

The FLORA Help Desk


[Flora-help] [Fwd: Flaw in PHP scripts abused to send SPAM -- please check scripts...]

From: Russell McOrmond <russell_-at-_flora.ca>
To: "FLORA.org helpdesk" <flora-help_-at-_list.flora.org>
Date: Sun, 12 Feb 2006 22:10:09 -0500

   If any FLORA.org people have PHP scripts they should check them for 
this problem.  If you aren't certain what this is about, and possibly 
have a PHP form that sends email, then please ask here for details.

   Unlike the AOL problem this is a situation where SPAM is being 
generated by our servers because of bugs in PHP scripts.

-------- Original Message --------
Subject: Flaw in PHP scripts abused to send SPAM -- please check scripts...
Date: Sun, 12 Feb 2006 22:02:06 -0500
From: Russell McOrmond <russell@flora.ca>
To: Status List <status@list.flora.ca>


   The SPAM companies have found a way to abuse broken PHP scripts to
send their SPAM.  The mail() function takes parameters which need to be
checked for return or other invalid characters if they come from (or are
built from) external variables (Post/get/etc).

http://ca3.php.net/manual/en/ref.mail.php

   You *must* assume that any information received from the network is
suspect and check for things such as this.  It doesn't matter what
limits you put on your forms (silly Javascript bounds checking) as they
don't need to use your forms in order to submit data to your PHP scripts.


   I have disabled the mail() function on a number of virtual servers
that had broken scripts by changing the sendmail config as follows:

php_admin_value sendmail_path "/bin/true"


-- 
  Russell McOrmond, Internet Consultant: <http://www.flora.ca/>
  2415+ Canadians oppose Bill C-60 which protects antiquated Recording,
  Movie and "software manufacturing" industries from modernization.
  http://KillBillC60.ca    Sign--> http://digital-copyright.ca/petition/
_______________________________________________
Status mailing list
Status@list.flora.ca
http://list.flora.ca/mailman/listinfo/status

_______________________________________________
Flora-help mailing list
Flora-help@list.flora.org
http://list.flora.org/mailman/listinfo/flora-help
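The check the message asks script owners to make, written out as an added example (this is not code from the original message or from any FLORA script): every form value that ends up in a mail() header is refused if it carries a carriage return, line feed or NUL, the sender address must validate as an address, and the destination is fixed in the script rather than taken from the form. The field names, the recipient and the log line are assumptions for this example.

```php
<?php
// Added example, not from the original message. Assumed form fields:
// name, email, subject, message. The recipient is hard-coded on purpose.

function is_header_safe(string $value): bool
{
    // A header value must stay on one line: CR, LF or NUL would let the
    // submitter append further headers (extra recipients, for instance).
    return preg_match('/[\r\n\0]/', $value) === 0;
}

function send_form_mail(array $post, string $recipient): bool
{
    $name    = trim($post['name']    ?? '');
    $from    = trim($post['email']   ?? '');
    $subject = trim($post['subject'] ?? '');
    $body    = $post['message']      ?? '';

    // A syntactically valid address cannot contain CR/LF, so this check
    // alone closes the sender field; the other fields still need the guard.
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    foreach ([$name, $subject] as $field) {
        if (!is_header_safe($field)) {
            // Record the attempt so the server operator can see abuse patterns.
            error_log('mail form: header injection attempt rejected from '
                . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
            return false;
        }
    }
    // Quote the display name so a stray '<' or ',' cannot alter the header.
    $display = '"' . str_replace('"', '', $name) . '"';
    $headers = 'From: ' . $display . ' <' . $from . ">\r\n"
             . 'Reply-To: ' . $from . "\r\n";
    return mail($recipient, $subject, $body, $headers);
}

// Usage: send_form_mail($_POST, 'helpdesk@example.org');
```

The message body is passed to mail() as the body argument only, so it needs no line check; the fields that become headers are the ones that matter.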

