Lunarpages Web Hosting Forum

Topic: info on allowed scripts?

stapel
info on allowed scripts?
« on: February 29, 2004, 05:36:05 AM »
I have just been informed by Support (after they munged my file names last night so none of the scripts worked) that the only scripts that Lunarpages now allows their customers to use are the ones listed here:

http://nms-cgi.sourceforge.net/scripts.shtml

I had been using Big Nose Bird's "bnbform.cgi" (and I've re-munged the names so I can have working forms until I get things revamped). I do not recall having received notification that my current scripts were going to be disallowed. (Some warning would have been nice.) Also, I'm not terribly comfortable replacing a script that has been dependable with a script that the author describes as "a work in progress".

Does anyone have information on when we were all told that we all had to change all of our scripts to this one guy's, and can anyone give me some history on the dependability and security of this guy's work?

Thank you.

Eliz.

Ripta
« Reply #1 on: February 29, 2004, 10:58:37 AM »
Shouldn't support email you and notify you to change your scripts instead of just changing filenames? I thought that's the correct way of doing business...

stapel
« Reply #2 on: February 29, 2004, 01:29:37 PM »
Yes, some warning would have been nice. According to Support, the e-mail script at the sourceforge site is "the only script allowed". Apparently nobody is allowed to use any other scripts of any sort for any purpose. This seems fairly harsh. We've got a spam-bot-blocking script running, and if we can't use that here at Lunarpages, we may have to leave.

How disappointing. And how odd that they still have other scripts in the CGI folder in cPanel. Why have them there, since we're not allowed to use them?

Eliz.

Priest
« Reply #3 on: February 29, 2004, 01:46:48 PM »
Whenever a scan of our systems shows a script we do not allow, we generally rename it immediately and then send an email to the customer letting them know that the script has been renamed and what it has been renamed to. I'm kinda new around here, but I would say it is to remove the vulnerability from the server as soon as possible. There are circumstances where customers may be on vacation, etc., and not be able to change the script, leaving the vulnerability in place. Ensuring the proper running of the server is paramount.

As for the support response, the email form script from Sourceforge is the only email script that we allow.  Our admins have looked at the script and would not simply suggest using one unless they were sure it was not going to cause problems.  Being a programmer I know that my works are always labeled as 'works in progress' as most software will have to be updated/changed as computing changes (plus most programmers are never fully happy with their products, always some feature to add, change the color here, etc :D).

If you would like to read up on NMS, visit their main site at http://nms-cgi.sourceforge.net/ .  Scroll down and visit some of the links talking about the referrals they have received and some of the places their code is used (I saw mention that they were included in some Debian Linux distributions).  Hope that will help ease your mind about the people that wrote the code and their background.

I do apologize for the confusing response you received and know that we do not ban all scripts, so your other scripts should be ok.

stapel
« Reply #4 on: February 29, 2004, 02:00:04 PM »
Thank you for your response. However, I'm a bit confused. If the Matt Wright emulator is the only script allowed, why is CGIemail offered through cPanel? Would you happen to know on what basis BNBForm is regarded as dangerous? The only security issue I can find for this script was handled some time ago.

Thank you.

Eliz.

Priest
« Reply #5 on: February 29, 2004, 02:08:25 PM »
The BNB Form has been used in the past as a spam relay.  I do not know the specifics as to how the exploit is done as I have never actually looked at the code or researched the issue, I just know that it has been done in the past to a point that it warranted disallowing it on our servers.

I just now went into my cpanel and tried to click on the CGIemail link there.  It redirects to a website about the script not being set up properly.  The makers of CPanel may have included it in their software and the link was changed by Lunarpages so that it could not be installed.  I do not know for certain why it is in the CPanel.

If I can be of any more service please let me know.

Admin
« Reply #6 on: February 29, 2004, 02:46:06 PM »
We have about 3 or 4 scripts exploited per week at this point. Scripts that I have seen exploited are big nose bird, matt's, jacks, ez_form, twebman's...the list goes on.

This has caused some major problems on our servers and we have just started being proactive about it.  

From what I understand the cgi email is not one being disabled.

leighsww
« Reply #7 on: February 29, 2004, 03:13:39 PM »
Even TWebman's script?  Yikes, he's not going to be too happy with that.  Especially, since we just made him the form mail GURU, too (well, I did anyway, Ed wasn't too happy about being demoted)!  :cry:

Admin
« Reply #8 on: February 29, 2004, 03:15:27 PM »
We've traded some feedback with other webhosts and so far the one we recommend is the one a lot of hosts are going with as well.  Seems to be the general consensus that it's the most secure.

superstar
« Reply #9 on: March 01, 2004, 12:27:26 AM »
So, which scripts are allowed now?

"Invalid Cgi" is all I get in my error logs, did you disable my whole cgi directory?

And I never got an email either. The scripts worked yesterday........

Thanks

steve
« Reply #10 on: March 01, 2004, 03:24:37 AM »
Quote from: StevenP
As for the support response, the email form script from Sourceforge is the only email script that we allow.

Just to clarify, the NMS script isn't the only one we allow, but it's one we've looked at (the referer checking, in particular) and it doesn't have some of the careless mistakes exhibited by a few others.

The formmail scanning is targeting specific signature code. For example: Matt's Script Archive, Big Nose Bird, Jack's Formmail and a few others.
Steven Klassen
Lunarpages Support
http://www.lunarpages.com/

steve
« Reply #11 on: March 01, 2004, 03:30:17 AM »
Quote from: superstar
So, which scripts are allowed now?

I replied to this in an earlier post, but it's not so much a white listing of certain scripts but a blacklisting of known-issue code that we've linked with a specific complaint (and sometimes, a spam block).

Quote from: superstar
"Invalid Cgi" is all I get in my error logs, did you disable my whole cgi directory?

That was the reasoning for appending a suffix to the script as opposed to completely renaming them. The scripts should still be where you left them.

Quote from: superstar
And I never got an email either. The scripts worked yesterday........

If there's an email address in the database (that works), an email was sent that direction. Else, a message went to the operations manager with a list.

TWebMan
« Reply #12 on: March 01, 2004, 08:37:34 AM »
Steve, do all those scripts not accept variables for the recipient? All you need to do is munge the headers or httpd.conf on a server you control and post to the script from there, and referrer control goes out the window.

Seems the best protection all-around is no variable for a recipient.  That's your final line of defense, I would think.

My scripts:
1. Do not accept query strings
2. Do not accept posts from outside the allowed referrers (yes, foolable)
3. Have NO recipient variable. The recipient chosen by the user when they make the form is only there as an email address, in the sendmail command. I don't see how that script can be hijacked without FTP access.

steve
« Reply #13 on: March 01, 2004, 12:53:11 PM »
Kata covered this in this other post. You don't really need access to the server to insert your own message headers.

http://www.lunarforums.com/forum/viewtopic.php?p=72478
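The two defences TWebMan describes (no recipient variable; a referer check kept only as a weak filter) and the header-insertion problem Steve points to, put together as an added example. This is not NMS FormMail or any Lunarpages script, and it is Python rather than the Perl the scripts in this thread are written in; the form keys, addresses and hostnames are constructed for illustration.

```python
"""Added example: hardened form-to-mail handler logic.

Not NMS FormMail or any script from this thread. Shows:
  * no recipient variable: the form carries a key, the server maps it to a
    fixed address, so a posted "recipient" field is simply ignored;
  * header-bound form fields are rejected if they contain CR or LF, because
    a CRLF inside a header value ends that header and starts another one
    (which is how a form field can smuggle in extra headers such as Bcc:);
  * the Referer check is kept only as a weak first filter, not the defence.
All addresses, hostnames and form keys below are constructed.
"""
import re
from email.message import EmailMessage
from urllib.parse import urlsplit

# Constructed configuration: form key -> fixed recipient (assumed values).
FIXED_RECIPIENTS = {
    "contact": "owner@example.com",
    "orders": "sales@example.com",
}
ALLOWED_REFERER_HOSTS = {"www.example.com"}
# Form fields that end up in message headers; everything else goes in the body.
HEADER_FIELDS = ("subject", "email", "realname")
SIMPLE_ADDR = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def find_header_injection(fields):
    """Names of header-bound fields containing CR or LF, sorted."""
    return sorted(
        name for name in HEADER_FIELDS
        if "\r" in fields.get(name, "") or "\n" in fields.get(name, "")
    )


def referer_allowed(referer):
    """Referer is client-supplied and trivially forged; this only filters
    casual abuse and is never the last line of defence."""
    if not referer:
        return False
    return urlsplit(referer).hostname in ALLOWED_REFERER_HOSTS


def resolve_recipient(fields):
    """Map the form key to a fixed address; unknown key -> None.
    The client never supplies an address, so there is nothing to hijack."""
    return FIXED_RECIPIENTS.get(fields.get("form", ""))


def build_message(fields, referer=None):
    """Return (EmailMessage, "ok"), or (None, reason) if the post is rejected."""
    if not referer_allowed(referer):
        return None, "bad referer"
    to_addr = resolve_recipient(fields)
    if to_addr is None:
        return None, "unknown form key"
    bad = find_header_injection(fields)
    if bad:
        # Checked before building so the handler can log which field was abused.
        return None, "header injection in: " + ", ".join(bad)

    msg = EmailMessage()
    msg["To"] = to_addr
    msg["From"] = "formmail@example.com"  # fixed sender, never form data
    sender = fields.get("email", "")
    if SIMPLE_ADDR.match(sender):
        msg["Reply-To"] = sender
    msg["Subject"] = fields.get("subject", "(no subject)")[:200]
    body = "\n".join(
        f"{name}: {value}"
        for name, value in sorted(fields.items())
        if name not in HEADER_FIELDS and name != "form"
    )
    msg.set_content(body)
    return msg, "ok"


if __name__ == "__main__":
    # Constructed submissions: one legitimate, one carrying a CRLF in a header field.
    legit = {"form": "contact", "subject": "Hello", "email": "ann@example.org",
             "realname": "Ann", "comment": "Hi there",
             "recipient": "other@example.net"}  # ignored: no recipient variable
    ref = "http://www.example.com/contact.html"
    print(build_message(legit, ref))
    injected = dict(legit, subject="Hello\r\nBcc: someone@example.net")
    print(build_message(injected, ref))
```

The point of the layout is that the recipient is decided by server-side configuration and the only client data that reaches a header is checked for line breaks first; the referer test stays in, but nothing depends on it.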

Ed
« Reply #14 on: March 01, 2004, 01:03:37 PM »
One of the things I have done with my scripts is all variables that interface with the email part are named with obscure names like $hfssuyf3f instead of $to. Chances are the spammer would give up first :-)