RE: [cobalt-users] CGI email



> Okay, can anyone suggest a suitable replacement for FormMail that
> doesn't have this sort of vulnerability?  I suspect this would be of
> interest to quite a few list members, since FormMail seems to be in
> exceptionally widespread use...
>
> - C.

Clayton,

Let's not all jump off the deep end at once. This problem is easily
fixed without reinventing the wheel.

Option 1: Perhaps the quickest and most expedient solution is to hardcode
the recipient address rather than availing yourself of the recipient
variable. As an additional measure of security, you could rename the
recipient variable to something non-intuitive such as 'peanut' or 'liver'
or a random string such as '77hu9jio'. The drawback of this method is
that it would require a separate script for each recipient that needs
to use it (figure maybe 2-3 people per v-site).

Option 2: Create an array of acceptable destination addresses, something
like

@restricted_to = qw (space separated approved addresses);

and then enclose the call to send_mail in a loop that compares
the value of recipient with each item in the array, sending if a
match and looping until out if not. Then one script satisfies all
qualified users. For example, subsititute &send_mail with something
like:

----------------------------------------
# qw() does not interpolate, so the '@' needs no backslash here;
# a backslash inside qw() would become part of the address itself.
@restricted_to = qw (
user1@domain.net
user2@domain.net
);
$num_users = scalar(@restricted_to);
$i = 0;
$ok = 0;
# Walk the approved list; stop at the first match.
while ($i < $num_users) {
   $good_recip = $restricted_to[$i];
   if ($good_recip eq $Form{'recipient'}) {
      $ok = 1;
      last;
   }
   $i++;
}
# Send only when the recipient was found; otherwise redirect.
if ($ok) {
   &send_mail;
} else {
   print "Location: http://hack.this.you/little/prick.html\n\n";
}
----------------------------------------

That's tested working on 5.003, I'll vouch for nothing however, test it
yourself before you depend on it.

Clark Morgan
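As an added example (not Clark's code and not FormMail's own), here is the Option 2 allowlist check as a stand-alone Perl routine fed with constructed sample submissions instead of real CGI input. It goes slightly beyond the post: the comparison is case-insensitive, a comma-separated recipient list is accepted only if every address is approved, and any value containing a line break is rejected, since a line break in a header field is how extra mail headers get smuggled in.

```perl
#!/usr/bin/perl
# Added example, not FormMail's own code. The %allowed hash and the
# recipient_allowed() routine are this example's names, not FormMail's.
use strict;
use warnings;

# Approved destinations, lower-cased once so the lookup is case-insensitive.
my %allowed = map { lc($_) => 1 } qw(
    user1@domain.net
    user2@domain.net
);

# Returns 1 if every comma-separated address in $recipient is on the
# approved list, 0 otherwise. Values containing CR or LF are rejected
# outright because they could terminate the To: header early.
sub recipient_allowed {
    my ($recipient, $allowed) = @_;
    return 0 unless defined $recipient;
    return 0 if $recipient =~ /[\r\n]/;
    my @addrs = split /\s*,\s*/, $recipient;
    return 0 unless @addrs;
    for my $addr (@addrs) {
        $addr =~ s/^\s+|\s+$//g;            # trim surrounding whitespace
        return 0 if $addr eq '';
        return 0 unless $allowed->{ lc $addr };
    }
    return 1;
}

# Constructed sample submissions standing in for the form's recipient field.
my @samples = (
    'user1@domain.net',                     # approved
    'User2@Domain.net, user1@domain.net',   # approved, case differs
    'someone@example.com',                  # not on the list
    "user1\@domain.net\n",                  # contains a line break
    '',                                     # empty
);

for my $r (@samples) {
    (my $shown = $r) =~ s/\n/\\n/g;         # make the line break visible
    if (recipient_allowed($r, \%allowed)) {
        print "ALLOW  '$shown'\n";           # FormMail would call &send_mail here
    } else {
        print "REJECT '$shown'\n";           # FormMail would redirect here
    }
}
```

Expected output: the first two samples print ALLOW, the remaining three print REJECT.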