in reply to SprintPCS camera phone to Perlmonks Monkpics

I like to see bridging scripts of all sorts -- they're fun, so ++.

However, in this case -- isn't it possible to forge the email headers, making the message appear to be from a user, and thereby helpfully changing that user's monk picture to an attachment of the sender's choice?

I haven't tried this with the email address you list in your procmail recipe, but you might want to change it in case it's the one you were intending to use.

(I suppose you could have other procmail recipes in place that try and filter out instances of messages with forged headers...but if that's the case perhaps you should include a caveat to other users)

Cheers,
Matt


Re^2: SprintPCS camera phone to Perlmonks Monkpics
by diotalevi (Canon) on Jun 04, 2004 at 03:34 UTC
    I thought about this a bit initially and while I thought that there wasn't a hole because the URI has to be on http://pictures.sprintpcs.com/, it turns out that there is. Anyone else that is capable of creating a picture share on pictures.sprintpcs.com is capable of publishing to users using this script. Foo. I'm looking to see if there is a way to tie the fetched web site with the user.
      Hmmm, initially I thought that the photo was actually in the attachment, rather than the attachment being a URL pointing to the sprintpcs site. So it's not totally wide open like I thought, but as you said, can be manipulated if you can upload zaps to the sprint share site.

      At the very least, you could track who was doing what. :)

      Matt

        The script is now updated so it attempts to verify that the picture was posted from the correct address and that the invitation was mailed to the correct address. This should close the loop so that other SprintPCS users are not able to post a picture share and then get other users to use it as if it were their own.
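An added illustration of the kind of check the last reply describes; this is not the script's own code. It assumes a registry of which mail address belongs to which monk, a fixed inbox address for the procmail recipe, and a constructed `$share` hash standing in for what the script would fetch from the share page (poster address, invited address, picture URL).

```perl
use strict;
use warnings;
# Constructed registry (assumed values): the address each monk's phone mails
# from, and the drop address the procmail recipe delivers to.
my %monk_by_address = ('diotalevi@phone.example.invalid' => 'diotalevi');
my $inbox_address   = 'monkpics@example.invalid';
# Unfold and parse a raw message's header block into a lowercase-keyed hash.
sub parse_headers {
    my ($raw) = @_;
    my ($head) = split /\r?\n\r?\n/, $raw, 2;
    $head =~ s/\r?\n[ \t]+/ /g;                 # join folded continuation lines
    my %h;
    for my $line (split /\r?\n/, $head) {
        $h{lc $1} = $2 if $line =~ /^([\w-]+):[ \t]*(.*)$/;
    }
    return \%h;
}
# Bare, lowercased address from a header value such as "Name <user@host>".
sub bare_address {
    my ($field) = @_;
    return lc $1 if $field =~ /<([^>]+)>/;
    return lc $1 if $field =~ /([^\s<>]+@[^\s<>]+)/;
    return '';
}
# Decide which monk, if any, an invitation may update. The mail headers are a
# hint only; the decision is confirmed against what the share page records
# ($share is a constructed stand-in for the fields fetched from the share site).
sub monk_for_invitation {
    my ($raw_mail, $share) = @_;
    my $h    = parse_headers($raw_mail);
    my $from = bare_address($h->{from} || '');
    my $to   = bare_address($h->{to}   || '');
    my $monk = $monk_by_address{$from} or return;           # unknown sender
    return unless $to eq $inbox_address;                     # not addressed to us
    return unless $share->{url} =~ m{^http://pictures\.sprintpcs\.com/}i;
    return unless lc $share->{posted_by} eq $from;           # poster must be the sender
    return unless lc $share->{invited}   eq $inbox_address;  # share must invite our inbox
    return $monk;
}
# Same legitimate-looking mail, once with a matching share and once with a
# share posted by someone else (the case discussed in the thread).
my $mail = "From: Dio <diotalevi\@phone.example.invalid>\nTo: $inbox_address\n"
         . "Subject: share\n\nhttp://pictures.sprintpcs.com/share/1\n";
my %good   = (url => 'http://pictures.sprintpcs.com/share/1',
              posted_by => 'diotalevi@phone.example.invalid', invited => $inbox_address);
my %forged = (%good, posted_by => 'attacker@phone.example.invalid');
print monk_for_invitation($mail, \%good)   || 'rejected', "\n";
print monk_for_invitation($mail, \%forged) || 'rejected', "\n";
```

The From header alone never decides anything here; the share page's own poster and invitee fields have to agree with it before a monk's picture is touched.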