Problem with simple contact script.

  1. #1

    Problem with simple contact script.

    I have a form below - I put a radio button for the person to select who they
    want to email to instead of "hardcoding" this into the form. (thus the
    spammers can't get my email addresses) the email addresses are set in the
    script via an if elsif test. I run this on my Windows XP port of perl with the
    -w and it simply can't find the path. I get an error 500 on the webserver. I
    can't figure this out. I'm only a novice programmer. Any help is appreciated.
    Scot King

    Script:

    #!usr/bin/perl
    use CGI qw(param);
    $towhom= param("towhom");
    $name= param("name");
    $email= param("email");
    $comments= param("comments");
    if ($towhom eq "loanofficer") {
    $towhom = "loanofficer\@mortgage-pros.com";
    } elsif ($towhom eq "marketing") {
    $towhom="marketing\@mortgage-pros.com";
    } elsif ($towhom eq "broker") {
    $towhom="broker\@mortgage-pros.com";
    }
    open(SM,"|/usr/sbin/sendmail -oi -t");
    print SM "From: $email\n";
    print SM "To: $towhom\n";
    print SM "Subject: Comments from $name\n";
    print SM "$comments \n\n";
    close SM;

    And here's the form:

    <html>
    <head>
    <meta name="description" content="We offer the lowest online mortgage rates
    available. Approved with over 150 lenders nationwide">
    <meta name="keywords" content="Low mortgage rates, mortgage rates, Mortgage,
    morgage, mortgage calculator">
    <!-- BEGIN LINKEXCHANGE CODE -->
    <center><iframe src="http://leader.linkexchange.com/25/X613941/showiframe?"
    width=468 height=60 marginwidth=0 marginheight=0 hspace=0 vspace=0
    frameborder=0 scrolling=no>
    <a href="http://leader.linkexchange.com/25/X613941/clickle" target="_top"><img
    width=468 height=60 border=0 ismap alt=""
    src="http://leader.linkexchange.com/4/X613941/showle?"></a></iframe><br><a
    href="http://leader.linkexchange.com/4/X613941/clicklogo" target="_top"><img
    src="http://leader.linkexchange.com/4/X613941/showlogo?" width=468 height=16
    border=0 ismap alt="" valign="top"></a><br></center>
    <!-- END LINKEXCHANGE CODE -->
    <br>
    <title>Contact PWC</title>
    </head>
    <body background="../pics/ocean.jpg">
    <hr size=5 width=90%>
    <table width="55%" align="center"><tr><td align="center">
    This form will email your question or comments to your selected party.
    </td></tr></table>
    </center>
    <p><p>
    <hr size=5 width=90%>
    <FORM METHOD="POST" ACTION="http://www.mortgage-pros.com/cgi-bin/email.cgi">
    <center><table>
    <tr>
    <TD align="right">Please select to whom this email is to be sent:</TD>
    <TD><input type="radio" name="towhom" value="loanofficer" checked="checked"
    />Loan Officer
    <input type="radio" name="towhom" value="marketing" />Marketing
    <input type="radio" name="towhom" value="broker" />Broker
    </td></tr></table>

    <table>
    <tr>
    <TD align="right">Name :</TD>
    <TD align="left"><INPUT NAME="name" SIZE="40" MAXLENGTH="40"></TD></tr>
    <tr>
    <TD align="right">E-mail address :</TD>
    <TD align="left" COLSPAN=2><INPUT NAME="email" SIZE="40"
    MAXLENGTH="40"></td></tr></table>
    <TEXTAREA align="center" NAME="comments" ROWS="8" COLS="55" WRAP="VIRTUAL"
    VALUE="Please type in any comments or questions here"></TEXTAREA></P>
    <INPUT TYPE=submit VALUE="Send In">
    <INPUT TYPE=reset VALUE="Reset">
    <input type=hidden name="background"
    value="http://www.mortgage-pros.com/pics/ocean.jpg">
    </FORM>
    </center><br>
    <table width="100%"><tr><td align="left">
    <A href="http://www.relibrary.com"><img src="../pics/award.jpg"></A></td>
    <td>
    <!--BEGIN REAL ESTATE PROS SEARCH AWARD CODE - ALTERING THIS CODE WILL RESULT
    IN TERMINATION OF ACCOUNT -->
    <center>
    <TABLE WIDTH=200 BGCOLOR="#000063" TABLE BORDERCOLOR="#000063" BORDER="1"
    CELLPADDING=2 CELLSPACING=1>
    <TR><TD WIDTH="30%" ALIGN=CENTER BGCOLOR="#000063">
    <IMG
    SRC="http://www.realestatepros.org/imgs/top10award.gif" WIDTH=56
    WIDTH=56 HEIGHT=75 BORDER="0" ALT="top 10% award"></TD>
    <TD WIDTH="70%" ALIGN=CENTER BGCOLOR="#ffce31">

    Awarded Top 10% in the Nation for Consumer Satisfaction by
    the Internet Consumer Group
    <IMG SRC="http://www.realestatepros.org/imgs/moreinfo.gif"
    WIDTH=55 WIDTH=55 HEIGHT=19 BORDER="0" VSPACE=3 ALT="more info"></TD>
    </TR> </TABLE></center> <!-- END REAL ESTATE PROS AWARD CODE -->
    </td></FONT> </center> <!-- END REAL ESTATE PRO'S AWARD CODE -->
    <td align="right"><img src="../pics/equal.gif" Alt="Equal Opp.Lender">
    <A href="/pages/urllist.htm"><IMG src="../pics/ocean.jpg" width=3 height=3
    border=0></A>
    </td></tr>
    </TABLE>
    <FONT SIZE=-2>
    <hr size=5 width=100%>
    <b>Equal Housing Lender<br>
    2003 All Rights Reserved </b></FONT>
    </body>
    </html>



    Mortgageloan2003 Guest

  3. #2

    Re: Problem with simple contact script.

    mortgageloan2003@aol.com (Mortgageloan2003) wrote in message news:<20030908023513.10815.00000560@mb-m29.aol.com>...
    > I have a form below - I put a radio button for the person to select who they
    > want to email to instead of "hardcoding" this into the form. (thus the
    > spammers can't get my email addresses) the email addresses are set in the
    > script via an if elsif test. I run this on my Windows XP port of perl with the
    > -w and it simply can't find the path. I get an error 500 on the webserver. I
    ..
    ..
    > open(SM,"|/usr/sbin/sendmail -oi -t");
    ..
    ..

    Try this...

    open(SM,">/usr/sbin/sendmail") or die $!;

    Tom
    ztml.com
    Tom Guest

  4. #3

    Re: Problem with simple contact script.

    Mortgageloan2003 <mortgageloan2003@aol.com> wrote:
    > I have a form below - I put a radio button for the person to select who they
    > want to email to instead of "hardcoding" this into the form. (thus the
    > spammers can't get my email addresses) the email addresses are set in the
    > script via an if elsif test.

    A hash would be nicer than a chain of if-elsif's.

    > I run this on my Windows XP port of perl with the
    > -w and it simply can't find the path. I get an error 500 on the webserver. I
    > can't figure this out.

    perldoc -q 500

    My CGI script runs from the command line but not the
    browser. (500 Server Error)

    > I'm only a novice programmer.

    Then you aren't ready for advanced applications such as CGI programs.

    > Any help is appreciated.

    Get it working from the command line first, _then_ move it
    to the CGI environment.

    > Script:
    >
    > #!usr/bin/perl

    You should ask for all the help you can get:

    use strict;
    use warnings;
    use CGI::Carp qw(fatalsToBrowser); # remove for production!

    > use CGI qw(param);
    > $towhom= param("towhom");
    > $name= param("name");
    > $email= param("email");
    > $comments= param("comments");
    > if ($towhom eq "loanofficer") {
    > $towhom = "loanofficer\@mortgage-pros.com";
    > } elsif ($towhom eq "marketing") {
    > $towhom="marketing\@mortgage-pros.com";
    > } elsif ($towhom eq "broker") {
    > $towhom="broker\@mortgage-pros.com";
    > }
    > open(SM,"|/usr/sbin/sendmail -oi -t");
    > print SM "From: $email\n";
    > print SM "To: $towhom\n";

    Who will your program send mail to when:

    param("towhom") eq 'mortgageloan2003@aol.com' ?

    (answer: To: mortgageloan2003@aol.com )

    Your program could be used to perform a denial-of-service attack,
    against any email address.

    # untested
    my %addresses = (
        loanofficer => 'loanofficer@mortgage-pros.com',
        marketing => 'marketing@mortgage-pros.com',
        broker => 'broker@mortgage-pros.com',
    );

    die "'$towhom' is not a valid email target"
        unless exists $addresses{ $towhom };

    $towhom = $addresses{ $towhom };


    Now it can only be used to perform a denial-of-service attack
    against those addresses. :-) errrr, that should be :-(

    The multitasking and security concerns that go with the CGI are
    no place for beginners.

    Learn Perl first, learn CGI programming second.

    > print SM "Subject: Comments from $name\n";

    There must be a blank line between the headers and the body:

    print SM "Subject: Comments from $name\n\n";

    > print SM "$comments \n\n";
    > close SM;

    --
    Tad McClellan SGML consulting
    tadmc@augustmail.com Perl programming
    Fort Worth, Texas
    Tad McClellan Guest

  5. #4

    Re: Problem with simple contact script.

    Tom <tom@ztml.com> wrote:
    > mortgageloan2003@aol.com (Mortgageloan2003) wrote in message news:<20030908023513.10815.00000560@mb-m29.aol.com>...
    >> I have a form below - I put a radio button for the person to select who they
    >> want to email to instead of "hardcoding" this into the form. (thus the
    >> spammers can't get my email addresses) the email addresses are set in the
    >> script via an if elsif test. I run this on my Windows XP port of perl with the
    >> -w and it simply can't find the path. I get an error 500 on the webserver. I
    > .
    > .
    >> open(SM,"|/usr/sbin/sendmail -oi -t");
    > .
    > .
    >
    > Try this...
    >
    > open(SM,">/usr/sbin/sendmail") or die $!;

    Do not try that.

    It does not invoke any programs, it attempts to open/create a file.

    It has nothing to do with your problem.

    This answer is from the Twilight Zone...


    --
    Tad McClellan SGML consulting
    tadmc@augustmail.com Perl programming
    Fort Worth, Texas
    Tad McClellan Guest

  6. #5

    Re: Problem with simple contact script.

    Mortgageloan2003 <mortgageloan2003@aol.com> wrote:
    > I run this on my Windows XP port of perl with the
    > -w and it simply can't find the path.
    > open(SM,"|/usr/sbin/sendmail -oi -t");

    Windows does not _have_ a program named sendmail.

    You must use some other method of sending email.

    (hint: perldoc -q mail )


    --
    Tad McClellan SGML consulting
    tadmc@augustmail.com Perl programming
    Fort Worth, Texas
    Tad McClellan Guest

  7. #6

    Re: Problem with simple contact script.

    On 08 Sep 2003 06:35:13 GMT
    mortgageloan2003@aol.com (Mortgageloan2003) wrote:
    > I have a form below - I put a radio button for the person to select
    > who they want to email to instead of "hardcoding" this into the
    > form. (thus the spammers can't get my email addresses) the email
    > addresses are set in the script via an if elsif test. I run this on
    > my Windows XP port of perl with the -w and it simply can't find the
    > path. I get an error 500 on the webserver. I can't figure this out.
    > I'm only a novice programmer. Any help is appreciated.
    What shows up in the error server logs?
    >
    > Script:
    >
    > #!usr/bin/perl
    add:
    use strict;
    > use CGI qw(param);
    > $towhom= param("towhom");
    change to:
    my $towhom= param("towhom");
    > $name= param("name");
    change to:
    my $name= param("name");
    > $email= param("email");
    change to:
    my $email= param("email");
    > $comments= param("comments");
    change to:
    my $comments= param("comments");
    > if ($towhom eq "loanofficer") {
    > $towhom = "loanofficer\@mortgage-pros.com";
    > } elsif ($towhom eq "marketing") {
    > $towhom="marketing\@mortgage-pros.com";
    > } elsif ($towhom eq "broker") {
    > $towhom="broker\@mortgage-pros.com";
    > }
    > open(SM,"|/usr/sbin/sendmail -oi -t");
    You mention running this on a Windows XP platform. Is this valid for
    your sendmail?

    Just a suggestion - DO _NOT_ cut and paste code _unless_ you
    understand _why_ you're cutting and pasting. My guess is that ... you
    don't have sendmail on your system.

    Check your web server error logs and see if they show what the error
    is.

    HTH

    --
    Jim

    Copyright notice: all code written by the author in this post is
    released under the GPL. http://www.gnu.org/licenses/gpl.txt
    for more information.

    a fortune quote ...
    Somebody ought to cross ball point pens with coat hangers so that
    the pens will multiply instead of disappear.
    James Willmore Guest

  8. #7

    Re: Problem with simple contact script.

    tadmc@augustmail.com (Tad McClellan) wrote in message news:<slrnblp0p4.ic0.tadmc@magna.augustmail.com>...
    > Tom <tom@ztml.com> wrote:
    > > .
    > > .
    > >
    > > Try this...
    > >
    > > open(SM,">/usr/sbin/sendmail") or die $!;
    >
    >
    > Do not try that.
    >
    > It does not invoke any programs, it attempts to open/create a file.
    >
    > It has nothing to do with your problem.
    >
    > This answer is from the Twilight Zone...
    Sorry, I jumped the gun. Perhaps you might want to try this...

    #!/usr/bin/perl

    use strict;
    use Mail::sendMail;
    use CGI qw(param);

    print "Content-Type: text/html\n\n";

    my $towhom = param("towhom");
    my $name = param("name");
    my $email = param("email");
    my $comments = param("comments");

    if($towhom eq "loanofficer")
    {
    $towhom = "loanofficer\@mortgage-pros.com";
    }
    elsif ($towhom eq "marketing")
    {
    $towhom="marketing\@mortgage-pros.com";
    }
    elsif ($towhom eq "broker")
    {
    $towhom="broker\@mortgage-pros.com";
    }
    my %mail = (
    To => $towhom,
    From => $email,
    Subject => $name,
    Message => $comments,
    );

    sendmail(%mail) or die $!;

    print "Mail sent: $towhom";

    -----------------------------

    I hope this will meet your approval or otherwise, your next step is…

    Tom
    ztml.com
    Tom Guest

  9. #8

    Re: Problem with simple contact script.

    Tom wrote:
    > #!/usr/bin/perl
    add -w and -T
    > use strict;
    > use Mail::sendMail;
    > use CGI qw(param);
    >
    > print "Content-Type: text/html\n\n";
    Don't output your headers yourself, use CGI for this.
    > my $towhom = param("towhom");
    > my $name = param("name");
    > my $email = param("email");
    > my $comments = param("comments");
    >
    > if($towhom eq "loanofficer")
    > {
    > $towhom = "loanofficer\@mortgage-pros.com";
    > }
    > elsif ($towhom eq "marketing")
    > {
    > $towhom="marketing\@mortgage-pros.com";
    > }
    > elsif ($towhom eq "broker")
    > {
    > $towhom="broker\@mortgage-pros.com";
    > }
    and what if towhom = "me@somewhere.invalid" ?

    my %towhoms = (
    loanofficer => 'loanofficer@mortgage-pros.com',
    marketing => .....,
    ....
    );

    (if the domain is always the same this can be simplified, left as an
    exercise to the reader :-) )

    my $safe_towhom = $towhoms{$towhom};

    unless (defined $safe_towhom) {

    *REPORT ERROR!*
    }

    Since it is unexpected report an error, *don't* fix unexpected things.
    > my %mail = (
    > To => $towhom,
    $safe_towhom...

    [snip]
    > print "Mail sent: $towhom";
    $safe_towhom....

    --
    Kind regards, feel free to mail: mail(at)johnbokma.com (or reply)
    virtual home: http://johnbokma.com/ ICQ: 218175426
    John web site hints: http://johnbokma.com/websitedesign/

    John Bokma Guest

  10. #9

    Re: Problem with simple contact script.

    Tom wrote:
    >
    > #!/usr/bin/perl
    >
    > use strict;
    > use Mail::sendMail;
    ------------^---^

    What is that? Do you mean

    use Mail::Sendmail;

    --
    Gunnar Hjalmarsson
    Email: http://www.gunnar.cc/cgi-bin/contact.pl

    Gunnar Hjalmarsson Guest

  11. #10

    Re: Problem with simple contact script.

    Tom <tom@ztml.com> wrote:
    > tadmc@augustmail.com (Tad McClellan) wrote in message news:<slrnblp0p4.ic0.tadmc@magna.augustmail.com>...
    >> Tom <tom@ztml.com> wrote:
    >> > .
    >> > .
    >> >
    >> > Try this...
    >> >
    >> > open(SM,">/usr/sbin/sendmail") or die $!;
    >>
    >>
    >> Do not try that.
    >>
    >> It does not invoke any programs, it attempts to open/create a file.
    >>
    >> It has nothing to do with your problem.
    >>
    >> This answer is from the Twilight Zone...
    >
    > Sorry, I jumped the gun. Perhaps you might want to try this...
    > use Mail::sendMail;
    ^
    ^
    > if($towhom eq "loanofficer")
    > {
    > $towhom = "loanofficer\@mortgage-pros.com";
    > }
    > elsif ($towhom eq "marketing")
    > {
    > $towhom="marketing\@mortgage-pros.com";
    > }
    > elsif ($towhom eq "broker")
    > {
    > $towhom="broker\@mortgage-pros.com";
    > }
    > I hope this will meet your approval

    Nope.

    1) It will not compile (a prerequisite of approval).

    2) It will function as a mail relay to any address in the whole wide world!


    --
    Tad McClellan SGML consulting
    tadmc@augustmail.com Perl programming
    Fort Worth, Texas
    Tad McClellan Guest

  12. #11

    Re: Problem with simple contact script.

    Tad McClellan wrote:
    > Tom <tom@ztml.com> wrote:
    >> I hope this will meet your approval
    >
    > Nope.
    <snip>
    > 2) It will function as a mail relay to any address in the whole
    > wide world!
    With hardcoded addresses? How?

    --
    Gunnar Hjalmarsson
    Email: http://www.gunnar.cc/cgi-bin/contact.pl

    Gunnar Hjalmarsson Guest

  13. #12

    Re: Problem with simple contact script.

    On Tue, Sep 9, Gunnar Hjalmarsson inscribed on the eternal scroll:
    > Tad McClellan wrote:
    > > Tom <tom@ztml.com> wrote:
    > >> I hope this will meet your approval
    > >
    > > Nope.
    Disastrous. Fortunately it was prefaced with the sure-fire bogosity
    alert, "try this". But I'm surprised you were taken-in by it.
    > > 2) It will function as a mail relay to any address in the whole
    > > wide world!
    >
    > With hardcoded addresses? How?
    Look at it again. Properly. They're out to get you, so there's no
    harm in applying a degree of paranoia.

    At least, it has served as a clear demonstration of the inadvisability
    of rolling one's own. All the mistakes have been made before, and
    corrected, by better programmers than me.

    The lack of warnings and taint checks might have helped as a
    supplementary clue; some might have rated the use of a hand-rolled
    content-type (without the very necessary charset! - see CA-2000-02)
    despite invoking CGI.pm which knows how to do things properly; but -
    most of all - the lack of any explanation WHY a particular thing was
    being done in a particular way, and what particular dangers are
    necessary to avoid. Just "try this", a lump of unadorned code, "like
    it or lump it" as we say in our neck of the woods. Thus we would learn
    nothing, and rate to do no more than propagate cargo-cult code, if we
    follow such an example.

    all the best

    --
    I am coming to the conclusion that, as the sum of human knowledge
    increases, more and more people feel overwhelmed by the sheer mass of
    it, and cope with the problem by metaphorically pulling the bedcovers
    over their heads and refusing to know anything at all. - Sue on uk.railway
    Alan J. Flavell Guest

  14. #13

    Re: Problem with simple contact script.

    Gunnar Hjalmarsson wrote:
    > Tad McClellan wrote:
    >
    >> Tom <tom@ztml.com> wrote:
    >>
    >>> I hope this will meet your approval
    >>
    >>
    >> Nope.
    >
    >
    > <snip>
    >
    >> 2) It will function as a mail relay to any address in the whole
    >> wide world!
    >
    >
    > With hardcoded addresses? How?
    there is no final "else"


    --
    Kind regards, feel free to mail: mail(at)johnbokma.com (or reply)
    virtual home: http://johnbokma.com/ ICQ: 218175426
    John web site hints: http://johnbokma.com/websitedesign/

    John Bokma Guest

  15. #14

    Re: Problem with simple contact script.

    John Bokma wrote:
    > Gunnar Hjalmarsson wrote:
    >> Tad McClellan wrote:
    >>> 2) It will function as a mail relay to any address in the whole
    >>> wide world!
    >>
    >> With hardcoded addresses? How?
    >
    > there is no final "else"
    Aha. Thanks!

    --
    Gunnar Hjalmarsson
    Email: http://www.gunnar.cc/cgi-bin/contact.pl

    Gunnar Hjalmarsson Guest

  16. #15

    Re: Problem with simple contact script.

    tadmc@augustmail.com (Tad McClellan) wrote in message news:<slrnblpvn3.jjh.tadmc@magna.augustmail.com>...
    ..
    ..
    > > I hope this will meet your approval
    >
    >
    > Nope.
    >
    > 1) It will not compile (a prerequisite of approval).
    >
    > 2) It will function as a mail relay to any address in the whole wide world!
    ..
    ..

    All right, one more time...

    #!/usr/bin/perl

    use strict;
    use Mail::Sendmail;
    use CGI qw(:standard);

    print header("text/html");

    my $towhom = param("towhom");
    my $name = param("name");
    my $email = param("email");
    my $comments = param("comments");

    my %towhoms = (
        loanofficer => 'loanofficer@mortgage-pros.com',
        marketing => 'marketing@mortgage-pros.com',
        broker => 'broker@mortgage-pros.com',
    );
    my $safe_towhom = $towhoms{$towhom};
    if(!$safe_towhom)
    {
        print start_html("ERROR"),
        p("Sorry, your message was not sent because $towhom is not in our mailing list.");
    }
    else
    {
        my %mail = (
            To => $safe_towhom,
            From => $email,
            Subject => $name,
            Message => $comments,
        );
        # Mail::Sendmail reports failures in $Mail::Sendmail::error, not $!
        sendmail(%mail) or die $Mail::Sendmail::error;

        print start_html("Sendmail"),
        p("Thank you, your message has been sent to $towhom.");
    }
    print end_html;

    -------------------------------

    If this does not meet your approval, next stop... PERL 101 :(

    Tom
    ztml.com
    Tom Guest

  17. #16

    Re: Problem with simple contact script.

    PERL 101

    Tom wrote:
    > tadmc@augustmail.com (Tad McClellan) wrote in message news:<slrnblpvn3.jjh.tadmc@magna.augustmail.com>...
    > .
    > .
    >
    >>>I hope this will meet your approval
    >>
    >>
    >>Nope.
    >>
    >>1) It will not compile (a prerequisite of approval).
    >>
    >>2) It will function as a mail relay to any address in the whole wide world!
    >
    > .
    > .
    >
    > All right, one more time...
    >
    > #!/usr/bin/perl
    add -wT
    > use strict;
    > use Mail::Sendmail;
    > use CGI qw(:standard);
    >
    > print header("text/html");
    I don't know if this outputs XHTML and which header it spits out to
    a browser that wants XML.

    [snip]
    > if(!$safe_towhom)
    shouldn't that be a test for definedness?

    unless (defined $safe_towhom) {

    Also I recommend using unless instead of !
    IMHO it makes code more readable
    > {
    > print start_html("ERROR"),
    > p("Sorry, your message was not sent because $towhom is not in our mailing list.");
    why not end_html here as well and exit; ?
    > }
    so you can remove the else and { } which, again IMHO makes the code more
    readable.

    Also, it is the main (or normal) flow of your program. The unless
    defined handles a special case, an exception.

    > print start_html("Sendmail"),
    > p("Thank you, your message has been sent to $towhom.");
    > }
    > print end_html;
    so the end_html could be put together with the print start_ ...

    --
    Kind regards, feel free to mail: mail(at)johnbokma.com (or reply)
    virtual home: http://johnbokma.com/ ICQ: 218175426
    John web site hints: http://johnbokma.com/websitedesign/

    John Bokma Guest

  18. #17

    Re: Problem with simple contact script.

    "Tom" <tom@ztml.com> wrote in message
    news:59b4279a.0309081727.2ac8e787@posting.google.com...
    > tadmc@augustmail.com (Tad McClellan) wrote in message
    news:<slrnblpvn3.jjh.tadmc@magna.augustmail.com>...
    > .
    > .
    > > > I hope this will meet your approval
    > >
    <snip>
    >
    > If this does not meet your approval, next stop... PERL 101 :(
    Perl 101.

    Tom, even though you've crafted a way to limit the addressees to a limited
    set, you are still allowing user-supplied input to pass unfiltered in other
    fields.

    Do a Google search for "cgiemail %0A bug" to see the exploit to which your
    script is or may be vulnerable. With a simple test on my own system, I was
    able to send E-mail to myself with name=%0ACC:my-email-address, proving your
    script is vulnerable (at least when it is employed locally to send mail
    through my ISP's SMTP server).

    You may wish to examine Gunnar H's contact script for ways to prevent this
    vulnerability.

    Cheers.

    Bill Segraves

    P.S. Fortunately for you, your script appears to be broken at the "real"
    site you revealed in your message. Lesson here: Don't use real sites for
    your samples.


    William Alexander Segraves Guest

  19. #18

    Re: Problem with simple contact script.

    "Gunnar Hjalmarsson" <noreply@gunnar.cc> wrote in message
    news:bjj0qq$j5lge$1@ID-184292.news.uni-berlin.de...
    > Tad McClellan wrote:
    <snip>
    > > 2) It will function as a mail relay to any address in the whole
    > > wide world!
    >
    > With hardcoded addresses? How?
    Hi, Gunnar.

    Remember the discussion we had on the "%0A exploit"? I'm not sure if this is
    the problem to which Tad had referred; but Tom's script appears to allow
    said exploit.

    Cheers.

    Bill Segraves


    William Alexander Segraves Guest

  20. #19

    Re: Problem with simple contact script.

    William Alexander Segraves wrote:
    > "Gunnar Hjalmarsson" <noreply@gunnar.cc> wrote in message
    > news:bjj0qq$j5lge$1@ID-184292.news.uni-berlin.de...
    >> Tad McClellan wrote:
    >>> 2) It will function as a mail relay to any address in the whole
    >>> wide world!
    >>
    >> With hardcoded addresses? How?
    >
    > Remember the discussion we had on the "%0A exploit"? I'm not sure
    > if this is the problem to which Tad had referred; but Tom's script
    > appears to allow said exploit.
    Yes, you are probably right about that. Furthermore, Tom's first
    script makes it also possible to submit any address directly in the
    'towhom' field.

    I just gave it a quick glance before asking the above question
    yesterday, and only after John had pointed it out, my eyes were really
    opened. ;-)

    --
    Gunnar Hjalmarsson
    Email: http://www.gunnar.cc/cgi-bin/contact.pl

    Gunnar Hjalmarsson Guest

  21. #20

    Re: Problem with simple contact script.

    William Alexander Segraves wrote:
    > Tom, even though you've crafted a way to limit the addressees to a
    > limited set, you are still allowing user-supplied input to pass
    > unfiltered in other fields.
    >
    > Do a Google search for "cgiemail %0A bug" to see the exploit to
    > which your script is or may be vulnerable. With a simple test on my
    > own system, I was able to send E-mail to myself with
    > name=%0ACC:my-email-address, proving your script is vulnerable (at
    > least when it is employed locally to send mail through my ISP's SMTP
    > server).
    >
    > You may wish to examine Gunnar H's contact script for ways to
    > prevent this vulnerability.
    My ContactForm module is available at
    http://search.cpan.org/author/GUNNAR/

    --
    Gunnar Hjalmarsson
    Email: http://www.gunnar.cc/cgi-bin/contact.pl

    Gunnar Hjalmarsson Guest
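
The two checks the thread arrives at, put together as an added example that is not code from any poster: the recipient is looked up in a fixed table and unknown keys are refused, and any value that goes into a header line is refused if it contains a line break (the %0A case). The helper names are hypothetical and the sample submissions are constructed; the script only builds the message text and sends nothing.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Form keys map to fixed addresses (the three addresses used in the thread).
my %ADDRESS_FOR = (
    loanofficer => 'loanofficer@mortgage-pros.com',
    marketing   => 'marketing@mortgage-pros.com',
    broker      => 'broker@mortgage-pros.com',
);

# Return the fixed address for a form key. Unknown input is an error,
# never passed through and never "corrected".
sub recipient_for {
    my ($key) = @_;
    die "missing recipient key\n" unless defined $key;
    die "unknown recipient key\n" unless exists $ADDRESS_FOR{$key};
    return $ADDRESS_FOR{$key};
}

# A value placed on a header line must not contain CR, LF or any other
# control character; a decoded %0A would otherwise start a new header.
sub header_value {
    my ($field, $value, $max_len) = @_;
    die "$field is missing\n" unless defined $value && length $value;
    die "$field is too long\n" if length($value) > $max_len;
    die "$field contains control characters\n" if $value =~ /[\x00-\x1F\x7F]/;
    return $value;
}

# The sender field must additionally look like one bare address.
sub sender_address {
    my ($value) = @_;
    $value = header_value('email', $value, 40);   # the form's MAXLENGTH is 40
    die "email is not a plain address\n"
        unless $value =~ /\A[A-Za-z0-9._%+-]+\@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/;
    return $value;
}

# Build the text that would be handed to the mailer, or die with a reason.
sub build_message {
    my (%form) = @_;
    my $to   = recipient_for($form{towhom});
    my $from = sender_address($form{email});
    my $name = header_value('name', $form{name}, 40);
    my $body = defined $form{comments} ? $form{comments} : '';
    $body =~ s/\r\n?/\n/g;    # line breaks are legitimate in the body
    return "From: $from\n"
         . "To: $to\n"
         . "Subject: Comments from $name\n"
         . "\n"               # blank line separates headers from body
         . "$body\n";
}

# Constructed sample submissions, already URL-decoded as param() returns them.
my @samples = (
    [ 'normal submission',
      { towhom => 'broker', name => 'Pat Doe',
        email => 'pat@example.com', comments => "Hello\r\nthere" } ],
    [ 'address typed into towhom',
      { towhom => 'someone@example.net', name => 'Pat',
        email => 'pat@example.com', comments => 'x' } ],
    [ 'line break in name',
      { towhom => 'broker', name => "Pat\nCc: someone\@example.net",
        email => 'pat@example.com', comments => 'x' } ],
    [ 'line break in email',
      { towhom => 'broker', name => 'Pat',
        email => "pat\@example.com\nBcc: someone\@example.net", comments => 'x' } ],
);

for my $sample (@samples) {
    my ($label, $form) = @$sample;
    my $message = eval { build_message(%$form) };
    if (defined $message) {
        print "ACCEPT  $label\n$message";
    }
    else {
        chomp(my $why = $@);
        print "REJECT  $label: $why\n";
    }
}
```

Only the first sample is accepted; the other three are rejected before any header line is assembled.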
