Beefy Boxes and Bandwidth Generously Provided by pair Networks vroom
P is for Practical
 
PerlMonks  

Re: Re: Re: Eliminating useless server information

by sulfericacid (Deacon)
on Oct 14, 2002 at 15:31 UTC ( #205116=note: print w/ replies, xml ) Need Help??


in reply to Re: Re: Eliminating useless server information
in thread Eliminating useless server information

I am using an html form to use the script below to send the actual message. I don't want it to say ANYTHING period in the from line, just a null space.

#!/usr/local/bin/perl ###### SpyderForm v1.0 ###### ## Created by Aaron Anderson ## ## sulfericacid@qwest.net ## ## website: http://secretrealmofme.hypermart.net/webstuff ;## ## Please read the readme file prior to installation. ## ## If you cannot find readme, dl a copy from my site! ## use strict; # Let's have some fun my'ing things, shall me? my %form; my $sendmail; my $webmaster; my $yourname; my $thanks; use CGI; my $query = CGI->new; print $query->header; %form = %{$query->Vars}; ##################### BEGIN EDITING THIS SECTION ##################### +######## $sendmail = "/var/qmail/bin/qmail-inject"; $webmaster = 'sulfericacid@qwest.net'; ( $thanks = <<'END_OF_THANKS' ) =~ s/^\s+//gm ; Thank you for visiting my website! Things are always changing so I hope you pop back again! If you asked any questions, please allow upto 24 hours for a response. END_OF_THANKS $yourname = 'Aaron'; # $signame = 'Aaron Anderson\n'; # $sigurl = 'www.yourdowmain.com\n";; #################### STOP EDITING FOR NOW ############################ +######### ### Make sure things are being completed, die slackers! if ($webmaster eq "") { print "Webmaster, please include your email address!\n"; } if ($form{'usermail'} eq "") { print "Ok, buddy, how do you expect me to email you back if you FORGET + to leave yoru email address?!?\n"; } if ($form{'username'} eq "") { print "Please click back and type in your name so I can spy on you!\n" +; } if ($form{'message'} eq "") { print "Only a severe slacker would try to submit a form without leavin +g a message!\n"; } # Mail to Webmaster open (MAIL, '|-', "$sendmail -t") or die $!; print MAIL "To: $webmaster\n"; print MAIL "From: $form{'usermail'}\n"; print MAIL "Subject: Insert subject here!\n\n"; print MAIL "Name- $form{'username'}\n"; print MAIL "Url- $form{'userweb'}\n"; print MAIL "Message- $form{'message'}\n"; print MAIL "Ip- $ENV{'REMOTE_ADDR'}\n"; close (MAIL); # Mail to User open (MAIL, '|-', "$sendmail -t") or die $!; print MAIL "To: $form{'usermail'}\n"; print MAIL "From: $form{'weburl'}\n"; print MAIL "Subject: Thank you for signing my form!\n\n"; print MAIL "$thanks\n"; print MAIL "You said:\n"; print MAIL "$form{'message'}\n"; close (MAIL); # Let's give them something to look at, might as well, they were nice +enough to fill out the form! ####################### BEGIN EDITING HERE 2 ######################### +############# print <<end_of_results; <html> <head> <title>Results Page</title> </head> <table width="75%" border="0"> <tr> <td colspan="2"> <p>Thank you for filling out the form. If you are awaiting assis +tance and you asked a question, please allow upto 24 hours for my to get + back to you.</p> <p>- $yourname</p> </td> </tr> <tr> <td colspan="2"><font color="#9933CC">Here is a copy of what you s +ent...</font></td> </tr> <tr> <td width="9%"><font color="#666666">name:</font></td> <td width="91%"><font color="#999999">$form{'username'}</font></td +> </tr> <tr> <td width="9%"><font color="#666666">email:</font></td> <td width="91%"><font color="#999999">$form{'usermail'}</font></td +> </tr> <tr> <td width="9%"><font color="#666666">url:</font></td> <td width="91%"><font color="#999999"><a href="$form{'weburl'}">$f +orm{'weburl'}</a></font></td> </tr> <tr> <td width="9%"><font color="#666666">message:</font></td> <td width="91%"><font color="#999999">$form{'message'}</font></td> </tr> <tr> <td width="9%"><font color="#666666">Rec. IP:</font></td> <td width="91%"><font color="#999999">$ENV{'REMOTE_ADDR'}</font></ +td> </tr> <tr> <td width="9%"> </td> <td width="91%"> </td> </tr> </table> end_of_results


Comment on Re: Re: Re: Eliminating useless server information
Download Code
•Re: Re: Re: Re: Eliminating useless server information
by merlyn (Sage) on Oct 14, 2002 at 16:05 UTC
    This script can be abused. I can insert newlines into the usermail field and have the contents emailed to anyone I want.

    If you've ever gotten SPAM that started out as something like "here is the contents of your feedback form", followed by some spam, it's from a script like this.

    Please do not deploy this script. Your server will be blackballed within hours of the first SPAM sent using it. Then good luck getting back on the good side of the blacklisters.

    Additionally, I think this is based on a common script which has this flaw (is it Matt Wright's "mailform", or something like that?), so the following is a lie:

    ## Created by Aaron Anderson ## sulfericacid@qwest.net
    It's not nice to lie within a community of contributors. {sigh}

    -- Randal L. Schwartz, Perl hacker

Dangers of rolling your own mail script
by swiftone (Curate) on Oct 14, 2002 at 16:37 UTC
    Many thanks to those in the chatterbox that pointed out some of these comments, particularly perrin and merlyn. This comment should be considered a combined comment.

    There are many dangers inherent in rolling your own mail script. (Matt Wright managed to expose almost all of them, so you can search perlmonks and/or the web and newsgroups if you want excrutiating detail.)

    merlyn correctly pointed out that your script is ripe for spam abuse. And don't think they won't use it.

    First, there is a project called NMS that creates solid "simple" scripts like this that are audited by the community for security holes. I'd recommend looking there first in the future. In particular, look at their formmail script. The code is well documented, and it can prevent the spam relay concerns, as well as others.

    Second, while you module makes use of the CGI module, you don't use any of the Mail::* modules. I recommend using a module for this sort of thing: It increases portability, and centralizes the functionality so it easy to upgrade security holes if/when they are discovered.

    Third, you don't make use of taint checking. While all CGI scripts should arguably use taint checking, scripts that pass said data to other programs need it all the more.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://205116]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others having an uproarious good time at the Monastery: (5)
As of 2014-04-20 11:54 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    April first is:







    Results (485 votes), past polls