Question about abuse of a CGI script

Martin Kissner

A. Sinan Unur wrote :
That sentence makes no sense. If a visitor can submit the form using a
web browser, then a simple script using LWP, or the command line wget
program can also submit to the same target specified in the action
attribute of the form element you are using.

Your confusion arises from the fact that you don't seem to understand how
HTTP and CGI work, and you confuse the issue by adding in all sorts of
web server configuration issues.

No, I don't think so. Maybe I cannot make myself understood because of
my bad English. Maybe I should provide specific filenames to make this
clear.

Before the spammer's attack the target specified in the action attribute
of the form element was "/emailantwort.html". This target was
redirected to "/cgi-bin/script.cgi".
"script.cgi" checks the URI to decide what to do.
Before the spammer's attack:
    if ($ENV{REQUEST_URI} eq "/emailantwort.html") { send_mail(); }
Now:
    if ($ENV{REQUEST_URI} eq "/someotherfile.html") { send_mail_better(); }
    if ($ENV{REQUEST_URI} eq "/emailantwort.html") { count_spammer(); }
In summary:

Q1) How do I save the full query submitted to my CGI script.

A) Look into methods provided for this purpose by CGI.pm and CGI::Minimal

Thank you, I will do so tonight.
Q2) How do I prevent a spammer from using my script to send email to
thousands of people?

A) The safest way is to prevent a web site visitor from being able to
enter any email address. Short of that, look at CGI::ContactForm to see
how to make sure the submitted parameter only contains a single email
address.

Thank you again. I will do my best.
There seems to be nothing else that is remotely Perl related to discuss.

Okay? Didn't mean to annoy anybody.

Best regards
Martin
 
Ian Wilson

Martin said:
Maybe you missed the fact that I have changed my script so the actual
spammer is not able to use it any more.

Have you? I thought you had just changed it to check the referrer_URI.
These URIs are harvested by bots which inspect feedback forms. Soon a
bot will pick up your modified form and start using the new action URI
it finds there, which is the one your modified script allows through.

Much better to sanitise the form data. I'd discard any transaction that
contains suspicious data, e.g. newlines in a subject field. If I
couldn't use (or adapt) an already existing well tested script such as
the nms scripts, I'd specify a minimum set of allowable characters for
each field. Have you looked at the scripts at
http://nms-cgi.sourceforge.net/ - even if you can't use them, they'll
give some ideas on sanitising form data.
 
Martin Kissner

Ian Wilson wrote :
Have you? I thought you had just changed it to check the referrer_URI.

Yes, I have. I never mentioned that I changed the script to check the
referer URI, did I? As a first step I checked the "user" input for some
strings that were common to all spam mails.

In the meantime I have added some more input checking to make sure that
there can be only one email address in the appropriate field and nothing
else. All other fields are now checked against a list of allowed
characters (letters, numbers, braces, commas, full stops, and newlines only
in the textarea field).
These URIs are harvested by bots which inspect feedback forms. Soon a
bot will pick up your modified form and start using the new action URI
it finds there, which is the one your modified script allows through.

Much better to sanitise the form data. I'd discard any transaction that
contains suspicious data, e.g. newlines in a subject field. If I
couldn't use (or adapt) an already existing well tested script such as
the nms scripts, I'd specify a minimum set of allowable characters for
each field. Have you looked at the scripts at

Thanks for your hint, I have already done so.
http://nms-cgi.sourceforge.net/ - even if you can't use them, they'll
give some ideas on sanitising form data.

Not yet, but I will take a look at it. Thanks for the link.

Best regards
Martin
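The checks Ian recommends (discard anything with a line break in a header field, an allow-list of characters per field) and the ones Martin says he added (exactly one address in the email field, newlines permitted only in the textarea) can be collected into a single validation routine. The following is an added example, not code from the thread, from the nms scripts, or from Martin's script; the field names name, email, subject and message, the length limits and the extra punctuation in the allow-list are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical contact-form validator. Field names (name, email, subject,
# message) are assumptions, not taken from the thread. Takes the submitted
# parameters as a hash and returns the list of reasons for rejecting the
# submission; an empty list means it is safe to hand to send_mail().
sub validate_contact_form {
    my (%f) = @_;
    my @errors;

    # Anything that ends up in a mail header must be a single line: a CR or
    # LF in "subject" or "name" would let the sender append header lines
    # (To:, Bcc:) of their own, which is how a form gets turned into a relay.
    for my $field (qw(name email subject)) {
        my $v = defined $f{$field} ? $f{$field} : '';
        push @errors, "$field: line break not allowed" if $v =~ /[\r\n]/;
    }

    # Exactly one address and nothing else. Anchored at both ends, so a
    # comma-separated list or trailing text fails; \z rather than $ so a
    # trailing newline cannot slip past the anchor.
    my $email = defined $f{email} ? $f{email} : '';
    push @errors, 'email: must be exactly one address'
        unless $email =~ /\A[A-Za-z0-9._%+-]+\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\z/;

    # Allow-lists per field: the thread's set (letters, digits, brackets,
    # commas, full stops) plus a few punctuation marks added here as an
    # assumption. Only the textarea field may contain newlines. Empty or
    # oversized fields are rejected by the same pattern.
    my $line_chars = qr/[A-Za-z0-9 ()\[\]{},.:!?'-]/;
    my %allowed = (
        name    => qr/\A(?:$line_chars){1,100}\z/,
        subject => qr/\A(?:$line_chars){1,200}\z/,
        message => qr/\A(?:$line_chars|[\r\n]){1,5000}\z/,
    );
    for my $field (sort keys %allowed) {
        my $v = defined $f{$field} ? $f{$field} : '';
        push @errors, "$field: empty, too long or contains disallowed characters"
            unless $v =~ $allowed{$field};
    }

    # A parameter our own HTML form never sends means the request was built
    # by something other than a visitor filling in the page.
    my %known = map { $_ => 1 } qw(name email subject message);
    push @errors, "unexpected parameter: $_" for grep { !$known{$_} } sort keys %f;

    return @errors;
}

# Constructed sample submissions for a stand-alone run (perl thisfile.pl).
unless (caller) {
    my %ok = (
        name    => 'Martin K.',
        email   => 'martin@example.org',
        subject => 'Question about the form',
        message => "Hello,\nthis is a test.\n",
    );
    my %spam = (
        name    => 'x',
        email   => 'a@example.org, b@example.org',
        subject => "hi\nBcc: c\@example.org",
        message => 'http://example.org/?x=1',
    );
    for my $case ([ legitimate => \%ok ], [ spam => \%spam ]) {
        my ($label, $form) = @$case;
        my @errors = validate_contact_form(%$form);
        print "$label: ", (@errors ? join('; ', @errors) : 'accepted'), "\n";
    }
}
```

In the real script the hash would be filled from the CGI parameters and the rejected submissions logged in full, for which the save method that CGI.pm provides (mentioned in the answer to Q1 above) writes every parameter to a filehandle. Rejecting on any error, rather than stripping the offending characters, keeps the checks simple to reason about and avoids the cleaned-up input being something the sender never wrote.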
 