Wil — Wed, 19 Feb 2003 09:50:11 +0000

Rayna,

Matt's Script Archive has been totally secured now and relaunched under a new name. Thanks for the London Perl Mongers groups, they've developed a totally secure versions of all his scripts that can be a "drop-in" replacement. You don't have to edit anything on your site.

Check out:

http://nms-cgi.sourceforge.net/

For more information.

Rayna — Wed, 19 Feb 2003 06:33:59 +0000

Thanks Mark! I really appreciate all the help!

Mark Hensler — Wed, 19 Feb 2003 06:22:21 +0000

Simply hard code the recipient email. When your contactus.html form submits to contactus.php, have the "To" email hardcoded in the PHP code, and remove the hidden field from your form.

<?php
mail(\"you@your.com\", $subject_from_form, $message_from_form, \"From: $from_name <$from_email>\");
?>

Rayna — Wed, 19 Feb 2003 04:17:45 +0000

Thank you for the explanation Mark.

So since the form handler I am currently using will never be secure can anyone recommend a form handler I can switch to that will not be vulnerable to spam?

Thanks again Mark!!

Mark Hensler — Wed, 19 Feb 2003 01:57:40 +0000

If someone sees in the HTML source code, or in the GET querystring, a 'To' or 'Recipient' email address. They can send fake requests to the server with different headers.

For example. If you have a script (on contactus.html) that has a hidden field called "to_email" and a default value of "info@your.com". Your form sends it's data via POST to (action) "contactus.php". Additional fields called "from_email", "from_name", "message". Then I could spam your form like so:

First, create some fake HTTP Request headers:

POST /contactus.php HTML/1.1
Connection: Keep-Alive
User-Agent: You've been had.
Accept-Language: en-US
Referrer: <a href="http://your.coom/contactus.html" class="bb-url">http://your.coom/contactus.html</a>

to_email=spam@spam.com&from_email=you@your.com&from_name=Sucker&message=This is my spam email. Muhahaha!

'Then I simply open a TCP/IP connection to your host, send my HTTP Request header, read the HTTP Response, and close the connection. Your server won't be able to tell that the data wasn't submitted form your own form on your own site, and will go right ahead and send spam@spam.com an email.

Now imagine I dropped this functionality into a program with an email database. I simply loop through thousands of emails, sending off spam email using your complementary mail services to do my dirty work.

And, the recipients can only trace it back to you. In order to catch me, you have to examine your access_log files (from apache) to get an IP. Then you have to find who owns the IP, and who had the IP at the time of the incident (easy for static IP, harder for dynamic IP).

Rayna — Tue, 18 Feb 2003 22:37:43 +0000

mairving - I am using a linux box with Ensim

Busy - Forgive me this is not my area at all so please be patient. Can you explain to me how seeing what happens via URL makes the script more vulnerable?

I don't allow form handlers on my server either really....there are a few but they are in php and not an issue. This one was MINE that everyone on my server was using. I figured at least I would have control over it if there were issues.

Busy — Tue, 18 Feb 2003 22:14:02 +0000

If your using a script that allows people to see whats happening via the URL you'll always have trouble, Just looking at your source code I can see how easy it would be to spam.
Use a server side script like PHP, ASP etc that you can validate the contents (don't use javascript) and even set limits on posting messages without any of it being seen.
formmail isn't very secure and the older versions get hacked all the time because anyone can go to your server and do a request in the URL and get your details or set stuff. My host has had so many people being attacked via formmail, formmail is no longer allowed, unless its the latest version with addons.

things you don't want in your forms are recipient, redirect, required or any other hidden value.

so thats two ways of breaking your code, via a request and via your hidden tags

mairving — Tue, 18 Feb 2003 22:13:11 +0000

It could be someone using your mailserver as a relay. What kind of system is it (2000, 'nix)?