PerlMonks  

Re: CGI and e-mail

by stevieb (Canon)
on Dec 15, 2015 at 02:44 UTC


in reply to CGI and e-mail

Hi samemeee, welcome to the Monastery...

Please provide the code you're working with (a clipped working piece if possible; if not, the whole script), along with the call you're making to it, and what your web server (I assume Apache) says... post *only* appropriate portions of the error and access logs. You'll probably want to sanitize this data.

Put all of the above within <code></code> tags. This separates what you want to say from what you have, so that we can interpret or copy/paste it if necessary. We always ask that we get provided the problem, the code, a sample of expected input, and a sample of expected output.

Please refer to How do I post a question effectively?.

Re^2: CGI and e-mail
by u65 (Chaplain) on Dec 15, 2015 at 02:59 UTC

    A tip of my hat to you, stevieb, for your consistent display of good manners, kindness, and setting the example for me (and some others) on how all SoPW should be treated.

Re^2: CGI and e-mail
by samemeee (Initiate) on Dec 16, 2015 at 15:58 UTC
    #!/usr/bin/perl -w
    #membershipread.cgi to be used with membership.html and memership.cgi with membership.out
    print "Content-type:text/html\n\n";
    print "<HTML><TITLE>LocalTime</TITLE>\n";
    print "<BODY BGCOLOR=\"white\"><center>";
    print "the time is ....";
    ($sec,$min,$hr,$mday,$mon,$year,$wday) = localtime(time);
    # now let's make them pretty, suitable for display............
    $today = (Sun,Mon,Tues,Wed,Thurs,Fri,Sat)[$wday];
    $thismon = (Jan,Feb,March,April,May,June,July, August,September,October,November,December)[$mon];
    $year = $year + 1900;
    $thismon = $mon + 1;
    $count = 0;
    $d="\$";
    print " at precisely $hr:$min:$sec\n";
    printf("%02d/%02d/%04d\n", $thismon, $mday, $year);
    print "</center></BODY></HTML>\n";
    read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
    @pairs = split(/&/, $buffer);
    %FORM = ();
    foreach $pair (@pairs) {
        $pair =~ s/\+/ /g;
        ($name, $value) = split(/=/, $pair);
        $name =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("c", hex($1))/eg;
        $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("c", hex($1))/eg;
        $value =~ s/\n/ /g; # replace newlines with spaces
        $value =~ s/\r//g;  # remove hard returns
        $value =~ s/\cM//g; # delete ^M's
        $FORM{$name} = $value;
    }
    foreach $key("name","country","state","city","address","age","education","profession","email","media","opinion","comment","comment1") {
        # print "$key = $FORM{$key}<br>\n";
    }
    open(OUTF,">>membership.out") or dienice("Couldn't membership.out for writing: $!");
    # This locks the file so no other CGI can write to it at the
    # same time...
    flock(OUTF,2);
    # Reset the file pointer to the end of the file, in case
    # someone wrote to it while we waited for the lock...
    $count = $count + 1;
    seek(OUTF,0,2);
    print OUTF "$count|";
    print OUTF "$FORM{'name'}|";
    print OUTF "$FORM{'country'}|";
    print OUTF "$FORM{'state'}|";
    print OUTF "$FORM{'city'}|";
    print OUTF "$FORM{'address'}|";
    print OUTF "$FORM{'age'}|";
    print OUTF "$FORM{'education'}|";
    print OUTF "$FORM{'profession'}|";
    print OUTF "$FORM{'email'}|";
    print OUTF "$FORM{'media'}|";
    print OUTF "$FORM{'opinion'}|";
    print OUTF "$FORM{'comment'}|";
    print OUTF "$FORM{'comment1'}|";
    print OUTF "$thismon|";
    print OUTF "$mday|";
    print OUTF "$year\n";
    close(OUTF);
    print "<b>Thank you for your time, and appreciate your interest in our membership.<br>\n";
    print "<b>You will be receiving a letter congratulating you on becoming a member.\n";
    print "<a href=\"http:\//corruptionmonitor.com\"><br>RETURN TO HOME PAGE </a></b>\n";
    $mailprog ='/usr/lib/sendmail';
    $recipient ="support\@corruptionmonitor.com";
    open (MAIL, "| $mailprog $FORM{'email'}") or die "Could not open Mailprogram:";
    print MAIL "TO : $FORM{'email'}\n";
    print MAIL "FROM : $recipient\n";
    print MAIL "Subject : Membership Application\n";
    print MAIL "We have received your application for membership. In order to consider your request, please just reply to this e-mail without putting anything in the message box.\n";
    print MAIL "On day and date: $today: $thismon-$mday-$year \n";
    print MAIL " \n";
    close (MAIL);
    print <<EndHTML;
    </bodY></html>
    EndHTML
    sub dienice {
        my($msg) = @_;
        print "<h2>Error</h2>\n";
        print $msg;
        exit;
    }
      not relevant to the stated problem, but generally relevant:
      • there is no (or I don't see any) check for email addresses like my@address</etc/passwd
      • you don't check whether flock succeeds, the script goes on happily anyway
      • possibly more...
      relevant:
      • perhaps /usr/lib/sendmail isn't accessible to the CGI, e.g. if the web server runs in a chroot
      • perhaps the mail is sent, but the server doesn't permit relaying or wants authentication
      • possibly more...
        Could you suggest how to fix the problem(s)? Thanks

      That code looks quite scary. No traces of use strict, taint mode not enabled, incomplete manual decoding of CGI parameters (instead of using one of the CGI modules), lots of error checks missing (read, flock), invoking sendmail with unverified parameters, using a single string instead of using the "secure pipe open" technique or using a Perl-based mailer (the old but working MIME::Lite, the modern but more complex Email::Sender, ...) instead of sendmail.

      The last problem makes the webserver vulnerable: Just imagine what happens when someone submits a form with the email value set to bla@bla.bla;uname -a;ls /;cat /etc/passwd.

      Alexander

      --
      Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
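The two points raised above, the shell-parsed pipe open and the unchecked flock(), as an added example that is not part of this thread and not samemeee's script. It assumes a constructed form submission carrying the payload shape Alexander describes (with echo standing in for uname/ls/cat so it runs harmlessly anywhere), a placeholder sender address, and the /usr/lib/sendmail path from the posted script. Run as a normal Perl program it prints the result of both open() forms and the record it appended to a temporary file; the sendmail call is left commented because it needs a working MTA.

```perl
#!/usr/bin/perl
# Added example (not from the thread): the sendmail pipe of the posted script
# in its shell-parsed form and in the list form, plus the checks the replies
# asked for. The payload, the sender address and the use of printf/echo in
# place of sendmail/uname are assumptions made for this demo.
use strict;
use warnings;
use Fcntl qw(:flock SEEK_END);
use File::Temp qw(tempfile);

$ENV{PATH} = '/usr/bin:/bin';   # fixed PATH, as taint mode (-T) would also require

# Constructed stand-in for the decoded %FORM hash of the posted script.
my %FORM = (
    name  => 'Example Person',
    email => 'bla@bla.bla;echo INJECTED',
);

# Syntax check for an address about to become a command-line argument: it must
# start with a letter or digit (so it cannot be read as a sendmail option) and
# may contain only letters, digits and a few safe punctuation characters, so no
# space, ';', '|' or newline gets through. Returns the untainted match (the
# idiom taint mode needs before the value may reach exec), or undef to refuse.
sub valid_email {
    my ($addr) = @_;
    return unless defined $addr;
    return $1 if $addr =~ /\A([A-Za-z0-9][A-Za-z0-9._%+-]*\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\z/;
    return;
}

# How the posted script opens sendmail: one string handed to /bin/sh, so the
# ';' inside the address ends one command and starts another. printf replaces
# sendmail here so the demo is harmless.
sub open_single_string {
    my ($addr) = @_;
    open(my $fh, "printf '[%s]\\n' $addr |") or die "open: $!";
    my $out = do { local $/; <$fh> };
    close $fh;
    return $out;
}

# The "secure pipe open": mode and argv as separate list elements, so Perl
# calls exec() directly and the address is one argument, metacharacters included.
sub open_list_form {
    my ($addr) = @_;
    open(my $fh, '-|', 'printf', '[%s]\n', $addr) or die "open: $!";
    my $out = do { local $/; <$fh> };
    close $fh;
    return $out;
}

# The mail step with the address validated first and the list-form open.
# '-oi' stops a line consisting of a single '.' from ending the message early.
sub send_confirmation {
    my ($to, $from) = @_;
    my $clean = valid_email($to) or die "refusing to mail: bad address\n";
    open(my $mail, '|-', '/usr/lib/sendmail', '-oi', $clean)
        or die "cannot run sendmail: $!";
    print {$mail} "To: $clean\n", "From: $from\n",
                  "Subject: Membership Application\n\n",
                  "We have received your application for membership.\n"
        or die "write to sendmail: $!";
    close($mail) or die "sendmail failed: ", ($! ? $! : "exit status " . ($? >> 8)), "\n";
}

# The membership.out append with every step checked (the posted script ignores
# the flock() result and writes anyway). '|', CR and LF in field values are
# replaced so a submission cannot forge extra fields or records.
sub append_record {
    my ($file, @fields) = @_;
    open(my $out, '>>', $file) or die "open $file: $!";
    flock($out, LOCK_EX)       or die "flock $file: $!";
    seek($out, 0, SEEK_END)    or die "seek $file: $!";
    my $line = join('|', map { (my $f = $_) =~ s/[|\r\n]/ /g; $f } @fields) . "\n";
    print {$out} $line         or die "write $file: $!";
    close($out)                or die "close $file: $!";
    return $line;
}

unless (caller) {
    print "single-string open: ", open_single_string($FORM{email});
    print "list-form open:     ", open_list_form($FORM{email});
    print "valid_email: ", (defined valid_email($FORM{email}) ? "accepted" : "rejected"), "\n";
    my (undef, $tmp) = tempfile(UNLINK => 1);   # scratch file instead of membership.out
    print "appended: ", append_record($tmp, $FORM{name}, $FORM{email}, scalar localtime);
    # send_confirmation($FORM{email}, 'support@example.com');   # dies: address rejected
}
```

The single-string form hands `printf '[%s]\n' bla@bla.bla;echo INJECTED` to /bin/sh, which runs two commands, so INJECTED appears on a line of its own; the list form passes the whole address as one argument to printf, so it lands inside the brackets and nothing else runs. With taint mode enabled, the untainted `$1` that valid_email returns is the only form of the address that a list-form open will accept without dying on an insecure dependency.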
