Lunarpages Web Hosting Forum

Author Topic: In need of form help  (Read 5758 times)

Offline DJReda

  • Space Explorer
  • ***
  • Posts: 6
    • http://www.bullieforums.com
In need of form help
« on: February 27, 2004, 05:52:11 PM »
Hi guys and girls,

I'm in need of some help from the experts!
I am familiar with HTML and Frontpage but cgi and the others are Greek to me.

What I'm looking to do is create a few forms for various parts of my site in which a user would fill in information in provided fields (text, checkboxes, dropdowns etc) and I'm LOST!  :(  :(

Is there somewhere that I can get a base template to work with? But the problem is I wouldn't know where or what to put as "actions or submits" to have the form emailed to me with the users input.

I tried the cgi icon in the CPanel and tried to follow the instructions but I'm still lost - PLEASE HELP!  :cry:

Thanks everyone!

Dominick...
If you pick up a starving dog and make him prosperous, he will not bite you. This is the principal difference between a dog and a man.
-Mark Twain

www.bullieforums.com
www.segwayofwestbrook.com
www.magnoliarun.com
www.westbrookpowersports.com
All created by :: www.2square.com

Offline stapel

  • Galactic Royalty
  • *****
  • Posts: 491
In need of form help
« Reply #1 on: February 29, 2004, 01:41:09 PM »
You have to use the Matt Wright formail emulator found here:

http://nms-cgi.sourceforge.net/scripts.shtml

Lunarpages will not allow you to use any other script (according to what Support has told me), which I would have to assume includes the one in the CGI folder in cPanel. There doesn't appear to be much documentation or support, so definitely read the "Readme" file. If you do the settings incorrectly, this script will be as insecure as the original Matt Wright "formail" script, which would be a very bad thing (for you; great for the spammers who would hijack your account).

Eliz.

Offline TWebMan

  • Quantum Encyclopedia Writer
  • *****
  • Posts: 3047
    • Take charge of your site
In need of form help
« Reply #2 on: March 01, 2004, 08:35:11 AM »
"Computers cause people to make more mistakes than any other invention in history, with the possible exception of handguns and tequila."  - Unknown
"Liberty of any kind is seldom lost all at once." - D. Hume
Every day is an Ode to Joy
The planet will be fine... and so will your site

Danielle

  • Guest
In need of form help
« Reply #3 on: March 01, 2004, 08:39:00 AM »
Hi TWebMan,

Actually, the new policy is that other scripts aren't allowed for formmail due to the numerous exploited scripts we have had for other formmail versions.  Thus, we aren't able to recommend ones other than nms currently, with the link being:

http://nms-cgi.sourceforge.net/scripts.shtml

Sorry about any misunderstanding on the matter.

Thanks

Offline TWebMan

  • Quantum Encyclopedia Writer
  • *****
  • Posts: 3047
    • Take charge of your site
In need of form help
« Reply #4 on: March 01, 2004, 08:47:52 AM »
OK no problem I'll stop offering my script here.  But it's never been hijacked, fyi :)

The others, I believe, all have, at one point or another.

Sometimes efficiency is in simplicity.  Since there's no recipient variable in my script, it's not possible to use it to send mail to anybody but the one recipient that's hardcoded into the script, right in the sendmail command.

All the others still use variables.  If it's not protected in a private object, a var can be changed.  Since perl is not OOP, you can't protect variables.

Best course of action, don't use one!  ;)  That's what I do.

I've already fooled both the latest formmail and BNB script.  I'll demonstrate to the staff, if you like, how easy it is to fool these scripts.  Once you're in, if the recipient is a variable, you're all set.  Plug in 10, 100, 1000 recipients and you're off.

Seems what they've done is pile checkpoints into the script.  What I've done is simply hardcode the simple recipient (with a couple important checkpoints also).

If someone manages to fool my script, the result is the single recipient will receive a spam message.  One email sent :)

Offline stapel

  • Galactic Royalty
  • *****
  • Posts: 491
In need of form help
« Reply #5 on: March 01, 2004, 08:59:48 AM »
TWebMan: I had changed the BNBForm script so that the recipient was designated as, say, "webmaster", with the actual e-mail hard-coded into the script. That is, the script took the variable "webmaster" and inserted the hard-coded address. How does this differ from what your script does, other than allowing for variable recipients?

Thank you.

Eliz.

Offline TWebMan

  • Quantum Encyclopedia Writer
  • *****
  • Posts: 3047
    • Take charge of your site
In need of form help
« Reply #6 on: March 01, 2004, 09:03:37 AM »
Where does the email addy start, in the script?  That's more secure.  What would happen if you sent a post to that script with a hidden field called webmaster, with 1000 email addresses in it, separated by commas?

Offline stapel

  • Galactic Royalty
  • *****
  • Posts: 491
In need of form help
« Reply #7 on: March 01, 2004, 09:09:06 AM »
TWebMan: I'm not sure what you mean. The "value" of the hidden field "submit_to" is set as "webmaster". Within the CGI, "webmaster" is mapped to a hard-coded e-mail address. How would that be converted to a thousand e-mail addresses? Are you saying that the hacker can edit the CGI script to change the hard-coded addresses? If so, how could any script be secure?

Thank you.

Eliz.

Offline TWebMan

  • Quantum Encyclopedia Writer
  • *****
  • Posts: 3047
    • Take charge of your site
In need of form help
« Reply #8 on: March 01, 2004, 09:13:21 AM »
No, they can't be hardcoded in.  When a form post comes in with the same name as a variable, though, that variable can be overwritten with the value of the form post... depending where that var is in the script.

I'm sure they're not going to put it somewhere it can be changed, under normal circumstances, but a spammer may find the right combination in a query string or form to overwrite that variable with the incoming form field.

Offline stapel

  • Galactic Royalty
  • *****
  • Posts: 491
In need of form help
« Reply #9 on: March 01, 2004, 09:20:28 AM »
TWebMan: So hard-coding doesn't really matter, since any script value can be overwritten? Yeesh! Since scripted form-handlers can be hacked, and since "mailto" links are out of the question, how then can we have users contact us?

Thank you.

Eliz.

Offline TWebMan

  • Quantum Encyclopedia Writer
  • *****
  • Posts: 3047
    • Take charge of your site
In need of form help
« Reply #10 on: March 01, 2004, 09:31:04 AM »
No, no, variables can be overwritten.  It's the hard coding that can't be overwritten.

Offline stapel

  • Galactic Royalty
  • *****
  • Posts: 491
In need of form help
« Reply #11 on: March 01, 2004, 09:59:45 AM »
TWebMan: I'm sorry, but won't any script have variables? (For instance, the message being sent should not be fixed in advance, should it?) Also, I don't understand how changing the variable in the "submit_to" field of the HTML form would help the hacker, since the script would then not recognize the variable and would have no e-mail address (from the hard-coded list) to which to map the new variable.

Thank you.

Eliz.

Offline Neco

  • Jabba the Hutt
  • *****
  • Posts: 633
    • http://www.oldskoolgames.com
In need of form help
« Reply #12 on: March 01, 2004, 10:45:03 AM »
While in the traditional programming sense, a variable is anything that holds data, in the web sense, a variable is usually referred to as data that is modified by user input.

If you can't modify the hard-coded email address, you can't change it.  Since the address is hard-coded and does not require any input from the user, in theory it should be secure.

Think of it as a stop sign vs a traffic light.

When you plant a stop sign, it means stop. You must always stop. You can do nothing at that sign but stop, or you are breaking the law.

When you come to a stop light you have more options.  

Red - you must stop.
Yellow - you must slow down and be prepared to stop.
Green - you may pass through.

When someone hijacks a script's variable, they may want to change the stop light so that instead of the stop light turning "red" (mail to fixed@domain.com) it turns green instead (mail to "list of addresses to spam@domains.com").

I hope I explained this right

lol  =\

Offline stapel

  • Galactic Royalty
  • *****
  • Posts: 491
In need of form help
« Reply #13 on: March 01, 2004, 10:51:50 AM »
Neco: I can understand if the variable were "send_to_addy@domain.com", so the e-mail address is in the HTML script and is sent as a variable to the script. But in my case, the variable was "send_to_designated_recipient", which the script then mapped to a hard-coded address. That is, the script read "designated_recipient" and processed "hard_coded_addy@domain.com". I'm hearing that this hard-coding can be replaced, so the variable sent would be "send_to_hacker_new_variable", and the script would somehow map this to "hack_addy_1@hacker.com", "hacker_addy_2@hacker.com", etc, etc. I guess this is what I'm not understanding: how the hard-coding can be overcome.

It is occasions like this that make me wish I had the time not to be so ignorant....

Thank you.

Eliz.
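
As an added example (not code from this thread, nor from NMS, BNBForm or TWebMan's script), here is the alias-to-hard-coded-address lookup stapel describes in Replies #5 and #13, written in Perl so that no form value can ever become an address: the address table is a lexical hash, request parameters are never unpacked into global variables (the overwrite TWebMan describes in Reply #8), and anything that is not exactly one known alias is rejected. All addresses and requests below are constructed sample values, and the tiny query-string parser stands in for CGI.pm so the script runs offline.

```perl
#!/usr/bin/perl
# Added example: recipient aliases mapped to hard-coded addresses.
use strict;
use warnings;

# The only addresses this script will ever mail (constructed samples).
# Lexical, so no request parameter can reach or overwrite it.
my %RECIPIENTS = (
    webmaster => 'webmaster@example.com',
    sales     => 'sales@example.com',
);

# Map a "submit_to" form value to a real address. Returns undef for
# anything that is not exactly one known alias, so a comma-separated
# list or an injected header line is rejected instead of mailed.
sub resolve_recipient {
    my ($alias) = @_;
    return undef unless defined $alias;
    return undef unless $alias =~ /\A[a-z0-9_]{1,32}\z/;  # alias shape only
    return $RECIPIENTS{$alias};                            # undef if unknown
}

# Minimal query-string parser (stand-in for CGI.pm). Values stay in a
# hash; they are deliberately never assigned to named globals.
sub parse_query {
    my ($qs) = @_;
    my %p;
    for my $pair (split /&/, $qs) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k;
        $v = '' unless defined $v;
        for ($k, $v) { tr/+/ /; s/%([0-9A-Fa-f]{2})/chr hex $1/ge; }
        $p{$k} = $v unless exists $p{$k};   # first value wins
    }
    return \%p;
}

# Constructed requests: one legitimate, two abusive.
for my $qs ('submit_to=webmaster&msg=hi',
            'submit_to=webmaster%2Cother%40spam.example&msg=hi',
            'submit_to=other%40spam.example&msg=hi') {
    my $p  = parse_query($qs);
    my $to = resolve_recipient($p->{submit_to});
    print defined $to ? "would mail $to\n" : "rejected: unknown recipient\n";
}
```

Only the first request resolves to an address; the other two fail closed, which is the property the thread is after: the form names a label, the script alone knows the address.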

Offline Neco

  • Jabba the Hutt
  • *****
  • Posts: 633
    • http://www.oldskoolgames.com
In need of form help
« Reply #14 on: March 01, 2004, 10:54:06 AM »
Think I better leave the rest to Twebman, I might learn something myself, heh.