RE: [cobalt-users] FormMail.pl
- Subject: RE: [cobalt-users] FormMail.pl
- From: "Jolley, Carl" <Carl.Jolley@xxxxxxx>
- Date: Thu Aug 29 15:43:01 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
-----Original Message----
From: Andres C. [mailto:anakinpc@xxxxxxxxxxx]
Sent: Thursday, August 29, 2002 4:32 PM
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: [cobalt-users] FormMail.pl
I got some errors with FormMail.pl v1.92 from scriptarchive.com when I try
to use it on my RaQ4i.
I receive an error message when I try to post a message from some form:
Bad Referrer - Access Denied
The form attempting to use FormMail resides at
http://www.estudiobordon.com.ar/P_Contacto_Suge.htm, which is not allowed to
access this cgi script.
If you are attempting to configure FormMail to run with this form, you need
to add the following to @referers, explained in detail in the README file.
Add 'www.estudiobordon.com.ar' to your @referers array.
How can I add all the domains I have on this Cobalt so they are allowed to send
mail, and block other servers' addresses???
---------------
On my self-patched version of sendmail I've got some code that looks like:
chomp($save_cd=`pwd`);
chdir("/home/sites") || die "can't cd to /home/sites";  # parens needed: chdir "x" || die never fails
@my_webs=`ls -d www.*`;  # all my vsites look like www.domainname
chdir($save_cd) || die "can't restore cd to $save_cd";
chomp(@my_webs);
push(@referers,@my_webs);  # add every vhost name to the allowed referers
This will put all the vhosts defined on your RaQ into the @referers array.
The way the @referers array works, you don't have to block any domains: the
$ENV{HTTP_REFERER} has to have a hostname that occurs in the @referers
array or FormMail.pl generates an error just like the one you got.
However, it does make sense to also test the $CONFIG{recipient} to make
sure the e-mail is going only to where you want it to go. This can be
done by checking a set of allowed e-mail addresses, checking against a
set of allowed destination domains, or always setting the "To:" header to
a constant e-mail address. This latter part is crucial because even
the $ENV{HTTP_REFERER} can be forged for a REQUEST_METHOD of POST.
Forget about accepting REQUEST_METHOD=GET, and do not accept even a POST
message unless the $ENV{HTTP_REFERER} is present and contains a host
name part that matches one of the hosts in your @referers array. When
extracting the host name from the $ENV{HTTP_REFERER} make sure you
are extracting with a valid left-anchored pattern, e.g.:
&error('referer')
  unless($ENV{HTTP_REFERER}=~m!^https?://([^/]+)/.+\.s?html?!);  # [^/]+ : host stops at first slash
$host=$1;
$ok=0;
foreach $ref (@referers) {
  if ($ref eq $host) {  # exact match, not a substring test
    $ok=1;
    last;
  }
}
&error('referer') unless $ok;
If you don't use the proper pattern for extracting the leftmost host from
the $ENV{HTTP_REFERER} you are subject to a forged HTTP_REFERER that may look
like:
http://bad,domain/file.html?+one-of_your_referers
Similar rigorous checking should also be done on $CONFIG{recipient},
especially if you allow it to contain multiple destination e-mail
addresses separated with commas. Be wary of any recipient, e-mail
or realname field that contains any of the characters: "%<>;()\n";
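The checks described in the reply above, collected into one runnable Perl script as an added example (this is not FormMail.pl's own code and not code from the list message): a left-anchored host extraction, an exact match against @referers, POST-only acceptance, and a recipient test against an allowed-domain list plus the "%<>;()\n" character set. It goes slightly beyond the text by lower-casing and stripping a port before comparing. The vhost names, domains, addresses and sample requests are all constructed for illustration; the script touches no filesystem or mail.

```perl
#!/usr/bin/perl
# Added example, not FormMail.pl's own code: referer and recipient checks
# written to the rules in the message above. All hostnames, addresses and
# requests below are constructed for illustration.
use strict;
use warnings;

# Constructed stand-in for the /home/sites/www.* listing the message builds @referers from.
my @my_webs  = ('www.example.com', 'www.example.net');
my @referers = ('example.com');
push(@referers, @my_webs);

# Recipients are only accepted at these domains (constructed).
my @allowed_domains = ('example.com');

# Extract the host part of an http(s) URL with a left-anchored pattern:
# the host is only what lies between "://" and the first "/".
sub referer_host {
    my ($referer) = @_;
    return undef unless defined $referer && $referer =~ m!^https?://([^/]+)/!;
    my $host = lc $1;
    $host =~ s/:\d+\z//;          # drop an explicit port before comparing
    return $host;
}

# Accept a request only if it is a POST, carries a Referer, and that
# Referer's host is exactly (not merely contains) one of @referers.
sub referer_ok {
    my ($method, $referer, $referers) = @_;
    return 0 unless defined $method && $method eq 'POST';
    my $host = referer_host($referer);
    return 0 unless defined $host;
    for my $ref (@$referers) {
        return 1 if lc($ref) eq $host;
    }
    return 0;
}

# Every comma-separated recipient must be a plain address at an allowed
# domain and must not contain the header-injection characters the message lists.
sub recipients_ok {
    my ($recipient, $domains) = @_;
    return 0 unless defined $recipient && length $recipient;
    return 0 if $recipient =~ /[%<>;()\r\n]/;
    for my $addr (split /\s*,\s*/, $recipient) {
        return 0 unless $addr =~ /^[A-Za-z0-9._+-]+\@([A-Za-z0-9.-]+)\z/;
        my $dom = lc $1;
        return 0 unless grep { lc($_) eq $dom } @$domains;
    }
    return 1;
}

# Constructed requests. The third and fourth carry a legitimate hostname
# somewhere inside a forged Referer; a left-anchored exact match rejects both.
my @requests = (
    ['POST', 'http://www.example.com/P_Contacto.html'],
    ['GET',  'http://www.example.com/P_Contacto.html'],
    ['POST', 'http://bad,domain/file.html?+www.example.com'],
    ['POST', 'http://www.example.com.attacker.invalid/file.html'],
    ['POST', undef],
);
for my $r (@requests) {
    my ($method, $referer) = @$r;
    printf "%-4s %-55s => %s\n", $method, defined $referer ? $referer : '(no Referer)',
        referer_ok($method, $referer, \@referers) ? 'allowed' : 'denied';
}

# Constructed recipient values, including one with an injected header line.
for my $rcpt ('webmaster@example.com',
              'sales@example.com, info@example.com',
              'someone@attacker.invalid',
              "webmaster\@example.com\nBcc: list\@attacker.invalid") {
    (my $shown = $rcpt) =~ s/\n/\\n/g;
    printf "recipient %-50s => %s\n", $shown,
        recipients_ok($rcpt, \@allowed_domains) ? 'ok' : 'rejected';
}
```

Run it with `perl` and the first request is allowed while the GET, the two forged Referers and the missing Referer are denied; of the recipients, only the two example.com values pass, and the value carrying a newline is rejected by the character test before the domain check runs. The exact-match loop is what stops a host such as www.example.com.attacker.invalid, which a substring test on the referer string would accept.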