Lunarpages Web Hosting Forum

Author Topic: In need of form help  (Read 5784 times)

Offline Ed

  • Berserker Poster
  • *****
  • Posts: 5156
    • Joke A Whenever
In need of form help
« Reply #15 on: March 01, 2004, 01:13:04 PM »
Did you want to post the lines of code that send the message? You have to hardcode all the headers to secure it.

- Ed

Offline trebormojo

  • Galactic Royalty
  • *****
  • Posts: 254
    • http://www.arts-design-team.com
In need of form help
« Reply #16 on: March 01, 2004, 01:39:46 PM »
so is Twebman's scripts secure or not? I was using one and they cut it off, so what's the deal?

Offline stapel

  • Galactic Royalty
  • *****
  • Posts: 491
In need of form help
« Reply #17 on: March 01, 2004, 01:40:37 PM »
Kata: The HTML coding included:
Code: [Select]
<input type="hidden" name="submit_to" value="webmaster">
The script then checked this value against a list (array?) and read a hard-coded e-mail address into the process:

Code: [Select]
 %addy_list = ("webmaster", "default\@yourdomain.com");
Later in the code, this list of hard-coded addresses (there can be more than one) is read into an array used for addressing the posted message:

Code: [Select]
   if ($key eq "submit_to") {
       $content=~s/\012//g;
       $content=~s/\015//g;
       $content=~s/ //g;
       @recipients=split(/,/,$addy_list{$content});

I think this is the bit of coding that does the actual mailing:

Code: [Select]
sub write_data
{

   if ($fields{'submit_by'} ne "") {
       if (&valid_address == 0) {
          &bad_email;
          exit;
       }
   }
   
   if ($fields{'submit_by'} ne "" && $fields{'emailfile'} ne "") {
      open (EMF,">>$fields{'emailfile'}");
      print EMF "$fields{'submit_by'}\n";
      close (EMF);
   }

   if ($fields{'submit_to'} ne "") {
     $msgtext="";
     $msgtext .= "On $SD at $ST,\n";
     $msgtext .=  "The following information was submitted:\n";
     $msgtext .=  "From Host: $ENV{'REMOTE_ADDR'}\n";
   }

   if ($fields{'outputfile'} ne "") {
      &get_the_lock;
      open(OUT_FILE,">>$fields{'outputfile'}");
   }

   foreach $to_print (@sortlist) {
      if ($fields{'outputfile'} ne "")
       { print OUT_FILE "$fields{$to_print}\|"; }
      if ($fields{'submit_to'} ne "")
       { $msgtext .= "$to_print = $fields{$to_print}\n"; }
   }
   if ($fields{'outputfile'} ne "") {
     print OUT_FILE "$SD\|$ST\|\n";
     close(OUT_FILE);
     &drop_the_lock;
   }

   foreach $to_get (@recipients) {
      $mailresult=&sendmail($fields{submit_by}, $fields{submit_by}, $to_get, $SMTP_SERVER, $fields{form_id}, $msgtext);
      if ($mailresult ne "1") {
       print "Content-type: text/html\n\n";
       print "MAIL NOT SENT. SMTP ERROR: $mailcodes{'$mailresult'}\n";
       exit
      }
    }
   foreach $to_cc (@cc_tos) {
      $mailresult=&sendmail($fields{submit_by}, $fields{submit_by}, $to_cc, $SMTP_SERVER, $fields{form_id}, $msgtext);
      if ($mailresult ne "1") {
       print "Content-type: text/html\n\n";
       print "MAIL NOT SENT. SMTP ERROR: $mailcodes{'$mailresult'}\n";
       exit
      }
    }

}


Thank you.

Eliz.

Offline stapel

  • Galactic Royalty
  • *****
  • Posts: 491
In need of form help
« Reply #18 on: March 01, 2004, 01:47:34 PM »
trebormojo: According to this recent post:

http://www.lunarforums.com/forum/viewtopic.php?t=12050&start=15

...the TWebMan script is very exploitable, and its use has been banned. You have to use the Matt Wright script.

Hope that helps.

Eliz.

Offline trebormojo

  • Galactic Royalty
  • *****
  • Posts: 254
    • http://www.arts-design-team.com
In need of form help
« Reply #19 on: March 01, 2004, 02:36:14 PM »
Does the program LP is using to find the exploitable scripts find every one? It only flagged my Twebman script, but not some others I had that were from a "EZ Form Mailer" not "EZ Formmail"

However, they are under a subdomain with its own cgi directory - does that matter? I took them off and uploaded a copy to the helpdesk under my post. I want to fix this problem just as much as LP.

I'm probably just wasting more time on the forum than if I just remade all my scripts with the secure one :/

Offline trebormojo

  • Galactic Royalty
  • *****
  • Posts: 254
    • http://www.arts-design-team.com
In need of form help
« Reply #20 on: March 01, 2004, 04:36:27 PM »
BTW that sourceforge script is really great and powerful! Thanks LP!!!

Offline Ed

  • Berserker Poster
  • *****
  • Posts: 5156
    • Joke A Whenever
In need of form help
« Reply #21 on: March 01, 2004, 04:44:19 PM »
The program they used is somethign written in house I beleive. Its custom developed to pick up the currently known easily exploitable ones.

- Ed

Offline Ed

  • Berserker Poster
  • *****
  • Posts: 5156
    • Joke A Whenever
In need of form help
« Reply #22 on: March 01, 2004, 04:47:55 PM »
Stapel - the matt wright script is the top explitable script. You want to use the nms-cgi script (NMS stands for not matt wright). :-)

If there is a from variable in the script (the message appears to be from the user that submitted the form) then yes, there is a potential exploit which I detailed on the page explaining twebs script.

- Ed

Offline stapel

  • Galactic Royalty
  • *****
  • Posts: 491
In need of form help
« Reply #23 on: March 01, 2004, 05:47:13 PM »
Kata: I know. I've never used the Matt Wright script, and feel very nervous about using a Matt Wright emulator that the author describes as "rough and ready" and "a work in progress", and the documentation warns can be set up to be at least as insecure as the original.

Would Lunarpages object, do you think, to people trying the other script that Dave Cross offers? Because I would just really like to stay away from the Matt Wright Archive family of scripts.

Thank you.

Eliz.

Offline Ed

  • Berserker Poster
  • *****
  • Posts: 5156
    • Joke A Whenever
In need of form help
« Reply #24 on: March 01, 2004, 05:50:17 PM »
I think they shouldn't have an issue with any of the nms-cgi scripts.

Though I can't give you a final word "official" response on that as I dont actually work for LP. You would have to email support@ for that.

- Ed

Offline GirlGamerJae

  • Galactic Royalty
  • *****
  • Posts: 358
In need of form help
« Reply #25 on: March 01, 2004, 06:24:13 PM »
Quote from: stapel
trebormojo: According to this recent post:

http://www.lunarforums.com/forum/viewtopic.php?t=12050&start=15

...the TWebMan script is very exploitable, and its use has been banned. You have to use the Matt Wright script.

Hope that helps.

Eliz.


The Matt Wright script is exploitable too.... so it isn't that script either.
"Music washes away from the soul the dust of everyday life."
-quote from Berthold Auerbach, Author

Offline Ed

  • Berserker Poster
  • *****
  • Posts: 5156
    • Joke A Whenever
In need of form help
« Reply #26 on: March 01, 2004, 06:38:35 PM »
The matt wright is the original exploited one. The NMS is the secure one to replace that.

- Ed

Offline Spinner

  • Spacescooter Operator
  • *****
  • Posts: 48
In need of form help
« Reply #27 on: March 01, 2004, 09:10:23 PM »
I have a bit of a problem with this talk of exploitable scripts.

Im not going to get technical but every script can be exploited..even the ones we are calling "secure".

I appreciate the proactive response that Lunarpages is taking here but I feel that it's impossible to stop this kind of thing..and these are just stopgap measures.

Offline Ed

  • Berserker Poster
  • *****
  • Posts: 5156
    • Joke A Whenever
In need of form help
« Reply #28 on: March 01, 2004, 09:40:49 PM »
Lunarpages is acting on what you can easily classify as "easily exploitable" Yes, in theory you could argue that everythign is exploitable, but some things are brutally easy to exploit. For example, I coudl post a few lines of code that would allow you to use another users formmail installation to send out email to whoever you want.

Those ones are being exploited so often, and causing a lot of negative effects for LP - effects that could threaten that LP will be added to a black list of webhosts. An action that would threaten that ability of all their customers to send email to other people on the net. They are in a position where they MUST get rid of the easily exploited scripts to save their own reputation on the net.

I"m not saying they are having issues with being threatened to be added, but a lack of action could result in that.

- Ed
(This is just my personal opinion, not an 'official' post/response)

Offline Spinner

  • Spacescooter Operator
  • *****
  • Posts: 48
In need of form help
« Reply #29 on: March 01, 2004, 09:48:35 PM »
Quote
Lunarpages is acting on what you can easily classify as "easily exploitable" Yes, in theory you could argue that everythign is exploitable, but some things are brutally easy to exploit. For example, I coudl post a few lines of code that would allow you to use another users formmail installation to send out email to whoever you want.


I understand that and I commend Lunarpages for doing it. I have been hosted by and worked for companies that didn't give a damn about this sort of thing and it's quite impressive to see Lunarpages taking this type of action.

I also agree with the actions Lunarpages is taking (as far as not allowing a lot of these scripts) and I think it's something a lot of other hosting providers should do. I think it's an issue that all "webmasters" should pay close attention to. These issues are not going to go away any time soon. I see it every day (I teach webdev classes). I stress the importance of security but more often than not, it's like I am talking to a wall. Eh, Im a bit jaded I guess.

In any case, thanks for the reply.