freelanceprogrammers.org Forum Index » Perl
web form vulnerability
Hello,
I'm relatively a newbie in Perl and I'm not very expert with it.
Consequently I have a big problem with my web form processing
script. The problem is: the form is insecure. Spammers use the form
on the web to send a lot of spam.
Spammers send SPAM using my send-email form. They write something
like this
BCC:<a lot of email>
somewhere in my form, probably in the email field. You can see an
example of this form here:
http://www.seduction-rapide.com/contact.html
Users of my sites using my scripts can write any info in the header
of the email form and it's a main problem!
I tried with:
#-----------------------------------------------
read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
@pairs = split(/&/, $buffer);
foreach $pair (@pairs)
{
($name, $value) = split(/=/, $pair);
$value =~ tr/+/ /; # The =~ matches a regular expression with another variable rather than $_
$value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg; # URL-decode %XX escapes
$value =~ s/<!--(.|\n)*-->//g; # strip HTML comments
$value =~ s/<([^>]|\n)*>//g;   # strip HTML tags (does nothing about bare line breaks)
$FORM{$name} = $value;
}
#-----------------------------------------------
But will it work? I don't know if it will work, I don't even know
the exact string spammers write in the fields of my forms. I tried to
write
myemail@...
bcc:myothermail@...
to test my email field, but this doesn't work. So I don't know how
spammers do that and I'm unable to solve the issue.
The entire script is here; if you have some suggestion it will be
strongly appreciated.
Thanks
Alphonse
#!/usr/bin/perl
#-----------------------------------------------
# Decode the POSTed form into %FORM; no field is validated here
read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
@pairs = split(/&/, $buffer);
foreach $pair (@pairs)
{
($name, $value) = split(/=/, $pair);
$value =~ tr/+/ /; # The =~ matches a regular expression with another variable rather than $_
$value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg; # URL-decode %XX escapes
$FORM{$name} = $value;
}
#-----------------------------------------------
@sendto = ('infpbc@...', 'infomb@...');
$remote_ip = $ENV{'REMOTE_ADDR'};
$mailprog = "/usr/sbin/sendmail";
# -t makes sendmail take its recipients from the To:/Cc:/Bcc: headers it reads,
# so any extra header line that reaches it is delivered to
open (MAIL, "|$mailprog -t");
# flock(COUNT, 1100); # COUNT is never opened and 1100 is not a flock constant, so this did nothing
if($FORM{'section'} eq 'General Information'){
print MAIL "To: $sendto[0]\n";
# print MAIL "Bcc: $sendto[2]\n";
}else{
print MAIL "To: $sendto[1]\n";
# print MAIL "Bcc: $sendto[2]\n";
}
# Form fields go straight into the header block without any check for line breaks
print MAIL "From: $FORM{'B_address'}\n";
print MAIL "Subject: $FORM{'C_subject'}\n";
print MAIL "Section: $FORM{'section'}\n";
print MAIL "IP Addr: $remote_ip\n";
print MAIL "\n"; # blank line ends the headers; the body follows
print MAIL "Message:\n=======================\n$FORM{'D_message'}\n";
close (MAIL);
print "Content-type: text/html\n\n"; # CGI header must end with a blank line; the page below is HTML
print "<html><title>Message received</title>";
print "<head><script language='JavaScript1.2' src='../codes/noright.js'></script></head>";
print "<body bgcolor='#FEF8F0'><center><img src='../images/logo-lt.gif'></center>";
print "<br><p><center><font face='Verdana, Arial, Helvetica, sans-serif' size=4>";
print "Thanks you</font></center>";
print "<br><br><center><a href='javascript:window.close();'>";
print "<img src='../images/btnClose.gif' border=0 alt='Close'></a></center>";
print "</body></html>";
exit;
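A defensive check for the header problem described in this post, written as an added example and not taken from the poster's script: it refuses any header value that contains a line break or other control character, accepts only a plain local@domain form for the From: field, and keeps the recipient fixed in the script rather than taken from the form. The names header_safe, valid_address and build_headers and the example.invalid addresses are my own choices.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# A header value must be a single line: any CR or LF lets submitted text
# start a new header such as Bcc:. Other control characters are refused too.
# Returns the value unchanged, or undef when it must not be used in a header.
sub header_safe {
    my ($value) = @_;
    return undef unless defined $value;
    return undef if $value =~ /[\r\n]/;
    return undef if $value =~ /[\x00-\x1f\x7f]/;
    return $value;
}

# Conservative From: check: a bare local@domain with no display name,
# comments or angle brackets, so nothing header-like rides along in it.
sub valid_address {
    my ($addr) = @_;
    return 0 unless defined $addr;
    return $addr =~ /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/ ? 1 : 0;
}

# Assemble the header block from checked values. The recipient comes from
# the script's own configuration, never from the form. undef means reject.
sub build_headers {
    my ($recipient, %form) = @_;
    my $from    = header_safe($form{B_address});
    my $subject = header_safe($form{C_subject});
    return undef unless defined $from && valid_address($from);
    return undef unless defined $subject;
    return "To: $recipient\nFrom: $from\nSubject: $subject\n\n";
}

# Constructed sample submissions (hypothetical addresses, not real data)
my %clean = (B_address => 'alice@example.invalid', C_subject => 'Hello');
my %injected = (
    B_address => "alice\@example.invalid\nBcc: other\@example.invalid",
    C_subject => 'Hello',
);
my $to = 'info@example.invalid';

print defined build_headers($to, %clean)    ? "clean: accepted\n"    : "clean: rejected\n";
print defined build_headers($to, %injected) ? "injected: accepted\n" : "injected: rejected\n";
```

As a second layer, dropping -t and passing the fixed recipient on sendmail's own command line with the list form open(MAIL, '|-', $mailprog, '-oi', $recipient) means sendmail delivers only to that address whatever headers it reads, and the list form also avoids passing the command through a shell.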