smtp.sendmail security

John W. Long

We are using the following code to send email messages from an online form
on our web site:

Net::SMTP.start('localhost', 25) {|smtp|
  smtp.sendmail(message, @from, @to)
}

The values of @from and @to are taken directly from their cgi.params values
with basically no modification. Is it possible for someone to exploit this
as a security vulnerability? Could someone use it to send email to multiple
addresses?
 
Yukihiro Matsumoto

Hi,

In message "smtp.sendmail security"
|
|We are using the following code to send email messages from an online form
|on our web site:
|
| Net::SMTP.start('localhost', 25) {|smtp|
| smtp.sendmail(message, @from, @to)
| }
|
|The values of @from and @to are taken directly from their cgi.params values
|with basically no modification. Is it possible for someone to exploit this
|as a security vulnerability? Could someone use it to send email to multiple
|addresses?

Check will be added. Thank you.

matz.
 
Chris Morris

Yukihiro said:
|We are using the following code to send email messages from an online form
|on our web site:
|
| Net::SMTP.start('localhost', 25) {|smtp|
| smtp.sendmail(message, @from, @to)
| }
|
|The values of @from and @to are taken directly from their cgi.params values
|with basically no modification. Is it possible for someone to exploit this
|as a security vulnerability? Could someone use it to send email to multiple
|addresses?

Check will be added. Thank you.

Can you elaborate on what this addition will do? I frequently use
smtp.sendmail with multiple 'to' addresses.
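
An added example, not part of the thread and not the check matz refers to: one way a form handler could validate the values behind @from and @to before calling smtp.sendmail, so that each is a single address with no line breaks and the recipient comes from a fixed list. The helper names, the allowlist, the sample addresses and the 'from'/'to' parameter keys are assumptions for illustration.

```ruby
# Added example: validate form-supplied envelope addresses before Net::SMTP.
# Every name below (UnsafeAddress, safe_address, ALLOWED_RECIPIENTS, ...) is
# hypothetical and does not come from the thread or from net/smtp.

class UnsafeAddress < ArgumentError; end

# Conservative single-mailbox pattern, deliberately stricter than RFC 5321:
# one local part, one "@", a dotted domain. Whitespace, commas, quotes, angle
# brackets and control characters cannot match. \A and \z anchor the whole
# string (in Ruby, ^ and $ would only anchor a line).
ADDRESS = /\A[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+\z/

# Recipients this form may mail (constructed sample values).
ALLOWED_RECIPIENTS = %w[webmaster@example.com sales@example.com].freeze

# Returns the value unchanged if it is exactly one plain address.
def safe_address(value)
  value = value.to_s
  raise UnsafeAddress, "control character or line break" if value =~ /[\x00-\x1f\x7f]/
  raise UnsafeAddress, "not a single address" unless value =~ ADDRESS
  raise UnsafeAddress, "address too long" if value.length > 254
  value
end

# A web form rarely needs a visitor-chosen recipient, so pin it to a list.
def safe_recipient(value)
  addr = safe_address(value).downcase
  raise UnsafeAddress, "recipient not allowed" unless ALLOWED_RECIPIENTS.include?(addr)
  addr
end

# Validates both envelope values; raises UnsafeAddress on the first bad one.
def checked_envelope(from_param, to_param)
  [safe_address(from_param), safe_recipient(to_param)]
end

# Usage with the code from the question (parameter keys are assumed):
#   from, to = checked_envelope(cgi.params['from'][0], cgi.params['to'][0])
#   Net::SMTP.start('localhost', 25) { |smtp| smtp.sendmail(message, from, to) }
```

Code that legitimately sends to several recipients can keep doing so by passing an array built on the server side; the validation only applies to values that arrive from the form.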
 
