Lunarpages Web Hosting Forum

Scripting Languages Hosting Help => C++ / PERL / CGI Support => Topic started by: DJReda on February 27, 2004, 05:52:11 PM

Title: In need of form help
Post by: DJReda on February 27, 2004, 05:52:11 PM
Hi guys and girls,

I'm in need of some help from the experts!
I am familiar with HTML and FrontPage but CGI and the others are Greek to me.

What I'm looking to do is create a few forms for various parts of my site in which a user would fill in information in provided fields (text, checkboxes, dropdowns, etc.) and I'm LOST!  :(  :(

Is there somewhere that I can get a base template to work with? But the problem is I wouldn't know where or what to put as "actions or submits" to have the form emailed to me with the users input.

I tried the cgi icon in the CPanel and tried to follow the instructions but I'm still lost - PLEASE HELP!  :cry:

Thanks everyone!

Dominick...
Title: In need of form help
Post by: stapel on February 29, 2004, 01:41:09 PM
You have to use the Matt Wright formail emulator found here:

http://nms-cgi.sourceforge.net/scripts.shtml

Lunarpages will not allow you to use any other script (according to what Support has told me), which I would have to assume includes the one in the CGI folder in cPanel. There doesn't appear to be much documentation or support, so definitely read the "Readme" file. If you do the settings incorrectly, this script will be as insecure as the original Matt Wright "formail" script, which would be a very bad thing (for you; great for the spammers who would hijack your account).

Eliz.
Title: In need of form help
Post by: TWebMan on March 01, 2004, 08:35:11 AM
Or try:
http://twebman.lunarpages.com/perl/
Title: In need of form help
Post by: Danielle on March 01, 2004, 08:39:00 AM
Hi TWebMan,

Actually, the new policy is that other scripts aren't allowed for formmail due to the numerous exploited scripts we have had for other formmail versions.  Thus, we aren't able to recommend ones other than nms currently, with the link being:

http://nms-cgi.sourceforge.net/scripts.shtml

Sorry about any misunderstanding on the matter.

Thanks
Title: In need of form help
Post by: TWebMan on March 01, 2004, 08:47:52 AM
OK no problem I'll stop offering my script here.  But it's never been hijacked, fyi :)

The others, I believe, all have, at one point or another.

Sometimes efficiency is in simplicity.  Since there's no recipient variable in my script, it's not possible to use it to send mail to anybody but the one recipient that's hardcoded into the script, right in the sendmail command.

All the others still use variables.  If it's not protected in a private object, a var can be changed.  Since perl is not OOP, you can't protect variables.

Best course of action, don't use one!  ;)  That's what I do.

I've already fooled both the latest formmail and BNB script.  I'll demonstrate to the staff, if you like, how easy it is to fool these scripts.  Once you're in, if the recipient is a variable, you're all set.  Plug in 10, 100, 1000 recipients and you're off.

Seems what they've done is pile checkpoints into the script.  What I've done is simply hardcode the simple recipient (with a couple important checkpoints also).

If someone manages to fool my script, the result is the single recipient will receive a spam message.  One email sent :)
Title: In need of form help
Post by: stapel on March 01, 2004, 08:59:48 AM
TWebMan: I had changed the BNBForm script so that the recipient was designated as, say, "webmaster", with the actual e-mail hard-coded into the script. That is, the script took the variable "webmaster" and inserted the hard-coded address. How does this differ from what your script does, other than allowing for variable recipients?

Thank you.

Eliz.
Title: In need of form help
Post by: TWebMan on March 01, 2004, 09:03:37 AM
Where does the email addy start, in the script?  That's more secure.  What would happen if you sent a post to that script with a hidden field called webmaster, with 1000 email addresses in it, separated by commas?
Title: In need of form help
Post by: stapel on March 01, 2004, 09:09:06 AM
TWebMan: I'm not sure what you mean. The "value" of the hidden field "submit_to" is set as "webmaster". Within the CGI, "webmaster" is mapped to a hard-coded e-mail address. How would that be converted to a thousand e-mail addresses? Are you saying that the hacker can edit the CGI script to change the hard-coded addresses? If so, how could any script be secure?

Thank you.

Eliz.
Title: In need of form help
Post by: TWebMan on March 01, 2004, 09:13:21 AM
No, they can't be hardcoded in.  When a form post comes in with the same name as a variable, though, that variable can be overwritten with the value of the form post....depending where that var is in the script.

I'm sure they're not going to put it somewhere it can be changed, under normal circumstances, but a spammer may find the right combination in a query string or form to overwrite that variable with the incoming form field.
Title: In need of form help
Post by: stapel on March 01, 2004, 09:20:28 AM
TWebMan: So hard-coding doesn't really matter, since any script value can be overwritten? Yeesh! Since scripted form-handlers can be hacked, and since "mailto" links are out of the question, how then can we have users contact us?

Thank you.

Eliz.
Title: In need of form help
Post by: TWebMan on March 01, 2004, 09:31:04 AM
No, no, variables can be overwritten.  It's the hard coding that can't be overwritten.
Title: In need of form help
Post by: stapel on March 01, 2004, 09:59:45 AM
TWebMan: I'm sorry, but won't any script have variables? (For instance, the message being sent should not be fixed in advance, should it?) Also, I don't understand how changing the variable in the "submit_to" field of the HTML form would help the hacker, since the script would then not recognize the variable and would have no e-mail address (from the hard-coded list) to which to map the new variable.

Thank you.

Eliz.
Title: In need of form help
Post by: Neco on March 01, 2004, 10:45:03 AM
While in the traditional programming sense a variable is anything that holds data, in the web sense a variable usually refers to data that is modified by user input.

If you can't modify the hard-coded email address, you can't change it. Since the address is hard-coded and does not require any input from the user, in theory it should be secure.

Think of it as a stop sign vs a traffic light.

When you plant a stop sign, it means stop. You must always stop. You can do nothing at that sign but stop, or you are breaking the law.

When you come to a stop light you have more options.  

Red - you must stop.
Yellow - you must slow down and be prepared to stop.
Green - you may pass through.

When someone hijacks a script's variable, they may want to change the stop light so that instead of the stop light turning "red" (mail to fixed@domain.com) it turns green instead (mail to "list of addresses to spam @ domains.com").

I hope I explained this right

lol  =\
Title: In need of form help
Post by: stapel on March 01, 2004, 10:51:50 AM
Neco: I can understand if the variable were "send_to_addy@domain.com", so the e-mail address is in the HTML script and is sent as a variable to the script. But in my case, the variable was "send_to_designated_recipient", which the script then mapped to a hard-coded address. That is, the script read "designated_recipient" and processed "hard_coded_addy@domain.com". I'm hearing that this hard-coding can be replaced, so the variable sent would be "send_to_hacker_new_variable", and the script would somehow map this to "hack_addy_1@hacker.com", "hacker_addy_2@hacker.com", etc, etc. I guess this is what I'm not understanding: how the hard-coding can be overcome.

It is occasions like this that make me wish I had the time not to be so ignorant....

Thank you.

Eliz.
Title: In need of form help
Post by: Neco on March 01, 2004, 10:54:06 AM
Think I better leave the rest to Twebman, I might learn something myself, heh.
Title: In need of form help
Post by: Ed on March 01, 2004, 01:13:04 PM
Did you want to post the lines of code that send the message? You have to hardcode all the headers to secure it.

- Ed
Title: In need of form help
Post by: trebormojo on March 01, 2004, 01:39:46 PM
So are TWebMan's scripts secure or not? I was using one and they cut it off, so what's the deal?
Title: In need of form help
Post by: stapel on March 01, 2004, 01:40:37 PM
Kata: The HTML coding included:
Code:
<input type="hidden" name="submit_to" value="webmaster">
The script then checked this value against a list (array?) and read a hard-coded e-mail address into the process:

Code:
 %addy_list = ("webmaster", "default\@yourdomain.com");
Later in the code, this list of hard-coded addresses (there can be more than one) is read into an array used for addressing the posted message:

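Code:
   if ($key eq "submit_to") {
       # Strip line feeds, carriage returns and spaces from the submitted value
       $content=~s/\012//g;
       $content=~s/\015//g;
       $content=~s/ //g;
       # Look the value up as a key in %addy_list; the mapped string may hold
       # several comma-separated addresses. An unknown key maps to nothing.
       @recipients=split(/,/,$addy_list{$content});
   }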

I think this is the bit of coding that does the actual mailing:

Code:
sub write_data
{

   if ($fields{'submit_by'} ne "") {
       if (&valid_address == 0) {
          &bad_email;
          exit;
       }
   }
   
   if ($fields{'submit_by'} ne "" && $fields{'emailfile'} ne "") {
      open (EMF,">>$fields{'emailfile'}");
      print EMF "$fields{'submit_by'}\n";
      close (EMF);
   }

   if ($fields{'submit_to'} ne "") {
     $msgtext="";
     $msgtext .= "On $SD at $ST,\n";
     $msgtext .=  "The following information was submitted:\n";
     $msgtext .=  "From Host: $ENV{'REMOTE_ADDR'}\n";
   }

   if ($fields{'outputfile'} ne "") {
      &get_the_lock;
      open(OUT_FILE,">>$fields{'outputfile'}");
   }

   foreach $to_print (@sortlist) {
      if ($fields{'outputfile'} ne "")
       { print OUT_FILE "$fields{$to_print}\|"; }
      if ($fields{'submit_to'} ne "")
       { $msgtext .= "$to_print = $fields{$to_print}\n"; }
   }
   if ($fields{'outputfile'} ne "") {
     print OUT_FILE "$SD\|$ST\|\n";
     close(OUT_FILE);
     &drop_the_lock;
   }

   foreach $to_get (@recipients) {
      $mailresult=&sendmail($fields{submit_by}, $fields{submit_by}, $to_get, $SMTP_SERVER, $fields{form_id}, $msgtext);
      if ($mailresult ne "1") {
       print "Content-type: text/html\n\n";
       print "MAIL NOT SENT. SMTP ERROR: $mailcodes{$mailresult}\n";
       exit
      }
    }
   foreach $to_cc (@cc_tos) {
      $mailresult=&sendmail($fields{submit_by}, $fields{submit_by}, $to_cc, $SMTP_SERVER, $fields{form_id}, $msgtext);
      if ($mailresult ne "1") {
       print "Content-type: text/html\n\n";
       print "MAIL NOT SENT. SMTP ERROR: $mailcodes{$mailresult}\n";
       exit
      }
    }

}


Thank you.

Eliz.
Title: In need of form help
Post by: stapel on March 01, 2004, 01:47:34 PM
trebormojo: According to this recent post:

http://www.lunarforums.com/forum/viewtopic.php?t=12050&start=15

...the TWebMan script is very exploitable, and its use has been banned. You have to use the Matt Wright script.

Hope that helps.

Eliz.
Title: In need of form help
Post by: trebormojo on March 01, 2004, 02:36:14 PM
Does the program LP is using to find the exploitable scripts find every one? It only flagged my Twebman script, but not some others I had that were from a "EZ Form Mailer" not "EZ Formmail"

However, they are under a subdomain with its own cgi directory - does that matter? I took them off and uploaded a copy to the helpdesk under my post. I want to fix this problem just as much as LP.

I'm probably just wasting more time on the forum than if I just remade all my scripts with the secure one :/
Title: In need of form help
Post by: trebormojo on March 01, 2004, 04:36:27 PM
BTW that sourceforge script is really great and powerful! Thanks LP!!!
Title: In need of form help
Post by: Ed on March 01, 2004, 04:44:19 PM
The program they used is something written in house, I believe. It's custom developed to pick up the currently known easily exploitable ones.

- Ed
Title: In need of form help
Post by: Ed on March 01, 2004, 04:47:55 PM
Stapel - the matt wright script is the top exploitable script. You want to use the nms-cgi script (NMS stands for not matt wright). :-)

If there is a from variable in the script (the message appears to be from the user that submitted the form) then yes, there is a potential exploit which I detailed on the page explaining tweb's script.

- Ed
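
The alias lookup and fixed-header approach discussed in the posts above, as an added Perl example (not part of any post, and not code from BNBForm, nms FormMail or TWebMan's script). The alias table, the addresses and the names `resolve_recipient` and `build_message` are assumptions made for illustration; the script prints its decision for each constructed submission instead of sending mail.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Alias table: the HTML form carries only the key ("webmaster"), never an
# address. Keys and addresses here are constructed examples.
my %ADDY_LIST = (
    webmaster => 'default@yourdomain.com',
    sales     => 'sales@yourdomain.com',
);

# Fixed header values: nothing from the form is ever placed in a header.
my $FIXED_FROM    = 'forms@yourdomain.com';
my $FIXED_SUBJECT = 'Website form submission';

# Resolve the submitted alias to at most one address.
# Anything that is not an exact, existing key yields no recipient.
sub resolve_recipient {
    my ($alias) = @_;
    return unless defined $alias;
    return unless $alias =~ /\A[a-z0-9_]{1,32}\z/;   # no commas, @, spaces, CR/LF
    return unless exists $ADDY_LIST{$alias};
    return $ADDY_LIST{$alias};
}

# Build the message text, or return nothing if the alias is not recognised.
# $form is the already-decoded form data, kept in a hash so that a field
# name can never collide with one of the script's own variables.
sub build_message {
    my ($form) = @_;
    my $to = resolve_recipient($form->{submit_to});
    return unless defined $to;

    # User input goes into the body only; line breaks in the one-line
    # "submit_by" field are flattened so the body layout stays intact.
    my $by = defined $form->{submit_by} ? $form->{submit_by} : '';
    $by =~ s/[\r\n]+/ /g;
    my $text = defined $form->{message} ? $form->{message} : '';

    return join "\n",
        "From: $FIXED_FROM",
        "To: $to",
        "Subject: $FIXED_SUBJECT",
        '',
        "Submitted by: $by",
        '',
        $text,
        '';
}

# Constructed submissions showing which "submit_to" values produce mail.
my @samples = (
    { submit_to => 'webmaster',    submit_by => 'visitor@example.org', message => 'Hello' },
    { submit_to => 'a@example.com,b@example.com',
                                   submit_by => 'visitor@example.org', message => 'Hello' },
    { submit_to => 'nobody',       submit_by => 'visitor@example.org', message => 'Hello' },
    { submit_to => "webmaster\n",  submit_by => 'visitor@example.org', message => 'Hello' },
);

for my $form (@samples) {
    (my $shown = $form->{submit_to}) =~ s/\n/\\n/g;   # make line breaks visible
    my $mail = build_message($form);
    printf "%-42s %s\n", "submit_to=\"$shown\"",
        defined $mail ? 'accepted, one fixed recipient' : 'rejected, no mail built';
}
```

Only the first sample is accepted; the address list, the unknown alias and the alias with a trailing line break all resolve to no recipient, so no message is built for them.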
Title: In need of form help
Post by: stapel on March 01, 2004, 05:47:13 PM
Kata: I know. I've never used the Matt Wright script, and feel very nervous about using a Matt Wright emulator that the author describes as "rough and ready" and "a work in progress", and the documentation warns can be set up to be at least as insecure as the original.

Would Lunarpages object, do you think, to people trying the other script that Dave Cross offers? Because I would just really like to stay away from the Matt Wright Archive family of scripts.

Thank you.

Eliz.
Title: In need of form help
Post by: Ed on March 01, 2004, 05:50:17 PM
I think they shouldn't have an issue with any of the nms-cgi scripts.

Though I can't give you a final word "official" response on that as I don't actually work for LP. You would have to email support@ for that.

- Ed
Title: In need of form help
Post by: GirlGamerJae on March 01, 2004, 06:24:13 PM
Quote from: stapel
trebormojo: According to this recent post:

http://www.lunarforums.com/forum/viewtopic.php?t=12050&start=15

...the TWebMan script is very exploitable, and its use has been banned. You have to use the Matt Wright script.

Hope that helps.

Eliz.


The Matt Wright script is exploitable too.... so it isn't that script either.
Title: In need of form help
Post by: Ed on March 01, 2004, 06:38:35 PM
The matt wright is the original exploited one. The NMS is the secure one to replace that.

- Ed
Title: In need of form help
Post by: Spinner on March 01, 2004, 09:10:23 PM
I have a bit of a problem with this talk of exploitable scripts.

I'm not going to get technical but every script can be exploited..even the ones we are calling "secure".

I appreciate the proactive response that Lunarpages is taking here but I feel that it's impossible to stop this kind of thing..and these are just stopgap measures.
Title: In need of form help
Post by: Ed on March 01, 2004, 09:40:49 PM
Lunarpages is acting on what you can easily classify as "easily exploitable". Yes, in theory you could argue that everything is exploitable, but some things are brutally easy to exploit. For example, I could post a few lines of code that would allow you to use another user's formmail installation to send out email to whoever you want.

Those ones are being exploited so often, and causing a lot of negative effects for LP - effects that could threaten that LP will be added to a black list of webhosts. An action that would threaten the ability of all their customers to send email to other people on the net. They are in a position where they MUST get rid of the easily exploited scripts to save their own reputation on the net.

I'm not saying they are having issues with being threatened to be added, but a lack of action could result in that.

- Ed
(This is just my personal opinion, not an 'official' post/response)
Title: In need of form help
Post by: Spinner on March 01, 2004, 09:48:35 PM
Quote
Lunarpages is acting on what you can easily classify as "easily exploitable". Yes, in theory you could argue that everything is exploitable, but some things are brutally easy to exploit. For example, I could post a few lines of code that would allow you to use another user's formmail installation to send out email to whoever you want.


I understand that and I commend Lunarpages for doing it. I have been hosted by and worked for companies that didn't give a damn about this sort of thing and it's quite impressive to see Lunarpages taking this type of action.

I also agree with the actions Lunarpages is taking (as far as not allowing a lot of these scripts) and I think it's something a lot of other hosting providers should do. I think it's an issue that all "webmasters" should pay close attention to. These issues are not going to go away any time soon. I see it every day (I teach webdev classes). I stress the importance of security but more often than not, it's like I am talking to a wall. Eh, I'm a bit jaded I guess.

In any case, thanks for the reply.
Title: In need of form help
Post by: TWebMan on March 02, 2004, 05:34:04 AM
Quote from: Kata
...(NMS stands for not matt wright)...


That's hilarious!  Heheh never saw that or made the connection.  Is it on their page?
Title: In need of form help
Post by: psmsmith on March 02, 2004, 06:28:36 AM
We have been trying all week to fix this form mail problem.   Can someone please help as soon as possible.   I've tried working with tech support.  The first person I talked to told me to use the TWE.. script, so we did.  (I also saw it recommended here.)  Then shortly after we got it working, tech support again disabled us.  We are having a problem getting the recommended one working and we don't have anyone that knows this language or how to fix it.
The last e-mail from tech support said they can see what the program is doing, but they did not help by telling us what we can do to fix it.  We are going on a week now of people that need our help that are having difficulty contacting us, so as soon as anyone can help it will be very appreciated.  

Our form mail page is:
http://www.lewybodydementia.org/contact.html

The script we are trying to get working is:
/www/contact.html
/www/cgi-bin/helpline.pl  (recommended script renamed)

Thank you.
Peggy
Title: In need of form help
Post by: Ed on March 02, 2004, 08:04:32 AM
Well.. it's amazing how fast people learn when their webhost gets blacklisted and they find they are no longer able to send emails to a large percentage of internet users!  :o
Title: In need of form help
Post by: Ed on March 02, 2004, 08:06:36 AM
psmsmith,
The best thing to do in your case would be to email support@lunarpages.com show them your post here, and explain that the correct installation is getting nailed as "insecure" even though it was recommended. They should be able to assist you, or rework the detection algorithm to pass by the script.

- Ed
Title: In need of form help
Post by: psmsmith on March 02, 2004, 08:28:58 AM
psmsmith ,
The best thing to do in your case would be to email support@lunarpages.com show them your post here, and explain that the correct installation is getting nailed as "insecure" even though it was recommended. They should be able to assist you, or rework the detection algorithm to pass by the script.

Ed,
- Thanks for responding, yes, I have e-mailed them once again, just prior to posting my original message to this forum, and am still waiting on a reply.  
- What tech support recommended early in the week was the TWebman script, which they are now saying we cannot use it, and have disabled it.
We are trying to use the latest recommendation, but have programming errors, and we don't know this Perl language.   Is there a programmer here on the forum that could look at it and help us resolve the errors??  
- Tech support's latest response was, yes there is an error and described the error, but they did not offer help in fixing it.    
- If there is anyone that is willing to help us, please contact me at uspms@yahoo.com.  What we are trying to do is not complex, and someone that knows this could probably help fix it quickly.  

Thank you,
Peggy
Title: In need of form help
Post by: Ed on March 02, 2004, 08:57:41 AM
Are you getting some kind of error, other than 500 internal server error?

If so, could you paste the error in here, and possibly a link to the form? The people that are often on the forums will be able to assist you. I will take a look at it later tonight when I get a free minute if it's still not resolved.

- Ed
Title: In need of form help
Post by: psmsmith on March 02, 2004, 09:26:17 AM
Ed,
The following link is our online form, from where you should also be able to view the source HTML we are using:  
http://www.lewybodydementia.org/contact.html
Below is a copy of the configuration section we modified of the recommended "NMS FormMail Version 3.11c1".
Thanks again,
Peggy

# USER CONFIGURATION SECTION
# --------------------------
# Modify these to your own settings. You might have to
# contact your system administrator if you do not run
# your own web server. If the purpose of these
# parameters seems unclear, please see the README file.
#
BEGIN
{
  $DEBUGGING         = 0;
  $emulate_matts_code= 1;
  $secure            = 1;
  $allow_empty_ref   = 1;
  $max_recipients    = 1;
  $mailprog          = '/usr/lib/sendmail -oi -t';
  $postmaster        ='lbdinfo@lewybodydementia.org';
  @referers          = qw(lewybodydementia.org);
  @allow_mail_to     = qw(lbdinfo@lewybodydementia.org localhost);
  @recipients        = ();
  %recipient_alias   = ();
  @valid_ENV         = qw(REMOTE_HOST REMOTE_ADDR REMOTE_USER HTTP_USER_AGENT);
  $locale            = '';
  $charset           = 'iso-8859-1';
  $date_fmt          = '%A, %B %d, %Y at %H:%M:%S';
  $style             = '/css/nms.css';
  $no_content        = 0;
  $double_spacing    = 1;
  $wrap_text         = 0;
  $wrap_style        = 1;
  $send_confirmation_mail = 0;
  $confirmation_text = <<'END_OF_CONFIRMATION';
From: lbdinfo@lewybodydementia.org
Subject: form submission

Thank you for your form submission.

END_OF_CONFIRMATION
Title: In need of form help
Post by: psmsmith on March 02, 2004, 09:29:51 AM
Ed,
Forgot to add that our error is as follows, and it occurs when all fields are entered and the form is submitted.  
Thanks,
Peggy

--------------------------------
The following fields were left blank in your submission form:
subject
These fields must be filled in before you can successfully submit the form.
Please use your back button to return to the form and try again.
-----------------------------------
Title: In need of form help
Post by: Ed on March 02, 2004, 11:36:17 AM
You've got an error in your HTML code:

<tr><td>Message:</td><td><textarea cols="40" rows="10" name="Message" </textarea></td></tr>

Should be:

<tr><td>Message:</td><td><textarea cols="40" rows="10" name="Message"></textarea></td></tr>

As a result the whole form isn't correctly showing up.

Try that.

- Ed
Title: In need of form help
Post by: psmsmith on March 02, 2004, 01:24:58 PM
Quote from: Kata
You've got an error in your HTML code:
Should be:
<tr><td>Message:</td><td><textarea cols="40" rows="10" name="Message"></textarea></td></tr>
As a result the whole form isn't correctly showing up.
Try that.
- Ed


Hi Ed,
Thanks, I tried your suggestion but received the same error message as before.  I since have been successful in eliminating the error by removing the word  'subject' from the 'required' fields parameter.   However, we really would like this to be a required field.  

Does anyone know if/how we could fix this?

Thanks,
Peggy