Flaw in PHP scripts abused to send SPAM -- please check scripts...

From: Russell McOrmond <russell@flora.ca>
Date: Sun, 12 Feb 2006 22:02:06 -0500

   The SPAM companies have found a way to abuse broken PHP scripts to 
send their SPAM.  The mail() function takes parameters which need to be 
checked for return or other invalid characters if they come from (or are 
built from) external variables (POST/GET/etc.).


   You *must* assume that any information received from the network is 
suspect and check for things such as this.  It doesn't matter what 
limits you put on your forms (silly JavaScript bounds checking) as they 
don't need to use your forms in order to submit data to your PHP scripts.

   I have disabled the mail() function on a number of virtual servers 
that had broken scripts by changing the sendmail config as follows:

php_admin_value sendmail_path "/bin/true"

  Russell McOrmond, Internet Consultant: <http://www.flora.ca/>
  2415+ Canadians oppose Bill C-60 which protects antiquated Recording,
  Movie and "software manufacturing" industries from modernization.
  http://KillBillC60.ca    Sign--> http://digital-copyright.ca/petition/
Status mailing list
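The check the message asks for, as an added example that is not part of the original post: a small wrapper around PHP's mail() that refuses to send when any form-supplied value destined for a header contains carriage return, line feed or NUL. The function and variable names are this example's own assumptions, not code from the poster's servers.

```php
<?php
// Added example (not from the original post): a hardened wrapper around
// mail() that rejects header-bound parameters containing CR, LF or NUL,
// the characters that let extra headers ride along with a form submission.

// True only if $value is safe to place on a single mail header line.
function is_safe_header_value(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 0;
}

// An address must be a syntactically valid e-mail and free of header breaks.
function is_safe_address(string $address): bool
{
    return is_safe_header_value($address)
        && filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

// Replacement for a typical contact-form mail() call. Returns false
// instead of sending when any externally supplied field fails the checks.
function send_contact_mail(string $to, string $from, string $subject, string $body): bool
{
    if (!is_safe_address($to) || !is_safe_address($from)) {
        return false;
    }
    if (!is_safe_header_value($subject)) {
        return false;
    }
    // The body may legitimately contain newlines; only header fields are restricted.
    $headers = 'From: ' . $from . "\r\n";
    return mail($to, $subject, $body, $headers);
}

// Constructed inputs, as they might arrive in $_POST from a contact form.
$good = ['from' => 'alice@example.com', 'subject' => 'Question about hosting'];
$bad  = ['from' => "alice@example.com\r\nSomething: else", 'subject' => 'Hi'];

var_dump(is_safe_address($good['from']) && is_safe_header_value($good['subject']));
var_dump(is_safe_address($bad['from']));
```

Applying the same validation to every other value that ends up in a header (Reply-To, Cc, additional parameters) closes the hole described above without disabling mail() outright.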
