PerlMonks  

CGI and e-mail

by samemeee (Initiate)
on Dec 15, 2015 at 00:55 UTC [id://1150314]

samemeee has asked for the wisdom of the Perl Monks concerning the following question:

This node falls below the community's threshold of quality. You may see it by logging in.

Re: CGI and e-mail
by stevieb (Canon) on Dec 15, 2015 at 02:44 UTC

    Hi samemeee, welcome to the Monastery...

    Please provide the code you're working with (a clipped working piece if possible; if not, the whole script), along with the call you're making to it, and what your web server (I assume Apache) says... post *only* appropriate portions of the error and access logs. You'll probably want to sanitize this data.

    Put all of the above within <code></code> tags. This separates what you want to say from what you have, which we can interpret and copy/paste if necessary. We always ask that we get provided the problem, the code, a sample of expected input, and a sample of expected output.

    Please refer to How do I post a question effectively?.

      A tip of my hat to you, stevieb, for your consistent display of good manners, kindness, and setting the example for me (and some others) on how all SoPW should be treated.

      #!/usr/bin/perl -w
      #membershipread.cgi to be used with membership.html and memership.cgi with membership.out
      print "Content-type:text/html\n\n";
      print "<HTML><TITLE>LocalTime</TITLE>\n";
      print "<BODY BGCOLOR=\"white\"><center>";
      print "the time is ....";
      ($sec,$min,$hr,$mday,$mon,$year,$wday) = localtime(time);
      # now let's make them pretty, suitable for display............
      $today = (Sun,Mon,Tues,Wed,Thurs,Fri,Sat)[$wday];
      $thismon = (Jan,Feb,March,April,May,June,July, August,September,October,November,December)[$mon];
      $year = $year + 1900;
      $thismon = $mon + 1;
      $count = 0;
      $d="\$";
      print " at precisely $hr:$min:$sec\n";
      printf("%02d/%02d/%04d\n", $thismon, $mday, $year);
      print "</center></BODY></HTML>\n";
      read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
      @pairs = split(/&/, $buffer);
      %FORM = ();
      foreach $pair (@pairs) {
          $pair =~ s/\+/ /g;
          ($name, $value) = split(/=/, $pair);
          $name =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("c", hex($1))/eg;
          $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("c", hex($1))/eg;
          $value =~ s/\n/ /g;  # replace newlines with spaces
          $value =~ s/\r//g;   # remove hard returns
          $value =~ s/\cM//g;  # delete ^M's
          $FORM{$name} = $value;
      }
      foreach $key ("name","country","state","city","address","age","education","profession","email","media","opinion","comment","comment1") {
          # print "$key = $FORM{$key}<br>\n";
      }
      open(OUTF,">>membership.out") or dienice("Couldn't membership.out for writing: $!");
      # This locks the file so no other CGI can write to it at the
      # same time...
      flock(OUTF,2);
      # Reset the file pointer to the end of the file, in case
      # someone wrote to it while we waited for the lock...
      $count = $count + 1;
      seek(OUTF,0,2);
      print OUTF "$count|";
      print OUTF "$FORM{'name'}|";
      print OUTF "$FORM{'country'}|";
      print OUTF "$FORM{'state'}|";
      print OUTF "$FORM{'city'}|";
      print OUTF "$FORM{'address'}|";
      print OUTF "$FORM{'age'}|";
      print OUTF "$FORM{'education'}|";
      print OUTF "$FORM{'profession'}|";
      print OUTF "$FORM{'email'}|";
      print OUTF "$FORM{'media'}|";
      print OUTF "$FORM{'opinion'}|";
      print OUTF "$FORM{'comment'}|";
      print OUTF "$FORM{'comment1'}|";
      print OUTF "$thismon|";
      print OUTF "$mday|";
      print OUTF "$year\n";
      close(OUTF);
      print "<b>Thank you for your time, and appreciate your interest in our membership.<br>\n";
      print "<b>You will be receiving a letter congratulating you on becoming a member.\n";
      print "<a href=\"http:\//corruptionmonitor.com\"><br>RETURN TO HOME PAGE </a></b>\n";
      $mailprog ='/usr/lib/sendmail';
      $recipient ="support\@corruptionmonitor.com";
      open (MAIL, "| $mailprog $FORM{'email'}") or die "Could not open Mailprogram:";
      print MAIL "TO : $FORM{'email'}\n";
      print MAIL "FROM : $recipient\n";
      print MAIL "Subject : Membership Application\n";
      print MAIL "We have received your application for membership. In order to consider your request, please just reply to this e-mail without putting anything in the message box.\n";
      print MAIL "On day and date: $today: $thismon-$mday-$year \n";
      print MAIL " \n";
      close (MAIL);
      print <<EndHTML;
      </bodY></html>
      EndHTML
      sub dienice {
          my($msg) = @_;
          print "<h2>Error</h2>\n";
          print $msg;
          exit;
      }

        That code looks quite scary. No traces of use strict, taint mode not enabled, incomplete manual decoding of CGI parameters (instead of using one of the CGI modules), lots of error checks missing (read, flock), invoking sendmail with unverified parameters, using a single string instead of the "secure pipe open" technique, or using a perl-based mailer (the old but working MIME::Lite, the modern but more complex Email::Sender, ...) instead of sendmail.

        The last problem makes the webserver vulnerable: Just imagine what happens when someone submits a form with the email value set to bla@bla.bla;uname -a;ls /;cat /etc/passwd.

        Alexander

        --
        Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
        not relevant to the stated problem, but generally relevant:
        • there is no (or I don't see any) check for email addresses like my@address</etc/passwd
        • you don't check whether flock succeeds, the script goes on happily anyway
        • possibly more...
        relevant:
        • perhaps /usr/lib/sendmail isn't accessible to the CGI, e.g. if the web server runs in a chroot
        • perhaps the mail is sent, but the server doesn't permit relaying or wants authentication
        • possibly more...
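The two replies above make the same point from different angles: the single-string `open(MAIL, "| $mailprog $FORM{'email'}")` hands the form value to `/bin/sh`, and nothing checks what the value looks like before that happens. The following script is an added example (not code from the thread or from the poster's site) that runs the hostile address from the reply through three shapes of the pipe open: the posted single-string form, the list form of `open` (the modern spelling of perlipc's "safe pipe open"), and the list form behind a whitelist. So that it runs offline it uses itself, invoked with a made-up `--as-mailer` flag, as a stand-in for `/usr/lib/sendmail`; the `-oi` flag and the `example.invalid` addresses are assumptions, and the payload is a harmless `echo` rather than `uname`/`ls`/`cat`.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# When run with --as-mailer this script plays the part of /usr/lib/sendmail,
# so the demonstration works offline (an assumption of this example): it
# prints each argument it received and then the message handed to it on
# stdin. In a real deployment @MAILER would be ('/usr/lib/sendmail').
if (@ARGV and $ARGV[0] eq '--as-mailer') {
    shift @ARGV;
    print "  mailer argv: [$_]\n" for @ARGV;
    print "  mailer stdin: $_" while <STDIN>;
    exit 0;
}
my @MAILER = ($^X, $0, '--as-mailer');

# Constructed hostile form value, modelled on the one quoted in the reply,
# with a harmless echo in place of uname/ls/cat.
my $hostile = 'bla@bla.bla;echo INJECTED';

# 1. The shape used in the posted script: the command is one string, so
#    perl runs it through /bin/sh -c, and the ';' in the address ends the
#    mailer command and starts a second one of the attacker's choosing.
sub send_unsafe {
    my ($addr) = @_;
    open(my $mail, "| @MAILER $addr") or die "open: $!";
    print $mail "To: $addr\n\n(message)\n";
    close($mail);
}

# 2. The list form of open: no shell is involved, perl forks and execs the
#    mailer directly, and the address stays a single argv element whatever
#    metacharacters it contains. This is what perlipc's "safe pipe open"
#    did by hand with fork and exec before the list form existed.
#    A failed exec only shows up at close time, so the exit status is
#    checked there instead of trusting open's return value.
sub send_list {
    my ($addr) = @_;
    open(my $mail, '|-', @MAILER, '-oi', $addr)
        or die "could not fork for mailer: $!";
    print $mail "To: $addr\nFrom: support\@example.invalid\n",
                "Subject: Membership Application\n\n",
                "We have received your application for membership.\n";
    close($mail)
        or return "mailer failed: " . ($! ? $! : "exit status " . ($? >> 8));
    return "sent";
}

# 3. On top of that, only accept what looks like one address: the whitelist
#    rejects shell metacharacters, a leading '-' that the mailer could read
#    as an option, and the CR/LF that would let a value inject extra headers.
sub valid_address {
    my ($addr) = @_;
    return $addr =~ /\A[A-Za-z0-9][A-Za-z0-9._%+-]*\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\z/
        ? $addr : undef;
}

sub send_safe {
    my ($addr) = @_;
    defined(my $to = valid_address($addr)) or return "rejected address";
    return send_list($to);
}

$| = 1;
print "== single-string open with hostile address (shell runs the payload) ==\n";
send_unsafe($hostile);
print "== list-form open with the same address (one argv element, no shell) ==\n";
print "  result: ", send_list($hostile), "\n";
print "== whitelist plus list form ==\n";
print "  result: ", send_safe($hostile), "\n";
print "  result: ", send_safe('member\@example.invalid'), "\n";
```

Run it as `perl demo.pl` (file name assumed): the first section prints an `INJECTED` line that came from the shell, not from the mailer; the second shows the whole hostile string arriving as one argument, so the mailer would simply fail to deliver to a nonsense address; the third rejects it outright and only the well-formed address is handed on. With `-T` on the shebang line, as the replies recommend, the single-string form on a value read from the request dies with "Insecure dependency in piped open" before the shell is ever reached (the literal in this script is not tainted, which is why the demonstration runs without it). A module such as Email::Sender, also named above, sidesteps the argv question entirely, but the header whitelist is still needed with it.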
Re: CGI and e-mail
by u65 (Chaplain) on Dec 15, 2015 at 01:05 UTC

    And your specific question is?

Re: CGI and e-mail
by Anonymous Monk on Dec 15, 2015 at 01:03 UTC
    What do the logs say?

Node Type: perlquestion [id://1150314]
Approved by Corion