RE: [2] [cobalt-users] forms
- Subject: RE: [2] [cobalt-users] forms
- From: "Dee Dreslough" <dee@xxxxxxxxxxx>
- Date: Thu Mar 15 06:58:02 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
>>And whatever you do, do NOT use Matt Wright's FormMail to solve your
>>problem.
>>You'll turn your server into an instant spam machine.
>
>Why are you telling it? Is there something hidden that can be used
>for that purpose, or is it just insecure? I did not look closer so far...
Formmail.pl is insecure. It's supposed to check for the referring URL
that's submitting the form, but it doesn't work right. Anyone can spoof it
by just entering their data in a URL like:
http://www.somesite.com/cgi-bin/FormMail.pl?email=foo@xxxxxxx&required=email&required=firstname&required=lastname&required=spam&spam="Hi visit my porn site!"&submit=Submit
(What I typed up there won't work, btw...it's just an example that I wrote
off the top of my head and it's not all correct for being passed to the
form, etc.) Someone earlier had posted a link with an example of a URL. I
tried it on my altered versions of formmail, and lo and behold -- it worked.
Ignored the referring URL and everything... I quickly got in there and
ripped down the formmails I had been using.
What you can do is hardcode the receiving email into the perl script to
disable their ability to use it to target other people. Of course, that
means if a spammer goes to use your formmail, you'll get a zillion copies of
his spam... :)
Formmail isn't a bad basis to alter to make other forms, but as it is
written now, it's a nightmare for sysadmins, and a dream come true for
spammers. :)
-Dee Dreslough
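A defender's sketch of the hardening Dee describes above (recipient hardcoded server-side, the Referer header never trusted), written as an added example in Python rather than the Perl of FormMail.pl; it is not code from this thread or from FormMail, and the recipient address, field names and sample query strings are constructed for illustration.

```python
from urllib.parse import parse_qs

# Server-side configuration: the request can never override any of these.
RECIPIENT = "webmaster@example.net"   # hardcoded recipient (constructed address)
ALLOWED_FIELDS = ("email", "firstname", "lastname", "comments")
REQUIRED_FIELDS = ("email", "firstname")
SUBJECT = "Website form submission"

# Parameters FormMail.pl reads as configuration. A client that sends any
# of them is trying to steer the form, so the submission is refused.
STEERING_PARAMS = frozenset({"recipient", "required", "subject", "redirect"})


def handle_form(query_string):
    """Turn a raw CGI query string into a result dict.

    Returns {"accepted": True, "to", "subject", "body"} for a valid
    submission, or {"accepted": False, "reason"} when it is refused.
    The Referer header is not consulted at all: it is supplied by the
    client, so it cannot prove where the form was submitted from.
    """
    params = parse_qs(query_string, keep_blank_values=True)

    steering = sorted(STEERING_PARAMS & set(params))
    if steering:
        return {"accepted": False, "reason": f"client sent config params {steering}"}

    missing = [f for f in REQUIRED_FIELDS if not params.get(f, [""])[0].strip()]
    if missing:
        return {"accepted": False, "reason": f"missing required fields {missing}"}

    # Only known data fields reach the mail body; anything else (a "spam"
    # field, the submit button value) is dropped rather than forwarded.
    body = "\n".join(f"{name}: {params[name][0]}"
                     for name in ALLOWED_FIELDS if name in params)
    return {"accepted": True, "to": RECIPIENT, "subject": SUBJECT, "body": body}


if __name__ == "__main__":
    # Constructed query strings modelled on the one quoted in the mail.
    abusive = ("email=foo%40example.org&required=email&required=firstname"
               "&required=spam&spam=Hi+visit+my+site&submit=Submit")
    honest = ("email=alice%40example.org&firstname=Alice&lastname=Smith"
              "&comments=Hello&submit=Submit")
    for qs in (abusive, honest):
        print(handle_form(qs))
```

Refusing (and logging) rather than silently ignoring the configuration parameters gives a sysadmin a signal that someone is probing the form, which is what the spammer scanning in the thread looks like from the server side.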