After reading about this issue for over an hour I am confused as to how one
can protect the form or template from hijacking. I do not have any access to
the actual Cgiemail script. I only have control over the templates and the
HTML forms that I may write, and any JavaScript validation scripts that may
be needed (assuming that the client has not purposely turned off JavaScript).
How can I secure these forms and templates against being used as spam relays?
I already have hard-coded the To: address in the template. Must the From: field in the templates be hard-coded also to prevent exploits? The default template has it as
From: [email].
--
Wiz
You can try to hide the inputs in the HTML as well as possible. You might even be able to not use the dangerous ones. But, if the spammers/whoever figure out what script is being used (and, if it's FormMail.pl, they will likely guess before even looking at your code - it's a standard thing they probe for) they will just use it.
The only solution is to use a secure script, I'm afraid. There is no client-side solution that does data validation in a manner that cannot be overcome without server-side support.
You just need to make a small alteration to whatever script is handling your mailings. Have the user part of the email address (the part before the @) be the only section that changes based on user input.
The domain part of the email should be hard coded to a variable.
You then create the "To:" address by tacking the user chosen part onto the domain.
i.e.
$domain = 'website.com';
$toaddy = $request{'choice'}."\@$domain";
It is now impossible for your script to be used for spam.
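
An added example, not part of the original posts: the same To: construction in Perl, with the user-chosen part checked on the server against an allow-list before it is joined to the hard-coded domain, so the value cannot carry a second address or a line break into the header. The mailbox names and sample inputs are constructed, and build_to is a hypothetical helper name.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hard-coded domain, as in the post above ('website.com' is the post's placeholder).
my $domain = 'website.com';

# Hypothetical allow-list of mailboxes the form may address (constructed values).
my %allowed = map { $_ => 1 } qw(sales support webmaster);

# Build the To: address from the user-chosen local part.
# Returns undef (in scalar context) unless the value is exactly one allow-listed name.
sub build_to {
    my ($choice) = @_;
    return unless defined $choice;
    # \A and \z anchor the whole string; unlike $, \z does not accept a trailing newline.
    return unless $choice =~ /\A[a-z0-9._-]{1,64}\z/;
    return unless $allowed{$choice};
    return "$choice\@$domain";
}

# Constructed sample inputs: one well-formed, the rest malformed.
my @samples = (
    'sales',                      # allow-listed mailbox
    'sales@elsewhere.example',    # carries its own domain
    'sales,other',                # more than one recipient
    "sales\r\nX-Added: 1",        # embedded line break
    "support\n",                  # trailing newline
    'nobody',                     # syntactically fine, but not allow-listed
);

for my $in (@samples) {
    my $to = build_to($in);
    # Make control characters visible in the report.
    (my $shown = $in) =~ s/([\r\n])/sprintf('\\x%02x', ord $1)/ge;
    printf "%-30s => %s\n", "'$shown'", defined $to ? $to : 'REJECTED';
}
```

Only the first sample yields an address; every other value is rejected before any mail header is built.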