
formmail.cgi problem - PERL Modules


  1. #1

    formmail.cgi problem

    Hi,

    I have found a cgi-script to send the result of a form to my e-mail address.
    But it doesn't work. I know nothing about cgi scripts. I hope someone can
    help me.

    Thanks.

    The script:

    #!/usr/bin/perl -wT
    #
    # NMS FormMail Version 3.12c1
    #

    use strict;
    use vars qw(
    $DEBUGGING $emulate_matts_code $secure %more_config
    $allow_empty_ref $max_recipients $mailprog @referers
    @allow_mail_to @recipients %recipient_alias
    @valid_ENV $date_fmt $style $send_confirmation_mail
    $confirmation_text $locale $charset $no_content
    $double_spacing $wrap_text $wrap_style $postmaster
    );

    # PROGRAM INFORMATION
    # -------------------
    # FormMail.pl Version 3.12c1
    #
    # This program is licensed in the same way as Perl
    # itself. You are free to choose between the GNU Public
    # License <http://www.gnu.org/licenses/gpl.html> or
    # the Artistic License
    # <http://www.perl.com/pub/a/language/misc/Artistic.html>
    #
    # For help on configuration or installation see the
    # README file or the POD documentation at the end of
    # this file.

    # USER CONFIGURATION SECTION
    # --------------------------
    # Modify these to your own settings. You might have to
    # contact your system administrator if you do not run
    # your own web server. If the purpose of these
    # parameters seems unclear, please see the README file.
    #
    BEGIN
    {
      $DEBUGGING = 1;
      $emulate_matts_code = 0;
      $secure = 1;
      $allow_empty_ref = 1;
      $max_recipients = 5;
      $mailprog = '/usr/sbin/sendmail -oi -t';
      $postmaster = 'marcel@donsdeli.com';
      @referers = ();
      @allow_mail_to = qw(respuesta@donsdeli.com);
      @recipients = ();
      %recipient_alias = ();
      @valid_ENV = qw(REMOTE_HOST REMOTE_ADDR REMOTE_USER
                      HTTP_USER_AGENT);
      $locale = '';
      $charset = 'iso-8859-1';
      $date_fmt = '%A, %B %d, %Y at %H:%M:%S';
      $style = '/css/nms.css';
      $no_content = 0;
      $double_spacing = 1;
      $wrap_text = 0;
      $wrap_style = 1;
      $send_confirmation_mail = 0;
      $confirmation_text = <<'END_OF_CONFIRMATION';
    From: marcel@donsdeli.com
    Subject: form submission

    Thank you for your form submission.

    END_OF_CONFIRMATION


    Marcel Guest

  2. #2

    Re: formmail.cgi problem

    Marcel wrote:
    > Hi,
    >
    > I have found a cgi-script to send the result of a form to my e-mail address.
    > But it doesn't work. I know nothing about cgi scripts. I hope someone can
    > help me.
    For money, sure. Otherwise check the cgi ng, read the documentation that
    came with it. Many CGI scripts "found for free" have major security
    issues. If you know nothing about CGI, find someone who does.

    I often see scans in my access_logs for scripts with flaws.

    --
    John MexIT: http://johnbokma.com/mexit/
    personal page: http://johnbokma.com/
    Experienced Perl programmer available: http://castleamber.com/
    John Bokma Guest

  3. #3

    Re: formmail.cgi problem

    Thank you, John, I was hoping I might find someone here. I was under the
    impression that these scripts were fairly standard and that just a few
    variables had to be adjusted to one's particular situation. I didn't realize
    that there were so many different types of cgi-scripts just to send some
    results of a form to an e-mail address.

    Well, I guess I'll have to look elsewhere then.

    Thx,
    Marcel

    Marcel Guest

  4. #4

    Re: formmail.cgi problem

    Hi Marcel!

    Well, up to now I'm not familiar with using Perl *modules* and in the past I
    always used to write Perl scripts "from scratch".
    But perhaps I can help you with providing the source code for a simple email
    form, written in "conventional" Perl.

    You can get it from
    http://www.dipl-ing-kessler.de/developer/freigabe/email/index.htm

    If you have further questions you can contact me via this email form as a
    "working example" on the main page.

    Best regards,

    Markus



    Markus R. Keßler Guest

  5. #5

    Re: formmail.cgi problem

    On Tue, 11 May 2004 20:37:46 +0200, Marcel wrote:
    > Subject: formmail.cgi problem
    > From: "Marcel" <mkaptijnya.com>
    > Newsgroups: comp.lang.perl.modules
    > Date: Tue, 11 May 2004 20:37:46 +0200
    >
    > Hi,
    >
    > I have found a cgi-script to send the result of a form to my e-mail address.
    > But it doesn't work. I know nothing about cgi scripts. I hope someone can
    > help me.
    What do you mean by "it doesn't work"? I'm sure that if you describe your
    problems to the people at nms-cgi-support@lists.sourceforge.net then
    they'll be very happy to help you.

    And, yes, the nms programs _are_ secure.

    Dave...

    Dave Cross Guest

  6. #6

    Re: formmail.cgi problem


    "Markus R. Keßler" wrote:
    > But perhaps I can help you with providing the source code for
    > a simple email form, written in "conventional" Perl.
    >
    > You can get it from
    > http://www.dipl-ing-kessler.de/developer/freigabe/email/index.htm

    Woah! Security? A perfect example of what John Bokma was talking about
    earlier in this thread.

    Isn't this effectively an open relay? I think I can abuse it to do all sorts
    of interesting things (e.g., forge mail to any address apparently from any
    address, and not just to/from the given address (as if that weren't bad
    enough)). Let me expand on this a little:

    One idea: What happens if I put "To: victim <someonetospamfoo.com>" in the
    actual message?

    Well, not too much. The double linefeed after the headers means that this
    ends up in the message, and isn't parsed by sendmail.

    print MAIL "Subject: $FORM{'Betreff'}\n\n";

    For my attack to be successful, I need to get my spoofed header into the top
    of the data passed to the sendmail command.

    Taking a closer look at the script, I see that the only validation of
    form data is after this line:

    ### Error message: Email address only valid when there's 1 '@' and >0 '.'

    I hypothesise that by inserting suitable data into the HTML input fields
    Kunde_Name or Betreff I can add all of the headers that I like. I might even
    be able to obscure the ones that are added by the script, depending on what
    your sendmail implementation does with repeated headers. Remember that I
    don't actually need to use your HTML form to submit the data to the CGI.

    Let's be careful out there!

    Martin.


    Martin Carpenter Guest
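
The risk Martin describes arises when form values reach the header block of a message piped to `sendmail -t` without any check for line breaks. The following Perl is an added example, not code from Markus's script or from anyone in this thread: it contrasts unchecked interpolation with a version that rejects control characters in header fields and keeps the recipient fixed. `Kunde_Name` and `Betreff` are the field names from the post; the `Text` field, the `X-Sender-Name` header, the `example.invalid` addresses, the 200-character cap and all function names are assumptions made for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Return the value if it is safe to place on one header line; return
# nothing if it is empty, too long, or contains CR, LF or other controls.
sub header_value {
    my ($value) = @_;
    return unless defined $value && length $value;
    return if $value =~ /[\x00-\x1f\x7f]/;
    return if length $value > 200;    # arbitrary cap chosen for this example
    return $value;
}

# Unchecked construction: the form value is interpolated into the headers.
sub build_naive {
    my (%form) = @_;
    return "To: owner\@example.invalid\nSubject: $form{Betreff}\n\n$form{Text}\n";
}

# Checked construction: fixed recipient, validated header fields, and free
# text only after the blank line that ends the header block.
sub build_checked {
    my (%form) = @_;
    my $subject = header_value($form{Betreff});
    my $name    = header_value($form{Kunde_Name});
    return unless defined $subject && defined $name;
    return "To: owner\@example.invalid\n"
         . "Subject: $subject\n"
         . "X-Sender-Name: $name\n\n"
         . "$form{Text}\n";
}

# Count header lines, i.e. everything before the first blank line.
sub header_count {
    my ($msg) = @_;
    my ($head) = split /\n\n/, $msg, 2;
    my @lines = split /\n/, $head;
    return scalar @lines;
}

# Constructed sample input: the first Betreff value carries an embedded newline.
my %bad  = (Kunde_Name => 'A. Customer', Text => 'body',
            Betreff => "Hi\nBcc: third-party\@example.invalid");
my %good = (Kunde_Name => 'A. Customer', Text => 'body', Betreff => 'Order question');

printf "naive, bad input:    %d header lines\n", header_count(build_naive(%bad));
printf "checked, bad input:  %s\n", defined(build_checked(%bad))  ? 'accepted' : 'rejected';
printf "checked, good input: %s\n", defined(build_checked(%good)) ? 'accepted' : 'rejected';
```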
