|
Hans Castorp has asked for the wisdom of the Perl Monks concerning the following question:
Hello Most Holy Ones
Update:
I opened up a can of worms with this one, but they'd been in there so long it was time to let them out. Since I asked this question, I have implemented all new forms on our website, and *none* of them use any version of FormMail.pl. Thank you to everyone for your input!
(end of update)
I have been trying to figure out how to put a honeypot in a cgi script that validates a complex form. The cgi script is based on that old, security-flawed chestnut Formmail.pl.
What I've done is inserted a bogus field in the form, hidden by css, and I want to filter for that field in the cgi--see if it's empty, and if it's not print a message and exit the program. This is what I came up with, and it's breaking a script that otherwise works:
elsif (($name{'bogusfield'}) && ($name{'bogusfield'}) ne ' ') {
print <h3>"Thank you. Your request has been submitted."</h3>;
exit ();
}
I'm not sure whether it is the code I've written that is wrong, or where I'm putting it. I am inserting it in the sub to parse the form, which seems logical to me, but maybe I need a separate subroutine for this?
Here is the code to parse the form, with the honeypot code in it:
sub parse_form {
if ($ENV{'REQUEST_METHOD'} eq 'GET') {
# Split the name-value pairs
@pairs = split(/&/, $ENV{'QUERY_STRING'});
}
elsif ($ENV{'REQUEST_METHOD'} eq 'POST') {
# Get the input
read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
# Split the name-value pairs
@pairs = split(/&/, $buffer);
}
else {
&error('request_method');
}
foreach $pair (@pairs) {
($name, $value) = split(/=/, $pair);
$name =~ tr/+/ /;
$name =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
$value =~ tr/+/ /;
$value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
# If they try to include server side includes, erase them, so th
+ey
# aren't a security risk if the html gets returned. Another
# security hole plugged up.
$value =~ s/<!--(.|\n)*-->//g;
# Create two associative arrays here. One is a configuration ar
+ray
# which includes all fields that this form recognizes. The othe
+r
# is for fields which the form does not recognize and will repor
+t
# back to the user in the html return page and the e-mail messag
+e.
# Also determine required fields.
if ($name eq 'recipient' ||
$name eq 'subject' ||
$name eq 'email' ||
$name eq 'realname' ||
$name eq 'redirect' ||
$name eq 'bgcolor' ||
$name eq 'background' ||
$name eq 'link_color' ||
$name eq 'vlink_color' ||
$name eq 'text_color' ||
$name eq 'alink_color' ||
$name eq 'title' ||
$name eq 'sort' ||
$name eq 'print_config' ||
$name eq 'return_link_title' ||
$name eq 'return_link_url' && ($value)) {
$CONFIG{$name} = $value;
}
elsif (($name{'bogusfield}) && ($name{'bogusfield'}) ne ' ') {
print <h3>"Thank you. Your request has been submitted."</h3>;
exit ();
}
elsif ($name eq 'required') {
@required = split(/,/,$value);
}
elsif ($name eq 'env_report') {
@env_report = split(/,/,$value);
}
else {
if ($FORM{$name} && ($value)) {
$FORM{$name} = "$FORM{$name}, $value";
}
elsif ($value) {
$FORM{$name} = $value;
}
}
}
}
Does anyone know what is wrong? :-)
Many thanks!
|
Re: CGI Honeypot?
by Corion (Patriarch) on Jul 18, 2014 at 18:42 UTC
|
What does the error log on the server say?
While I see what might be the problem, I'm highly unwilling to let you continue to use formmail.pl as it is.
Please at least use the nms version for the formmail script.
Update: Also note that almost all spam bots will fill the field either with the default value you give it or a random value, so your honeypot would be mostly useless.
| [reply] |
|
|
Thanks Corion, for your concern and thoughts. I am working with old forms/scripts that were here for years before I came on the scene...and I am still very much a newbie figuring out how programming works. As I've struggled trying to find solutions for this, I've come across the dire warnings about Formmail.pl, and vow to rewrite these cgi scripts using a safer template - however, for now I just need to get this working.
re: your update comment - if I am looking for an empty field in order to allow the form to validate, and the bot fills the field in, how is that going to be useless? I'm not following you.
*Thanks for the nms link. :-)
| [reply] |
|
|
If you leave the field empty and expect it to be empty, most bots will do just that.
But there are also bots that will fill arbitrary values into fields.
In both cases, your form will be used to send spam.
| [reply] |
|
|
|
|
|
|
Sorry, Corion, I tried but can't get access to the error logs right now. I don't have those creds yet, and my fearless leader is not here.
| [reply] |
Re: CGI Honeypot?
by mr_mischief (Monsignor) on Jul 18, 2014 at 19:48 UTC
|
Using the formmail processor for Matt's Script Archive after having been warned about it being a spam-spewing nightmare is irresponsible. It's damn near sociopathic behavior.
The nms versions are basically drop-in replacements. If you are willing to change the logic (like your honeypot idea), drop in a replacement for the broken parts from the start.
| [reply] |
|
|
I *knew* I shouldn't check this on my day off, but I couldn't resist. My understanding of the danger of formmail.pl was that it posed an increased risk of spam to the people who used it--in other words, *we* might be more vulnerable to spam. And since we don't get all that much to begin with, I figured it was OK to let it hang for awhile until I had time to change over.
You know, I'm a freaking English major who is trying to figure this stuff out, and I hesitate with every ounce in me to ask questions because it effing hurts. You know? To be called a sociopath. Christ.
What is it with these forums? Why do people have to treat you like you're either trying to get them to give you the world, or you should understand already what you are trying to figure out?
I apologize for being ignorant, but that's just what I am. And no, I do not have all day every day to learn and think about Perl. I do my best. I'll try the "drop-in" replacement, but honestly, that doesn't seem to be the way this stuff works.
Maybe I'm wasting my time with Perl. Seems like the whole thing could be accomplished with php.
| [reply] |
|
|
The danger is a bit different. It's not about spam being directed at you, but rather span originating from your machines. The script could be used by a spammer to instruct your mail server to send spam. You might not care so much about the processor time of your servers or the network usage, but you might easily find yourself unable to send email, because your server would get blocked as a source of spam. You might find your whole network blocked, though I believe your internet provider would contact you beforehand.
Your post seems to be a textbook example of the XY Problem. Instead of telling us what the problem is and getting an easy to follow advice you've spent hours (I assume) trying to implement a non-solution. You are making things harder for yourself.
Jenda
Enoch was right!
Enjoy the last years of Rome.
| [reply] |
|
|
|
|
For perspective. Imagine someone walking into a gun club with a loaded homemade gun, finger on the trigger, pointing here and there asking about how to shoot better. FormMail.pl is an infamous zipgun and one of the main pillars upon which Perl-FUD was erected. It inspires nearly rabid responses. There’s no way you could know that. Hacker culture is grating and without caveats you’ll be treated as a hacker. Most of us earned our chops though thousands of hours of the pain you’ve just enjoyed. When someone asks us to donate that pain, sometimes it’s taken as an affront. :P Nobody wanted to be rude in fact though. Not you, not monks. Don’t take it personally.
Maybe I'm wasting my time with Perl. Seems like the whole thing could be accomplished with php.
It sure could. Or C or Java or Ruby or Python or JavaScript or Scala or… Jenda is right I think. We definitely will help you but maybe you should back-up to your original intent and describe what you’re trying to do.
Signed,
An English Major that got tired of being poor and unemployed :P
| [reply] |
|
|
|
|
You have been told at least twice now where to get a drop-in replacement for the horrible, buggy, insecure, widely abused, irresponsibly built code you are using. You have been told a number of times that the code is in fact horrible, buggy, insecure, widely abused, and irresponsibly built.
Now, if there's a piece of horrible, buggy, insecure, widely abused, irresponsibly built code is deployed purposefully by someone who knows of a safer alternative which takes almost no work to deploy what would you call that?
Are you on General Motors' side that it was okay to keep selling cars with buggy, dangerous ignition switches? Of course not. Are you okay with the infant toys that made it to market covered in lead paint? Of course not. When things are dangerously unfit for purpose, you're on the same page as any other reasonable person, I'm sure.
I never called you a sociopath. I said that to keep deploying Matt Wright's FormMail knowing what you now know would be irresponsible and bordering on sociopathic behavior. The difference between a sociopath and someone who isn't is that the sociopath willingly engages in sociopathic behavior on a regular basis. Far different from calling you someone who does, I'm hoping you don't. I'm hoping you won't put this piece of crud on servers, waiting for it to spam anyone and everyone.
If you want to see what Matt Wright says about Matt's Script Archive vs. the NMS project, take a look at his own page about it. Note where he says:
I would highly recommend downloading the nms versions if you wish to learn CGI programming. The code you find at Matt's Script Archive is not representative of how even I would code these days. My interests and activies have moved on, however, and I just have not found the time to update all of my scripts. One of the major reasons for this is that they work for many people. For this reason, I will continue to provide them to the public, but am also pleased to make you aware of well-coded alternatives.
The author of the code you're using suggests something else as better designed, better implemented, and better maintained. We linked to nms and suggested nms formmail a number of times now. Stop being defensive and start defending other people using the Internet. The nms team very likely has fixed more classes of exploit by starting from scratch than you'll ever be able to work into the MSA version.
| [reply] |
|
|
|
|
What is it with these forums?
The problem is that your post looks like a troll. Seriously, formmail.pl in 2014? I remember trying to get people to break that habit back in the 90's. Oh, and yeah, you want to fix it with one of those fake bot trap "honeypots" from the 90's too. I feel sorry for you if you're for real but this quacks like a troll.
| [reply] |
|
|
|
|
