smtp.sendmail security

Discussion in 'Ruby' started by John W. Long, Jul 28, 2003.

  1. John W. Long

    John W. Long Guest

    We are using the following code to send email messages from an online form
    on our web site:

    Net::SMTP.start('localhost', 25) {|smtp|
      smtp.sendmail(message, @from, @to)
    }

    The values of @from and @to are taken directly from their cgi.params values
    with basically no modification. Is it possible for someone to exploit this
    as a security vulnerability? Could someone use it to send email to multiple
    addresses?

    --
    John Long
    http://www.wiseheartdesign.com
     
    John W. Long, Jul 28, 2003
    #1

  2. Hi,

    In message "smtp.sendmail security"
    on 03/07/29, "John W. Long" <> writes:
    |
    |We are using the following code to send email messages from an online form
    |on our web site:
    |
    | Net::SMTP.start('localhost', 25) {|smtp|
    | smtp.sendmail(message, @from, @to)
    | }
    |
    |The values of @from and @to are taken directly from their cgi.params values
    |with basically no modification. Is it possible for someone to exploit this
    |as a security vulnerability? Could someone use it to send email to multiple
    |addresses?

    Check will be added. Thank you.

    matz.
     
    Yukihiro Matsumoto, Jul 29, 2003
    #2

  3. John W. Long

    Chris Morris Guest

    Yukihiro Matsumoto wrote:

    >|We are using the following code to send email messages from an online form
    >|on our web site:
    >|
    >| Net::SMTP.start('localhost', 25) {|smtp|
    >| smtp.sendmail(message, @from, @to)
    >| }
    >|
    >|The values of @from and @to are taken directly from their cgi.params values
    >|with basically no modification. Is it possible for someone to exploit this
    >|as a security vulnerability? Could someone use it to send email to multiple
    >|addresses?
    >
    >Check will be added. Thank you.
    >

    Can you elaborate on what this addition will do? I frequently use
    smtp.sendmail with multiple 'to' addresses.

    --

    Chris
    http://clabs.org/blogki
     
    Chris Morris, Jul 29, 2003
    #3
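
An added example, not part of the thread and not the check matz refers to: one way to validate form-supplied envelope addresses before they reach smtp.sendmail, while still allowing a deliberate multi-recipient send of the kind Chris describes. The names UnsafeAddress, ADDRESS, safe_address, safe_address?, safe_recipients and SAMPLES, the 'from'/'to' form keys and the default limit of 1 are assumptions made for this example.

```ruby
# Added example: validate form-supplied envelope addresses before they
# reach smtp.sendmail. All names here are hypothetical.

class UnsafeAddress < ArgumentError; end

# Deliberately narrow: one local part, one "@", one dotted domain.
# \A and \z anchor the whole string; ^ and $ match per line in Ruby and
# would accept a value that carries a second line.
ADDRESS = /\A[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\z/

# Returns the address unchanged, or raises UnsafeAddress.
def safe_address(value)
  addr = value.to_s
  raise UnsafeAddress, "control character in address" if addr =~ /[\r\n\x00]/
  raise UnsafeAddress, "not a single address: #{addr.inspect}" unless addr.match?(ADDRESS)
  addr
end

# Boolean form of safe_address, for checking values without raising.
def safe_address?(value)
  safe_address(value)
  true
rescue UnsafeAddress
  false
end

# Validates every recipient and caps how many one submission may name.
# Callers that really send to several addresses raise the limit explicitly.
def safe_recipients(values, limit: 1)
  list = Array(values).map { |v| safe_address(v) }.uniq
  raise UnsafeAddress, "no recipient" if list.empty?
  raise UnsafeAddress, "too many recipients (#{list.size} > #{limit})" if list.size > limit
  list
end

# Constructed sample form values (not taken from the thread).
SAMPLES = [
  "visitor@example.com",
  "a@example.com, b@example.com",
  "a@example.com\nb@example.com",
  "visitor@example.com "
].freeze

# Usage with the thread's snippet (form keys 'from' and 'to' are assumed):
#   from, to = safe_address(cgi.params['from'].first), safe_recipients(cgi.params['to'])
#   Net::SMTP.start('localhost', 25) { |smtp| smtp.sendmail(message, from, to) }
```

Of the constructed samples, only the first is accepted; the comma-separated list, the two-line value and the value with trailing whitespace are all rejected before any SMTP session is opened.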
