Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:11313
HistoryFeb 07, 2006 - 12:00 a.m.

mailback script exploit

2006-02-0700:00:00
vulners.com
8
JSON

There is a mailback perl cgi script that has been in use for years,
originally written by Erik C. Thauvin, which has some serious
sercurity holes in it. One that is currently being exploited is that
the contents of the subject pass to the script from the form are not
sanitized before being passed to the SMTP server.

Spammers are setting the subject to be their message, complete with
bcc list of addresses and it is passed to the server and accepted.
Phillip Moore
My advice is to not use any type of generic mailback script – all
headers should come from hard-coded values in the script, not fields
passed from the form.

.cp

JSON