It depends on what's settable from a CGI variable. If you get the address where the mail is sent to and the body from the Web, any random user can use your Web server to send any spam they want to, by just calling your CGI script with proper parameters. If the script is hardcoded to send a message to just one user, then a spammer can't use it. If it's hardcoded to send a particular message body, a spammer can't use it for much.
The other thing to watch out for is what you let the script set on purpose, and what you may have accidentally let it set. For example, let's say you take just the From from the Web page, and everything else is hardcoded. If you just call sendmail like this:
    # $mailfrom comes straight from the Web form
    open(SENDMAIL, "|/usr/lib/sendmail -t");
    print SENDMAIL "To: webmaster\nFrom: $mailfrom\n\nThis is the body\n";
    close(SENDMAIL);

then a spammer could set:

    $mailfrom="joe\@spammer.com\nTo: spam-recipient1\@aol.com\n\nThis is the spammer's message body\n.\n";

to cause you to send arbitrary mail to arbitrary users.
In reply to Re: Re: Re: Formmail with Perl by sgifford, in thread Formmail with Perl by Anonymous Monk
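A hardened counterpart to the sendmail call in the post above, as an added example that is not part of the original post. The names safe_from, build_message and send_message are hypothetical, and the address pattern is an assumption that is deliberately stricter than RFC 5322.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Accept the From value only if it has no CR/LF or other control characters
# and looks like one plain address (assumed pattern, stricter than RFC 5322).
sub safe_from {
    my ($value) = @_;
    return unless defined $value;
    return if $value =~ /[\x00-\x1f\x7f]/;    # newline = header injection attempt
    return unless $value =~ /\A[\w.+-]+\@[\w-]+(?:\.[\w-]+)+\z/;
    return $value;
}

# Recipient and body stay hardcoded; only a validated From comes from the Web.
sub build_message {
    my ($from) = @_;
    my $clean = safe_from($from) or return;
    return "To: webmaster\nFrom: $clean\n\nThis is the body\n";
}

# Recipient goes on the command line instead of using -t, so headers in the
# message cannot add recipients. List-form open avoids the shell; -i stops a
# lone "." line from ending the message early.
sub send_message {
    my ($msg) = @_;
    open(my $sendmail, '|-', '/usr/lib/sendmail', '-i', '--', 'webmaster')
        or die "cannot run sendmail: $!";
    print {$sendmail} $msg;
    close($sendmail) or die "sendmail failed: $?";
}

# Constructed inputs: an ordinary address, then the injected value from the post.
my @samples = (
    'joe@example.com',
    "joe\@spammer.com\nTo: spam-recipient1\@aol.com\n\nThis is the spammer's message body\n.\n",
);
for my $from (@samples) {
    my $msg = build_message($from);
    if (defined $msg) {
        print "accepted:\n$msg";
        # send_message($msg);    # enable on a host that has sendmail
    } else {
        print "rejected: From contains control characters or is not a plain address\n";
    }
}
```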