One of our ancient remailer scripts has finally been compromised. Someone discovered that it uses an ancient method to pass information to sendmail: a pipe directly to sendmail - the worst way to send email from a script.

I'm rewriting the thing with an extra eye for security and configurability (so that I can reuse it across our sites, if/when needed), and I want to make sure I've covered all the bases since the PHB keeps throwing "what if ...." scenarios at me.

I've already come up with the following to secure this thing:

  • using the -T switch (which isn't in the original)
  • using MIME::Lite to create the message rather than just printing to sendmail
  • using Mail::Address or something similar to validate the "To:" field in the messages. I'll probably also make sure that only *one* value is in the "To:" field
  • (not security related) using Config::General to allow for config file creation with an eye for deploying the remailer across sites.
I know that checking for $ENV{HTTP_REFERER} isn't a great option, because that can be spoofed. (The person(s) exploiting this hole in the existing remailer have already spoofed IPs to allow for more hits to the script.)

Does adding some form of key/ session_id buy any security? I think not, because it would be just another thing that needs to be passed in the form, and enough brute-force attacks would crack that too ...

Any other suggestions for making this thing as locked down as possible?


In reply to securing a remailer by geektron
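The "To:" validation the post proposes, written out as an added example (not the original script or the poster's code): one recipient only, no header-injection characters, a strict untainting pattern that satisfies -T, and an allow-list of destination domains so the remailer can't be used as an open relay. It assumes Mail::Address from the MailTools CPAN distribution; the domain list is a constructed placeholder for a site's config.

```perl
#!/usr/bin/perl -T
# Added example: recipient validation for a form-to-mail (remailer) script.
# Assumes Mail::Address (CPAN, MailTools) is installed. %ALLOWED_DOMAIN is a
# constructed placeholder for the per-site config file.
use strict;
use warnings;
use Mail::Address;

# Constructed allow-list: a remailer should never relay to arbitrary hosts.
my %ALLOWED_DOMAIN = map { $_ => 1 } qw(example.com example.org);

# Returns the single, untainted, allow-listed address found in $raw, or
# undef with a reason stored through $why_ref if the field must be rejected.
sub validate_recipient {
    my ($raw, $why_ref) = @_;
    $$why_ref = '';

    # Header injection: a CR/LF in the field lets a caller append extra
    # header lines, so reject the whole submission rather than trying to clean it.
    if (!defined $raw || $raw =~ /[\r\n\0]/) {
        $$why_ref = 'control characters in To:'; return;
    }
    if (length $raw > 254) { $$why_ref = 'To: field too long'; return; }

    my @addrs = Mail::Address->parse($raw);
    if (@addrs != 1) {                       # exactly one recipient, no lists
        $$why_ref = 'expected exactly one address, got ' . scalar @addrs; return;
    }
    my $addr = $addrs[0]->address;           # bare user@host, display name dropped

    # Untaint by matching a strict pattern; under -T only a regex capture
    # clears the taint on data that came from the form.
    if ($addr !~ /\A([A-Za-z0-9._%+-]{1,64})\@([A-Za-z0-9.-]+\.[A-Za-z]{2,})\z/) {
        $$why_ref = 'address contains unexpected characters'; return;
    }
    my ($user, $host) = ($1, lc $2);
    unless ($ALLOWED_DOMAIN{$host}) {
        $$why_ref = "domain $host is not in the allow-list"; return;
    }
    return "$user\@$host";
}

# Constructed inputs: the first is accepted, the others are rejected.
for my $input ('Alice <alice@example.com>',
               'alice@example.com, bob@example.com',
               "alice\@example.com\nX-Extra: header",
               'alice@other.example.net') {
    my $why;
    my $ok = validate_recipient($input, \$why);
    printf "%-45s => %s\n", $input =~ s/\n/\\n/gr, $ok // "REJECT ($why)";
}
```

Run it directly or as `perl -T script.pl`; passing the script to `perl` without -T dies with "Too late for -T" because the shebang asks for taint mode. The untainted return value is what should reach MIME::Lite, never the raw form field.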
