in reply to Re: Formmail with Perl
in thread Formmail with Perl

When I did a formmail type script I just composed the email into a scalar and did a system of sendmail... Since this thread is on that topic... is this bad form? Or is it something that could be used to accommodate this task? I'm failing to understand some things, I'm sure.

edit: My script only went to a certain set of people. It was for computer lab assistants to start a paper trail of a lab machine's downtime. At the time I didn't think that it was important to build any more security into that script. If I had it to do over I would try and find a better way to do it.

Is there a way to check the source of the CGI request? Making sure the request was only called from your page would do the trick, if that's possible.

Re: Re: Re: Formmail with Perl
by sgifford (Prior) on Sep 24, 2003 at 17:45 UTC

    It depends on what's settable from a CGI variable. If you get the address where the mail is sent to and the body from the Web, any random user can use your Web server to send any spam they want to, by just calling your CGI script with proper parameters. If the script is hardcoded to send a message to just one user, then a spammer can't use it. If it's hardcoded to send a particular message body, a spammer can't use it for much.

    The other thing to watch out for is what you let the script set on purpose, and what you may have accidentally let it set. For example, let's say you take just the From from the Web page, and everything else is hardcoded. If you just call sendmail like this:

    open(SENDMAIL, "|/usr/lib/sendmail -t");
    print SENDMAIL "To: webmaster\nFrom: $mailfrom\n\nThis is the body\n";
    close(SENDMAIL);

    then a spammer could set:

    $mailfrom = "joe\@spammer.com\nTo: spam-recipient1\@aol.com\n\nThis is the spammer's message body\n.\n";

    to cause you to send arbitrary mail to arbitrary users.
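The header injection sgifford describes, shown end to end as an added example (this is not sgifford's code or the original poster's script). It builds the same message twice: once with the From value dropped straight into the header block, and once after a check that refuses line breaks and anything that is not a single plain address. The sendmail path is the one from the reply; the address pattern, the helper names, and the crafted input are assumptions made for the demonstration. The script only prints the messages it would send; the sending routine is there to show the safer invocation but is not called.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hardcoded parts, as in the reply above: fixed recipient, fixed body.
my $TO   = 'webmaster';
my $BODY = "This is the body\n";

# Vulnerable construction: the Web-supplied From value lands unchecked in
# the header block, so embedded "\n" lets the caller add headers of their own.
sub build_message_unsafe {
    my ($mailfrom) = @_;
    return "To: $TO\nFrom: $mailfrom\n\n$BODY";
}

# Hardened: accept only a single plain address.  The pattern is deliberately
# strict rather than RFC-complete (assumption for this example); the point is
# that no CR, LF or whitespace can reach the header.
sub clean_from {
    my ($mailfrom) = @_;
    die "From: contains a line break\n" if $mailfrom =~ /[\r\n]/;
    die "From: is not a plain address\n"
        unless $mailfrom =~ /\A[A-Za-z0-9._%+-]+\@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/;
    return $mailfrom;
}

sub build_message_safe {
    my ($mailfrom) = @_;
    my $from = clean_from($mailfrom);
    return "To: $TO\nFrom: $from\n\n$BODY";
}

# Hand a finished message to sendmail.  Recipients are given on the command
# line instead of via -t, so a To: line injected into the message cannot add
# recipients; -oi keeps a line containing only "." from ending the message.
# List-form open avoids the shell entirely.
sub send_via_sendmail {
    my ($message) = @_;
    open my $mail, '|-', '/usr/lib/sendmail', '-oi', $TO
        or die "cannot run sendmail: $!";
    print {$mail} $message;
    close $mail or die "sendmail exited with status $?";
}

# Constructed attacker input, the same shape as the one in the reply.
my $crafted = "joe\@spammer.com\nTo: spam-recipient1\@aol.com\n\n"
            . "This is the spammer's message body\n.\n";

print "--- unsafe message as it would reach sendmail -t ---\n";
print build_message_unsafe($crafted), "\n";
# Two To: lines and a second body: with "sendmail -t" the injected
# recipient is honoured and the spammer's text is what gets delivered.

print "--- hardened, same input ---\n";
my $safe = eval { build_message_safe($crafted) };
print $safe ? "accepted\n" : "rejected: $@";

print "--- hardened, ordinary address ---\n";
print build_message_safe('joe@example.com');
```

In a real CGI the value would come from the form field (for example `$q->param('from')` with CGI.pm) and the result of `build_message_safe` would go to `send_via_sendmail`. Rejecting the request is the right outcome when the check fails; stripping the newlines and sending anyway still lets a caller choose what the From header says.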