#1
For two days, someone was relaying hundreds (probably thousands) of pieces of junk email through a server I maintain. My provider was no help, pointing out that the antispam/antirelay software they've installed takes care of all that. But, there it was.
Turns out they were using the formmail.pl (Matt Wright's version) script in my cgi-bin. Apparently, unless you've hard coded the recipient in the script itself, anyone, using their browser can perform this simple trick (yes, I did it successfully myself; and I'm not going to put the code here). Perhaps that wasn't the problem, but as soon as I removed that script, the relaying stopped that instant.
__________________
"Whatever can be said can be said clearly." (Ludwig Wittgenstein)
#2
Are you using the referrers array?
#3
I'm assuming you're talking about this section in the script:
Code:
```perl
# @referers allows forms to be located only on servers which are defined #
# in this field. This security fix from the last version which allowed   #
# anyone on any server to use your FormMail script on their web site.    #
@referers = ('worldwidemart.com','206.31.72.203');
```
That has to do with where a particular form can reside, not with who can use the script. I did indeed have that part all filled out. It does not matter, if someone knows you have formmail installed. Unless the recipient also is hard coded, in the formmail.pl script, anyone can send mail to anyone just using their browser's address bar. While I'm not going to post the script to do this here (nor will I distribute it via email), I will tell you that I found it on the web on one of those "all about hacking" sites. I copied it, pasted it in my address bar, changed the sample recipient and message, and successfully sent mail. I'm not kidding about this. This is no joke. My suggestion is hard code the recipient or get formmail off your server.
#4
Well, if you never want to be able to call the script from the command line, I suggest you try this:
Find these lines (on the version I had it was around line 119). Code:
```perl
# Original behaviour: a GET request is accepted and its parameters are
# read from QUERY_STRING, so a form submission can be typed into the address bar.
if ($ENV{'REQUEST_METHOD'} eq 'GET') {
    # Split the name-value pairs
    @pairs = split(/&/, $ENV{'QUERY_STRING'});
}
```
And change it to something like: Code:
```perl
# Refuse GET outright; only POSTed forms are processed.
# 'request_method' is one of the error types FormMail's own &error sub reports.
if ($ENV{'REQUEST_METHOD'} eq 'GET') {
    &error('request_method');
}
```
Simple as that, it should work, and people should no longer be allowed to call formmail from the command line.
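An added example, not the script's own code and not from any poster in this thread: it combines the advice from post #3 (only ever deliver to recipients fixed in the script) with the POST-only rule from post #4, as a self-contained Perl check. The addresses in @allowed_recipients and the decoding helper are constructed for illustration; the query-string parsing mirrors the & and = split FormMail itself uses.

```perl
#!/usr/bin/perl -w
use strict;

# Constructed allow-list: only these mailboxes may ever be a recipient,
# so a submitted recipient= field can select among them but never add to them.
my @allowed_recipients = ('webmaster@example.com', 'sales@example.com');

# Parse a raw query/body string into a hash (same & and = split FormMail uses),
# URL-decoding each value.
sub parse_pairs {
    my ($raw) = @_;
    my %form;
    foreach my $pair (split /&/, $raw) {
        my ($name, $value) = split /=/, $pair, 2;
        next unless defined $name;
        $value = '' unless defined $value;
        $value =~ tr/+/ /;
        $value =~ s/%([A-Fa-f0-9]{2})/pack('C', hex($1))/eg;
        $form{$name} = $value;
    }
    return \%form;
}

# Returns the recipient to deliver to, or undef if the request must be refused.
sub choose_recipient {
    my ($method, $form) = @_;
    # Refuse anything that is not a POSTed form (address-bar GETs included).
    return undef unless defined $method && $method eq 'POST';
    my $requested = $form->{'recipient'};
    return undef unless defined $requested;
    foreach my $ok (@allowed_recipients) {
        # Exact, case-insensitive match only: no substring or domain matching.
        return $ok if lc($requested) eq lc($ok);
    }
    return undef;
}

# How the check plugs into the script's flow.
my $raw = $ENV{'REQUEST_METHOD'} && $ENV{'REQUEST_METHOD'} eq 'POST'
        ? do { local $/; <STDIN> } : $ENV{'QUERY_STRING'};
my $form = parse_pairs(defined $raw ? $raw : '');
my $to = choose_recipient($ENV{'REQUEST_METHOD'}, $form);
if (!defined $to) {
    print "Content-type: text/plain\n\nRequest refused.\n";
    exit;
}
# From here on, $to is guaranteed to be one of the hard-coded addresses.
```

Because delivery is limited to the listed addresses, a forged recipient field can only cause a refusal, which is the property the @referers check alone does not give you.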