by elric
1190 days ago
Input validation is important. PHP's mail() function has a parameter for "extra headers", which is often used to construct a From header on contact forms. This was exploited very frequently back in the early 2000s. I hope people have gotten more careful since then ... The way it worked was that the "from" email address could contain CRLF and then a bunch of extra headers, even a message body, which would simply get injected.

And nobody has learned the lesson that “all user data is hostile” yet.
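The header-splitting pattern described above, as an added PHP example that is not part of the original comment: a naive builder that interpolates the form's "from" field straight into mail()'s extra-headers string, beside a hardened builder that rejects control characters and validates the address. The function names, the `.invalid` addresses and the hostile input are constructed for this example.

```php
<?php
// Added example (not from the original post): building the $additional_headers
// argument for mail() from a user-supplied From address. No mail is sent; the
// builders only return the header string so the result can be inspected.
declare(strict_types=1);

// Naive builder: the address is interpolated as-is, so any CR/LF inside it
// terminates the From header and everything after it becomes new headers.
function buildHeadersUnsafe(string $from): string
{
    return "From: {$from}\r\n";
}

// Hardened builder: one syntactically valid address with no control
// characters, or null so the caller refuses to send rather than "repairing"
// the value and sending anyway.
function buildHeadersSafe(string $from): ?string
{
    // Reject anything that could act as a line break or header separator
    // before the email validator even looks at it.
    if (preg_match('/[\r\n\x00-\x1F\x7F]/', $from) === 1) {
        return null;
    }
    $valid = filter_var($from, FILTER_VALIDATE_EMAIL);
    if ($valid === false) {
        return null;
    }
    return "From: {$valid}\r\n";
}

// Constructed hostile input: a "from" field carrying a CRLF followed by an
// extra header, the pattern the original comment describes.
$hostile = "alice@example.invalid\r\nCc: someone-else@example.invalid";
$benign  = "alice@example.invalid";

// With zend.assertions=1 (the development default) a failed assert throws.
$unsafe = buildHeadersUnsafe($hostile);
// The naive header block now ends two headers instead of one.
assert(substr_count($unsafe, "\r\n") === 2);

// The hardened builder rejects the hostile value and accepts the benign one.
assert(buildHeadersSafe($hostile) === null);
assert(buildHeadersSafe($benign) === "From: alice@example.invalid\r\n");

echo "checks passed\n";
```

In a real form handler the null return should map to rejecting the request (for example a 400 response) before mail() is ever called.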