smtp.sendmail security

Discussion in 'Ruby' started by John W. Long, Jul 28, 2003.

  1. John W. Long

    John W. Long Guest

    We are using the following code to send email messages from an online form
    on our web site:

    require 'net/smtp'

    Net::SMTP.start('localhost', 25) {|smtp|
      smtp.sendmail(message, @from, @to)
    }

    The values of @from and @to are taken directly from their cgi.params values
    with basically no modification. Is it possible for someone to exploit this
    as a security vulnerability? Could someone use it to send email to multiple
    addresses?

    --
    John Long
    http://www.wiseheartdesign.com
    John W. Long, Jul 28, 2003
    #1

  2. Hi,

    In message "smtp.sendmail security"
    on 03/07/29, "John W. Long" <> writes:
    |
    |We are using the following code to send email messages from an online form
    |on our web site:
    |
    | Net::SMTP.start('localhost', 25) {|smtp|
    | smtp.sendmail(message, @from, @to)
    | }
    |
    |The values of @from and @to are taken directly from their cgi.params values
    |with basically no modification. Is it possible for someone to exploit this
    |as a security vulnerability? Could someone use it to send email to multiple
    |addresses?

    Check will be added. Thank you.

    matz.
    Yukihiro Matsumoto, Jul 29, 2003
    #2

  3. John W. Long

    Chris Morris Guest

    Yukihiro Matsumoto wrote:

    >|We are using the following code to send email messages from an online form
    >|on our web site:
    >|
    >| Net::SMTP.start('localhost', 25) {|smtp|
    >| smtp.sendmail(message, @from, @to)
    >| }
    >|
    >|The values of @from and @to are taken directly from their cgi.params values
    >|with basically no modification. Is it possible for someone to exploit this
    >|as a security vulnerability? Could someone use it to send email to multiple
    >|addresses?
    >
    >Check will be added. Thank you.
    >

    Can you elaborate on what this addition will do? I frequently use
    smtp.sendmail with multiple 'to' addresses.

    --

    Chris
    http://clabs.org/blogki
    Chris Morris, Jul 29, 2003
    #3
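
Added example, not part of the original thread or of net/smtp: a validation step an application can run on form-supplied envelope addresses before calling smtp.sendmail, which places them into line-delimited MAIL FROM and RCPT TO commands. It covers both a single sender and a capped list of recipients; every name it defines, the recipient limit and the form field names 'from' and 'to' are assumptions.

```ruby
# Added example. EnvelopeError, clean_address, clean_recipients and
# MAX_RECIPIENTS are hypothetical names, not part of net/smtp.
class EnvelopeError < ArgumentError; end

MAX_RECIPIENTS = 3 # assumed policy limit for a public web form

# Deliberately strict: one local part, one domain, nothing else.
# \A and \z anchor the whole string; ^ and $ would only anchor a line.
ADDRESS_RE = /\A[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+\z/

def clean_address(raw)
  value = raw.to_s
  # SMTP commands are line-delimited, so control characters go first.
  raise EnvelopeError, 'control character in address' if value =~ /[\x00-\x1f\x7f]/
  raise EnvelopeError, 'address too long' if value.length > 254
  raise EnvelopeError, 'not a single address' unless value =~ ADDRESS_RE
  value
end

# Takes what cgi.params returns for a field (an Array of Strings).
def clean_recipients(raw_values)
  list = Array(raw_values).map { |v| clean_address(v) }.uniq
  raise EnvelopeError, 'no recipient' if list.empty?
  raise EnvelopeError, 'too many recipients' if list.size > MAX_RECIPIENTS
  list
end

# Constructed sample inputs, not taken from the thread.
SAMPLES = {
  'plain'      => 'user@example.com',
  'line break' => "user@example.com\r\nextra line",
  'list'       => 'a@example.com, b@example.com',
  'bracket'    => 'user@example.com>'
}.freeze

# Returns 'ok' or the rejection reason for each sample.
def check_samples
  SAMPLES.transform_values do |v|
    begin
      clean_address(v)
      'ok'
    rescue EnvelopeError => e
      e.message
    end
  end
end

# Use with the thread's code (form field names 'from' and 'to' are assumed):
#   from = clean_address(cgi.params['from'].first)
#   to   = clean_recipients(cgi.params['to'])
#   Net::SMTP.start('localhost', 25) { |smtp| smtp.sendmail(message, from, to) }
```

Where the form only ever needs to reach known mailboxes, comparing the cleaned recipients against a fixed list is stricter still than a count limit.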
