Can this script be used to spam?

David Staschover

We are getting numerous bounceback messages with the following script in the
bounced email. It appears that someone is using this script to send spam. Is
there any way for a visitor to break this script over the web, changing the
recipient or adding Bcc's to this message through a web browser? And if so,
any idea how to fix it?

Thanks in advance!

#!/usr/bin/perl

read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
@pairs = split(/&/, $buffer);
foreach $pair (@pairs)
{
($name, $value) = split(/=/, $pair);
$value =~ tr/+/ /;
$value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
$FORM{$name} = $value;
}

open (MAIL, "|/usr/lib/sendmail -oi -oem -odi -t ") || die "Can't open sendmail: $!";
print MAIL "To: recipient\@domain.com\n";
print MAIL "From: $FORM{'username'} ($FORM{'realname'})\n";
print MAIL "Subject: Site Comments

$FORM{'username'} ($FORM{'realname'}) sent the following
------------------------------------------------------------
Email: $FORM{'username'}
Name: $FORM{'realname'}
Subject: $FORM{'subject'}

Comments:
$FORM{'comments'}

------------------------------------------------------------\n\n";
close (MAIL);

print "Location: http://www.domain.com/thankyou.html\n\n";
 
Uri Guttman

don't use that. formmail is infamous for spamming attacks.

look for the NMS replacement on sourceforge.

uri
 
Gunnar Hjalmarsson

David said:
We are getting numerous bounceback messages with the following
script in the bounced email. It appears that someone is using this
script to send spam. Is there any way for a visitor to break this
script over the web, changing the recipient or adding Bcc's to this
message through a web browser?

It's not safe, as others have pointed out.

You might find the module CGI::ContactForm useful as a replacement:
http://search.cpan.org/~gunnar/

If you click the link in the sig below, you see the default form that
is generated by the module.
 
Eric J. Roode

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We are getting numerous bounceback messages with the following script
in the bounced email. It appears that someone is using this script to
send spam. Is there any way for a visitor to break this script over
the web, changing the recipient or adding Bcc's to this message
through a web browser? And if so, any idea how to fix it?

1. You ought to be using the CGI.pm module instead of parsing your own CGI
input.

2. You are doing absolutely no validation of any of the CGI inputs. It
would be trivial for me, or anyone, to craft an HTML form on my own
computer and type in whatever I wanted into any of the fields, and submit
it to your script on your server. *Never* trust CGI input. *Always*
validate.

- --
Eric
$_ = reverse sort $ /. r , qw p ekca lre uJ reh
ts p , map $ _. $ " , qw e p h tona e and print

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBP8NLDWPeouIeTNHoEQKZIwCgvHuvBKfHFdSIFJbIJoxXErP/ZqcAn37P
OlKdxwfqFpYGGuek/8V/u1Om
=SnX9
-----END PGP SIGNATURE-----
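To make Eric's two points concrete, here is an added example (written for this page, not code from the thread, from the original poster, or from any of the modules mentioned above) of the same form handler rewritten with CGI.pm and input validation. The recipient address, sendmail path and thank-you URL are placeholder values carried over from the original script. The key difference for the spam problem is that the recipient is fixed in the code and passed to sendmail on the command line instead of via `-t`, so nothing a submitter types can add a Bcc, and any field that is going into a mail header is rejected outright if it contains a carriage return or line feed. CGI.pm has shipped separately from the Perl core since 5.22, so it may need to be installed from CPAN first.

```perl
#!/usr/bin/perl
# Added example, not the original poster's script: a hardened rewrite of the
# form-mail handler quoted in this thread. Differences from the original:
#   - uses CGI.pm instead of hand-rolled query parsing (Eric's point 1)
#   - validates every field before it reaches sendmail (Eric's point 2)
#   - passes the recipient on the sendmail command line instead of using -t,
#     so a value containing "\nBcc: ..." can never add recipients
# Recipient address, sendmail path and thank-you URL are placeholders.
use strict;
use warnings;
use CGI;

my $RECIPIENT = 'recipient@domain.com';              # placeholder, fixed here, never from the form
my $SENDMAIL  = '/usr/lib/sendmail';                 # placeholder path, as in the original
my $THANKYOU  = 'http://www.domain.com/thankyou.html';

# A value destined for a mail header may never contain CR or LF: that is
# exactly what lets a submitter append extra header lines. Returns the
# value, or undef if it is missing, too long, or unsafe.
sub header_value {
    my ($value, $max) = @_;
    return undef unless defined $value;
    return undef if $value =~ /[\r\n]/;
    return undef if length($value) > $max;
    return $value;
}

# Deliberately simple address check: one local part, one "@", a domain with
# at least one dot, and no whitespace or control characters anywhere.
sub valid_email {
    my ($addr) = @_;
    return defined $addr && $addr =~ /^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/;
}

# Answer a bad submission with a 400 and stop; nothing is mailed.
sub reject {
    my ($why) = @_;
    print "Status: 400 Bad Request\nContent-Type: text/plain\n\n$why\n";
    exit 0;
}

my $q = CGI->new;

# "scalar" matters: in list context param() returns every value of a
# repeated field, which would shift the arguments to header_value().
my $email    = header_value(scalar $q->param('username'), 254);
my $realname = header_value(scalar $q->param('realname'), 100);
my $subject  = header_value(scalar $q->param('subject'),  200);
my $comments = scalar $q->param('comments');

reject("Invalid email address") unless valid_email($email);
reject("Invalid name")          unless defined $realname && $realname =~ /^[\w .'-]+$/;
reject("Invalid subject")       unless defined $subject;
reject("Missing comments")      unless defined $comments && length($comments) > 0;
reject("Comments too long")     if length($comments) > 5000;

# List-form open: no shell is involved, and the only recipient is the one
# fixed above. The submitter's address goes in Reply-To rather than From,
# so the site owner can still answer without the message claiming to be
# sent by an arbitrary outside address.
open(my $mail, '|-', $SENDMAIL, '-oi', $RECIPIENT)
    or die "Can't open $SENDMAIL: $!";
print $mail "To: $RECIPIENT\n";
print $mail "From: Site contact form <$RECIPIENT>\n";
print $mail "Reply-To: $email\n";
print $mail "Subject: Site Comments: $subject\n";
print $mail "\n";                       # end of headers; everything below is body text
print $mail "$email ($realname) sent the following\n";
print $mail "-" x 60, "\n";
print $mail "Email: $email\nName: $realname\nSubject: $subject\n\nComments:\n$comments\n";
print $mail "-" x 60, "\n";
close($mail) or die "sendmail failed: $?";

print $q->redirect($THANKYOU);
```

The comments field is allowed to contain newlines because it is only ever written after the blank line that ends the headers, and with the recipient given on the command line sendmail does not read headers from the message at all. A quick way to confirm the fix on a test server is to submit a value such as `%0ABcc:%20someone%40example.com` in the username field and check that the script answers 400 and that nothing reaches the mail log.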
 
