>>At 19:32 -0700 07/22/1999, Bruce Van Allen wrote:
>>>1. Too many of us too many times find errors, security problems, or
>>>poor handling of special cases in MW's scripts. I would guess many
>>>have also learned some Perl the hard way by trying to fix these
>>>scripts... ;-)
>>
>>You mean like FormMail.cgi?
>>
>>Richard Gordon
>>--------------------
>
> As a newbie to CGI programming and currently using Formmail, this caught
> my attention. I am interested in learning more about the things in
> Formmail that need to be fixed, particularly if there are any security
> issues.
>
> Thanks,
> Brian

PMFJI: FormMail, in and of itself, is harmless - it will allow your users
to send mail as if they were someone else, but anyone who can program
simple scripts in Perl can already do that. The biggest issue I found in
FormMail is that you can get the script to mail out server files, if it
is not set up properly. For that reason I quit using it some time ago.

I had expressed an interest in clp.misc to possibly start a group to
rewrite some of the more popular scripts into a correct form, proper -w,
strict, Taint safe versions, but no one seemed interested...

Here is some starter code, if anyone is interested in replacing FormMail
with one that addresses their own needs better. It's an AutoResponder by
Jochen Wiedmann, which I have changed somewhat, but it will give you some
ideas about how to provide the FormMail functions yourself:

#!/usr/local/bin/perl -w

=pod

=head1 NAME

autoresponder - A script for receiving a mail and immediately replying.

=head1 SYNOPSIS

autoresponder [options] [filename]

=head1 DESCRIPTION

While installing a new mail server or client you typically are sending
and receiving test mails over and over again. Even worse, you sometimes
have to make a phone call and ask someone to send a mail to you.

This script will help you in some cases by setting up an email address
like autoresponder@company.com that will receive email and immediately
reply it back.
=head1 INSTALLATION

Install the prerequisite Perl modules, in particular Graham Barr's
excellent MailTools package. L<Mail::Internet(3)>.

In /etc/mail/aliases or /etc/aliases, put lines like this:

  autoresponder:       "| /usr/local/bin/autoresponder"
  owner-autoresponder: /dev/null
  autoresponder-owner: /dev/null

Then do a "newaliases".

Edit the autoresponder script and change the reply-to address to point
back to one of the owner addresses. This should have the advantage that
you won't see error messages generated by the autoresponder.

=head1 SCRIPT CATEGORIES

mailstuff

=head1 PREREQUISITES

The MailTools package, in particular the Mail::Internet module.
L<Mail::Internet(3)>.

=head1 OSNAMES

any OS using sendmail or a compatible mail server

=head1 AUTHOR

Jochen Wiedmann
Am Eisteich 9
72555 Metzingen
Germany

Email: joe@ispsoft.de

=head1 SEE ALSO

L<Mail::Internet(3)>, L<aliases(5)>

=cut

use strict;
use diagnostics;

############################################################################
#
# Configurable section
#
############################################################################

my $REPLY_TO = 'root@localhost';

#
# Use an entry like
#
#   autoresponder-owner: /dev/null
#
# to suppress error messages from the autoresponder's replies.
#
############################################################################

use Mail::Internet ();
use Getopt::Long ();
use vars qw($opt_debug $opt_verbose $opt_help);

sub Usage() {
    print <<EOF;
Usage: autoresponder [options] [filename]

Reads an email from [filename] (default: stdin) and replies to the sender.

Possible options are:

  --debug      Turn on debugging mode. (Suppresses actions)
  --help       Print this help message.
  --verbose    Turn on verbose mode.
EOF
    exit 1;
}

# GetOptions() warns and returns false on an unknown option; it does not
# die, so test its return value rather than $@.
Usage() unless Getopt::Long::GetOptions('debug', 'verbose', 'help');
Usage() if $opt_help;
$opt_verbose = 1 if $opt_debug;

# Read the mail from the named file, or from STDIN when run out of aliases.
my $fh;
if (@ARGV) {
    my $file = shift @ARGV;
    open($fh, '<', $file) or die "Failed to open $file: $!";
    print "Reading mail from $file.\n" if $opt_verbose;
} else {
    $fh = \*STDIN;
    print "Reading mail from STDIN.\n" if $opt_verbose;
}

# Modify => 0 keeps the header lines exactly as received; MailFrom => KEEP
# leaves a leading "From " envelope line where it is instead of folding it
# into the header.
my $msg = Mail::Internet->new($fh, 'Modify' => 0, 'MailFrom' => 'KEEP');
my @headers = @{$msg->head()->header()};
my @body    = @{$msg->body()};

# Body of the reply: echo the original headers and body back verbatim.
# The "Security Number" is just the nine fields of localtime() in list
# context, run together.
my @message = ("Hello from the E-Mail AutoResponder :]\n",
               "Your mail was received by the autoresponder on ",
               scalar localtime, ".\n",
               "Your mail was assigned the following (dss) Security Number: ",
               localtime, ".\n",
               "\n",
               "=== Your message's E-Mail Header, as sent:\n\n",
               @headers,
               "=== End of Headers\n",
               "\n",
               "=== Your message's E-Mail Body, as sent, follows:\n\n",
               @body,
               "=== End of Body\n",
              );

# reply() builds a new message addressed back to the sender; we then
# replace its body with our own and point Reply-To at the owner address.
$msg = $msg->reply();
$msg->body(\@message);

print("Replying to $REPLY_TO.\n") if $opt_verbose;
$msg->head()->replace('Reply-To', $REPLY_TO);

print("Replying message:\n", $msg->as_string()) if $opt_verbose;
$msg->smtpsend() unless $opt_debug;

HTH,

-Sneex-  :]
____________________________________________________________________
Bill Jones * Data Security Specialist * http://jacksonville.pm.org/
FCCJ * 501 W State St * Jacksonville, FL 32202 * 1 (904) 632-3089

Running LinuxPPC RedHat 5.0 (Hurricane)
http://www.linuxppc.org
http://www.apache.org
http://www.redhat.com
http://www.perl.com
http://www.gimp.org

==== Want to unsubscribe from this list?
==== Send mail with body "unsubscribe" to macperl-webcgi-request@macperl.org
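The post above asks for "-w, strict, Taint safe" rewrites of the popular form scripts but only shows an autoresponder. As an added example (not code from the original post, from FormMail, or from Jochen Wiedmann's autoresponder), here is a minimal form-to-mail handler written that way: it runs under -T, never uses anything from the browser as a recipient, a file name or a shell argument, and rejects form fields containing CR/LF so nothing can be smuggled into the mail header. The field names (to, realname, email, subject, message), the recipient allow-list, the sendmail path and the sample form data are all assumptions made for the example.

```perl
#!/usr/bin/perl -T
# Added example, not part of the original post: a taint-checked form
# mailer. Field names, the allow-list and the sendmail path are assumed.
use strict;
use warnings;

# Taint mode refuses to run external programs while PATH and friends are
# attacker-influenced, so pin them before anything else.
$ENV{PATH} = '/usr/sbin:/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Assumed allow-list: the form supplies a short key, never an address.
my %RECIPIENT = (
    sales   => 'sales@example.com',
    support => 'support@example.com',
);
my $SENDMAIL = '/usr/sbin/sendmail';    # assumed path

# Parse application/x-www-form-urlencoded data into a field => value hash.
# Under -T every value that came from the network stays tainted.
sub parse_form {
    my ($data) = @_;
    my %f;
    for my $pair (split /[&;]/, $data) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k;
        $v = '' unless defined $v;
        for ($k, $v) {
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
        }
        $f{$k} = $v;
    }
    return \%f;
}

# Untaint one header value: a deliberately narrow character set, bounded
# length, and no CR/LF (an embedded newline is how header injection works).
sub clean_header {
    my ($v) = @_;
    return undef unless defined $v;
    return $v =~ /\A([\w .,'\@()-]{1,200})\z/ ? $1 : undef;
}

# Build the message or die with a reason. The recipient comes only from
# the allow-list; the header fields come only through clean_header().
sub build_message {
    my ($f) = @_;
    my $to = $RECIPIENT{ $f->{to} || '' } or die "unknown recipient key\n";
    my $name  = clean_header($f->{realname}) or die "bad realname\n";
    my $email = clean_header($f->{email})    or die "bad email\n";
    my $subj  = clean_header($f->{subject}) || 'Form submission';
    my $body  = defined $f->{message} ? $f->{message} : '';
    $body =~ s/\r\n?/\n/g;    # body may contain newlines; header may not
    return {
        to   => $to,
        text => "To: $to\nFrom: $name <$email>\nSubject: $subj\n\n$body\n",
    };
}

# List-form pipe open: no shell is involved, so the recipient is passed
# as a plain argv entry and nothing in it is interpreted.
sub send_message {
    my ($m) = @_;
    open(my $mail, '|-', $SENDMAIL, '-oi', $m->{to})
        or die "cannot run $SENDMAIL: $!\n";
    print $mail $m->{text};
    close $mail or die "sendmail failed: $?\n";
}

# Constructed sample input standing in for what a browser would POST.
my $sample   = 'to=support&realname=Jane+Doe&email=jane%40example.org'
             . '&subject=Hello&message=Testing+1+2+3';
my $injected = 'to=support&realname=Jane%0ABcc%3A+spam%40example.net'
             . '&email=jane%40example.org&message=x';

if (@ARGV and $ARGV[0] eq '--demo') {
    print build_message(parse_form($sample))->{text};
    eval { build_message(parse_form($injected)) };
    print "second submission rejected: $@";
} else {
    my $data = $ENV{QUERY_STRING} || '';
    read(STDIN, $data, $ENV{CONTENT_LENGTH}) if $ENV{CONTENT_LENGTH};
    my $m = eval { build_message(parse_form($data)) };
    if (!$m) { print "Content-Type: text/plain\n\nRejected: $@"; exit 0 }
    send_message($m);
    print "Content-Type: text/plain\n\nThanks, your message was sent.\n";
}
```

Run it as "perl -T formmailer.pl --demo" to see the first sample accepted and the second, whose realname carries a %0A followed by a Bcc: header, rejected. Without --demo it behaves as a CGI and pipes the message to sendmail. The point of the design is that an attacker controls only the text of the body and of three header values that have already been forced through clean_header(); the address list, the program that gets executed and its arguments are all fixed in the script.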