Re: [mv] Contact Us/ Multiple FeedBack Pages/Multiple Email Address es
Larry,
thank you very much for your hint!
In my own code, I use one email address in my output.html files. This
is not changeable. In another page of my own, I don't use any hidden
variable for the email address. I have more other variables in this page,
and in my own output.html files it checks the values of the variables
([if value name], [if value city] and so on), and the email goes out if
all variables are not empty!
Sorry!
Joachim
On 1 Dec, Larry Leszczynski wrote:
> ****** message to minivend-users from Larry Leszczynski <larryl@furph.com> ******
>
> Hi All -
>
> jojo's approach to solving the feedback form problem is good, but in
> the interest of security...
>
>> <FORM ACTION="http://__SERVER_NAME____CGI_URL__/postout?[data session id]"
>> METHOD="POST">
>> [L]Subject[/L] : <SELECT NAME="subject">
>> <OPTION VALUE="Hello world!"> Hello World!
>> <OPTION VALUE="Hello Karl!"> Hello Karl!
>> </SELECT>
>> [L]Message[/L] :
>> <TEXTAREA name="MESSAGE" cols=60 rows=20>[value MESSAGE]</TEXTAREA>
> vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
>> <input type="hidden" Name="emailto" VALUE="kswisher@iolinc.net">
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Please don't do this!
>
>> <input type="submit" Name=mv_todo VALUE="Senden">
>> </FORM>
>
>
> It's a "Bad Idea (tm)" to put mailto or similar values as hidden form
> variables. Anyone can save the form from their browser to a local file,
> edit the mailto address, and submit the form from that local copy. That
> means they can use your mail server to send email anonymously to anyone
> else, and it will look like it came from you or your company. (There is a
> well known case of an MIT script that was set up this way - another web
> site linked to that CGI program and set up their own anonymous emailing
> service which they offered to the public.)
>
> It would be much better to have the postout script itself determine the
> mailto address based on the Subject selection, or based on another select
> list of "To" destinations like "Sales", "Support", etc.
>
> (Not specifically a MiniVend topic I know, but there's been talk of credit
> card number security recently and it's important to think about all
> aspects of security...)
>
>
> Larry Leszczynski
> larryl@furph.com
> --
> furph, Inc. WWW/Unix/Windows Solutions 734-513-7763 (voice)
> info@furph.com http://www.furph.com 734-513-7759 (FAX)
>
--
Hans-Joachim Leidinger
buch online jojo@buchonline.net
Munscheidstr. 14 FAX: +49 209 1971449
45886 Gelsenkirchen FAX: 0209 1671449
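As an added example (not part of this thread, and not MiniVend's own postout script), the following Python sketch shows the server-side lookup Larry recommends in the quoted message: the browser submits only a destination key chosen from a SELECT, the real address comes from a table that lives on the server, and any client-supplied "emailto" field is ignored. It also folds in the required-field check Joachim describes ([if value name], [if value city]). The field names, the recipient table and the addresses are assumptions constructed for the example; the subject values are the two OPTIONs from the quoted form.

```python
"""Server-side recipient resolution for a feedback form.

Added example, not code from the thread or from MiniVend. Field names,
recipient keys and addresses below are constructed for illustration.
"""

# The only addresses this handler will ever send to. Because the table is
# on the server, editing a saved copy of the HTML form cannot change it.
RECIPIENTS = {
    "sales": "sales@example.com",        # constructed address
    "support": "support@example.com",    # constructed address
}

# Subjects come from a fixed choice list (the OPTION values in the quoted
# form), so a submitted subject outside that list is refused.
ALLOWED_SUBJECTS = ("Hello world!", "Hello Karl!")

# Fields that must be non-empty before a message goes out, mirroring the
# [if value name] / [if value city] checks described in the thread.
REQUIRED_FIELDS = ("name", "city", "MESSAGE")

# A well-formed submission, used below and in the accompanying checks.
GOOD_FORM = {
    "to": "sales",
    "subject": "Hello world!",
    "name": "Karl",
    "city": "Gelsenkirchen",
    "MESSAGE": "Please send me your catalogue.",
}


class FormRejected(ValueError):
    """Raised when a submission must not produce an email."""


def build_mail(form: dict) -> dict:
    """Turn parsed form fields into a mail envelope, or raise FormRejected.

    `form` maps field name -> submitted string, as a CGI handler would have
    after parsing the POST body. The returned dict carries the resolved
    recipient, subject, body and a list of warnings worth logging.
    """
    warnings = []

    # 1. A client-supplied recipient carries no authority. Its presence is
    #    itself a signal: a legitimate form never sends this field.
    if "emailto" in form:
        warnings.append("client-supplied 'emailto' ignored: %r" % form["emailto"])

    # 2. The destination is a key into the server-side table, never an address.
    key = form.get("to", "").strip().lower()
    if key not in RECIPIENTS:
        raise FormRejected("unknown destination %r" % key)

    # 3. The subject must be one of the fixed choices.
    subject = form.get("subject", "")
    if subject not in ALLOWED_SUBJECTS:
        raise FormRejected("unknown subject %r" % subject)

    # 4. Every required field must be present and non-empty.
    missing = [f for f in REQUIRED_FIELDS if not form.get(f, "").strip()]
    if missing:
        raise FormRejected("missing required fields: " + ", ".join(missing))

    body = "Name: %s\nCity: %s\n\n%s\n" % (
        form["name"].strip(), form["city"].strip(), form["MESSAGE"].strip())
    return {
        "to": RECIPIENTS[key],
        "subject": subject,
        "body": body,
        "warnings": warnings,
    }


def accepts(form: dict) -> bool:
    """True if build_mail would send for this form, False if it rejects it."""
    try:
        build_mail(form)
        return True
    except FormRejected:
        return False


if __name__ == "__main__":
    print(build_mail(GOOD_FORM)["to"])
    # A copy of the form edited to add a hidden emailto still goes to sales.
    tampered = dict(GOOD_FORM, emailto="someone-else@example.net")
    print(build_mail(tampered)["to"], build_mail(tampered)["warnings"])
    print(accepts(dict(GOOD_FORM, to="everyone")))
```

The point of the design is that the form never carries an address at all: a tampered submission can at most pick a different entry from the server's own table, and the unexpected "emailto" field gives the operator something to log.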