Re: XSS via curl

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Sandy Keathley wrote:
My company uses a home-grown formmail script for clients
<groan>, and someone is using curl to inject HTTP headers
and spam email addresses, and turn it into an open relay.
Yes, I know the right answer is to not use a formmail,
but I don't make the rules here.

Is there a way to detect that a script is being accessed
by curl, and not by a browser?

It sounds like you have a PHP script with a security vulnerability, and you think that restricting what the client uses to request the script is going to fix it. This is not a good approach. Just fix the problem. :-)

For example, filter the data you receive from the client before passing it as arguments to the mail() function.

Hope that helps.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux