutely not complete.

    Ordinary morality is for ordinary people. -- Aleister Crowley
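One way to apply the "check all fields strictly" point above, written in the script's own language. This is an added example, not code from the thread; the recipient address, the field names and the length limit are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Fixed recipient: the visitor never controls "To:" (assumed placeholder).
my $TO = 'webmaster@example.com';

# Reject any header value carrying CR, LF or other control characters.
# A newline in a header field is what lets a visitor append extra
# header lines (e.g. more recipients) to the generated mail.
sub header_value_ok {
    my ($v) = @_;
    return defined $v && length $v <= 200 && $v !~ /[\x00-\x1F\x7F]/;
}

# Conservative shape check for the visitor's address: one token,
# no whitespace or angle brackets, exactly one '@'.
sub email_ok {
    my ($e) = @_;
    return header_value_ok($e) && $e =~ /\A[\w.+-]+\@[\w-]+(?:\.[\w-]+)+\z/;
}

# Assemble the message, or die with a reason the form can report.
sub build_mail {
    my (%f) = @_;
    email_ok($f{email})          or die "bad email\n";
    header_value_ok($f{subject}) or die "bad subject\n";
    # The body may contain newlines, but drop anything that is not
    # printable ASCII or ordinary whitespace before it reaches the MTA.
    (my $body = $f{message} // '') =~ s/[^\x20-\x7E\t\r\n]//g;
    return join "\n",
        "To: $TO",
        "From: $TO",             # mail comes from us, never the visitor
        "Reply-To: $f{email}",   # visitor address only as Reply-To
        "Subject: [contact form] $f{subject}",
        "",
        $body;
}

# Constructed sample inputs: an ordinary request, and one whose
# subject carries an embedded newline, which must be rejected.
my %good = (email => 'alice@example.org', subject => 'Pricing info',
            message => "Please send details.\n");
my %bad  = (email => 'alice@example.org', subject => "Hi\nX-Extra: line",
            message => 'x');

print build_mail(%good), "\n";
print eval { build_mail(%bad) } // "rejected: $@";
```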
Re^3: Securing mailing scripts
by Ultra (Hermit) on Sep 15, 2005 at 20:11 UTC

    In your original post you said you're filtering "To"; now you say "To:" is hardcoded.

    For preventing mass mailing you may generate pictures on the fly and ask the "USER" to complete a field of the form with the content of the picture (text or number).

    There's no point in using SSL unless you want to protect the contents of the message or you are using some means of auth (user/pass, secret key, etc.), which I don't think is the case.

    Dodge This!
