[thelist] re: form to email scripts

deke web at master.gen.in.us
Thu Apr 12 23:28:20 CDT 2001


On 12 Apr 2001, at 22:02, rudy posted a message which said:

> i've heard that these cgi mail scripts can have security holes, e.g. matt's
> formmail has been criticized a few times on discussion lists like this one
 
> does anybody know of any that are reasonably safe to use?
 
> and what is the problem with them, do they get taken over or misused by
> spammers, expose your server to attack, or what exactly?

Any program that executes data supplied by the user is subject to
diddling by users. 

One possibility for mischief would be to use a sendmail flag to get
a file of confidential data - traditionally, the password file - mailed 
to you.  Another possibility would be to put an email address, followed
by a semicolon, and followed by a destructive command.

You need to vet the data before you use it, and that's not easy to
do right. At a minimum, you should ensure that
   - there are no hyphens in the address.
   - there are only alphamerics, hyphens and dots (and there is 
     at least one dot) to the right of the rightmost @ sign.
   - to the right of the rightmost dot, there are either two letters,
     com, edu, org, net, gov, mil, or int. (I've read somewhere
     that there are a couple of 4-letter TLDs, including nato, but
     I've not seen one in ten years on the net.)
   - there are no embedded spaces in the address. (Actually,
     if the domain is aol.com, I simply remove embedded spaces
     from the address.)

I have no idea whose form-to-mail scripts are OK and which are
not. It's less work to write my own than it is to try to clean up 
someone else's work....

deke

------------------------
 "The church is near but the road is icy; 
  the bar is far away but I will walk carefully." 
                            -- Russian Proverb
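
The checks listed in the message above, written out as an added Python example; it is not code from the original post or from any form-to-mail script discussed on the list. It also builds the sendmail argument list without a shell, so neither a leading flag nor a semicolon in the address is ever interpreted. Assumptions: the "no hyphens" rule is read as applying left of the @ (the next rule allows them in the domain), the local-part character set and the label check are choices made here, and the sendmail path and its handling of `--` follow the usual getopt convention.

```python
import re

# TLD list exactly as given in the post (2001); extend it for current TLDs.
POST_TLDS = {"com", "edu", "org", "net", "gov", "mil", "int"}
# Assumption: characters allowed left of the @ (the post only bans hyphens and spaces).
LOCAL_RE = re.compile(r"[A-Za-z0-9._+]+")
DOMAIN_RE = re.compile(r"[A-Za-z0-9.-]+")
SENDMAIL = "/usr/sbin/sendmail"  # assumed path


def vet_address(raw, tlds=POST_TLDS):
    """Return the cleaned address, or raise ValueError naming the failed check."""
    addr = raw.strip()
    if addr.lower().endswith("@aol.com"):
        addr = addr.replace(" ", "")          # the post's AOL special case
    if "@" not in addr:
        raise ValueError("no @ sign")
    local, domain = addr.rsplit("@", 1)       # split at the rightmost @
    if not LOCAL_RE.fullmatch(local):
        raise ValueError("local part has a hyphen, space or other disallowed character")
    if not DOMAIN_RE.fullmatch(domain) or "." not in domain:
        raise ValueError("domain must be alphanumerics, hyphens and dots, with a dot")
    labels = domain.split(".")
    # Added check (not in the post): no empty or hyphen-edged labels.
    if any(not l or l.startswith("-") or l.endswith("-") for l in labels):
        raise ValueError("empty or hyphen-edged domain label")
    tld = labels[-1].lower()
    if not ((len(tld) == 2 and tld.isalpha()) or tld in tlds):
        raise ValueError("unrecognised top-level domain")
    return addr


def sendmail_argv(raw):
    """Argument vector for subprocess.run(argv, input=message): no shell is
    involved, and "--" ends option parsing before the recipient."""
    return [SENDMAIL, "-i", "--", vet_address(raw)]
```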



