
The FLORA Help Desk


Re: [Flora-help] [Fwd: Flaw in PHP scripts abused to send SPAM --please check scripts...]

From: Rosaleen Dickson <rosaleen_-at-_flora.org>
To: "FLORA.org helpdesk" <flora-help_-at-_list.flora.org>
Date: Mon, 13 Feb 2006 06:39:57 -0500
References: <43EFF891.70206@flora.ca>

All this about PHP (below) is beyond my compression.
I could ask, "what is PHP" but I really don't need to know.

I do know that mail is occasionally sent out from "rosaleen@flora.org"
that did not originate from me. This happens very seldom.
The way I know is because I get a message telling me it wasn't sent.
The first time that happened you told me to ignore it.  I did;
and still do.
Cheers,
Rosaleen

Russell McOrmond wrote:
> 
>    If any FLORA.org people have PHP scripts they should check them for
> this problem.  If you aren't certain what this is about, and possibly
> have a PHP form that sends email, then please ask here for details.
> 
>    Unlike the AOL problem this is a situation where SPAM is being
> generated by our servers because of bugs in PHP scripts.
> 
> -------- Original Message --------
> Subject: Flaw in PHP scripts abused to send SPAM -- please check scripts...
> Date: Sun, 12 Feb 2006 22:02:06 -0500
> From: Russell McOrmond <russell@flora.ca>
> To: Status List <status@list.flora.ca>
> 
>    The SPAM companies have found a way to abuse broken PHP scripts to
> send their SPAM.  The mail() function takes parameters which need to be
> checked for return or other invalid characters if they come from (or are
> built from) external variables (Post/get/etc).
> 
> http://ca3.php.net/manual/en/ref.mail.php
> 
>    You *must* assume that any information received from the network is
> suspect and check for things such as this.  It doesn't matter what
> limits you put on your forms (silly Javascript bounds checking) as they
> don't need to use your forms in order to submit data to your PHP scripts.
> 
>    I have disabled the mail() function on a number of virtual servers
> that had broken scripts by changing the sendmail config as follows:
> 
> php_admin_value sendmail_path "/bin/true"
> 
> --
>   Russell McOrmond, Internet Consultant: <http://www.flora.ca/>
>   2415+ Canadians oppose Bill C-60 which protects antiquated Recording,
>   Movie and "software manufacturing" industries from modernization.
>   http://KillBillC60.ca    Sign--> http://digital-copyright.ca/petition/
> _______________________________________________
> Status mailing list
> Status@list.flora.ca
> http://list.flora.ca/mailman/listinfo/status
> 
_______________________________________________
Flora-help mailing list
Flora-help@list.flora.org
http://list.flora.org/mailman/listinfo/flora-help
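The defect Russell describes above is that a PHP form handler passes form fields straight into mail(), so a value containing a carriage return or line feed ends one header and starts another. The following is an added example, not code from the thread or from FLORA.org: a minimal contact-form handler that rejects any header-bound field containing CR, LF or NUL before calling mail(), with the recipient fixed server-side. The function names (has_header_break, clean_address, send_contact_mail) and the sample inputs are assumptions constructed for this example; the second sample carries the kind of embedded line break the message warns about and is refused.

```php
<?php
// Added example (not from the original thread): a contact-form handler that
// refuses to build mail() headers from unchecked request data.
// Function names and sample data below are assumptions made for this example.

/**
 * True if a value destined for a mail header contains a line break (CR or LF)
 * or a NUL byte. Any of these would let the value terminate the header it is
 * placed in, which is the flaw the thread describes.
 */
function has_header_break(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

/**
 * Validate a sender address: no header breaks and syntactically an email
 * address. Returns the cleaned address, or null if it must not be used.
 */
function clean_address(string $raw): ?string
{
    $raw = trim($raw);
    if (has_header_break($raw)) {
        return null;
    }
    $address = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $address === false ? null : $address;
}

/**
 * Build and send the message. Returns false, and sends nothing, if any
 * header-bound field fails validation. The body may legitimately contain
 * newlines, so it is only checked for NUL bytes; Subject and From become
 * headers and must not contain line breaks.
 * $dry_run skips the real mail() call so the validation can be exercised
 * offline.
 */
function send_contact_mail(array $post, string $site_owner, bool $dry_run = false): bool
{
    $from    = clean_address($post['from'] ?? '');
    $subject = trim((string)($post['subject'] ?? ''));
    $body    = (string)($post['body'] ?? '');

    if ($from === null
        || $subject === ''
        || has_header_break($subject)
        || strpos($body, "\0") !== false) {
        return false;
    }

    // The recipient is fixed by the server, never taken from the form.
    $headers = "From: $from\r\nReply-To: $from\r\n";

    if ($dry_run) {
        return true;
    }
    return mail($site_owner, $subject, $body, $headers);
}

// Constructed sample inputs (not real submissions).
$good = [
    'from'    => 'visitor@example.com',
    'subject' => 'Question about the site',
    'body'    => "Line one\nLine two",
];
// An embedded CRLF in a header-bound field, as the thread warns about.
$bad = [
    'from'    => "visitor@example.com\r\nBcc: list@example.net",
    'subject' => 'Question about the site',
    'body'    => 'x',
];

var_dump(send_contact_mail($good, 'owner@example.org', true));
var_dump(send_contact_mail($bad,  'owner@example.org', true));
```

The check belongs in the script, not in the browser: as the message notes, client-side JavaScript limits are irrelevant because a sender can post directly to the handler. The `php_admin_value sendmail_path "/bin/true"` setting quoted above is the server-side emergency stop for a virtual host whose scripts cannot be fixed immediately; once the handler validates its inputs as shown, normal delivery can be restored.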

