[nycphp-talk] Phundamentals Title Change: Email Header Injection
Hans Zaunere
lists at zaunere.com
Wed Sep 21 09:28:29 EDT 2005
Chris Shiflett wrote on Sunday, September 18, 2005 3:35 PM:
> Jeff Siegel wrote:
> > See: http://www.nyphp.org/phundamentals/email_header_injection.php
>
> I recommend that we change:
>
> "All PHP scripts which send email based on input data are vulnerable."
>
> to:
>
> "All PHP scripts which send email based on tainted data are
> vulnerable."
>
> or:
>
> "All PHP scripts which send email based on input data might be
> vulnerable."
>
> It might be better to reword it some other way, but it's false as
> written.

Or better yet:

All PHP scripts which use external data as any part of a constructed email
header, such as when a form accepts data that will populate a To:, From: or
Subject: header field, may be vulnerable.

H
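
The distinction drawn in this thread, between form input as such and external data that reaches a To:, From: or Subject: header unfiltered, can be shown in code. The following is an added example, not part of the original posts or of the Phundamentals article; the function names `header_value` and `header_address`, the addresses and the sample form values are all constructed for illustration.

```php
<?php
// Added example: names and sample values are constructed for illustration.

/**
 * Return $value if it is safe to place in a single header field,
 * otherwise throw. CR and LF end a header line, so a value carrying
 * either one could start an additional header field.
 */
function header_value(string $value): string
{
    if (preg_match('/[\r\n]/', $value)) {
        throw new InvalidArgumentException('line break in header value');
    }
    return trim($value);
}

/** Validate an address destined for a From: or To: field. */
function header_address(string $value): string
{
    $value = header_value($value);
    if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('not a valid address');
    }
    return $value;
}

// Constructed stand-ins for $_POST data from a contact form.
$samples = [
    ['from' => 'visitor@example.com', 'subject' => 'Hello'],
    ['from' => "visitor@example.com\r\nX-Injected: 1", 'subject' => 'Hello'],
    ['from' => 'visitor@example.com', 'subject' => "Hello\nX-Injected: 1"],
];

foreach ($samples as $i => $form) {
    try {
        $from    = header_address($form['from']);
        $subject = header_value($form['subject']);
        // The recipient is a constant, not form input; only the message
        // body may contain newlines. The send itself is left commented out:
        // mail('webmaster@example.com', $subject, $body, "From: $from");
        echo "sample $i: accepted (From: $from, Subject: $subject)\n";
    } catch (InvalidArgumentException $e) {
        echo "sample $i: rejected, {$e->getMessage()}\n";
    }
}
```

Only the first sample is accepted; the other two are rejected before any header string is built.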