A lot of requests for /cgi-bin/formmail.pl

is there a recent bug found in this

         

martin

7:52 am on Oct 13, 2002 (gmt 0)

10+ Year Member



I noticed a lot of requests for /cgi-bin/FormMail.pl. I know this is a Perl script but I don't understand why people try to find it on my PHP site.

Is there a bug in this script that was found recently or what? Why do all those people from different IPs request it?

fathom

7:59 am on Oct 13, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Amazingly enough so have I, and a lot.

I didn't much think about it before -- but now I'll look a bit closer.

Sounds a lot like another email harvester attempting to reconcile a new email list.

I'll let you know.

Marcia

8:07 am on Oct 13, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



There have been a lot of cases of people's formmail being used to send out spam mail, and it appears to come from the site whose script has been exploited this way.

Previous discussions:

[webmasterworld.com...]
[webmasterworld.com...]

KakenBetaal

5:58 pm on Oct 16, 2002 (gmt 0)

10+ Year Member



Anyone got any good form to email scripts they can recommend me via stickymail? (to prevent any promotional URLs that are against the TOS)

I'm looking for something that:

* will only send to a set list of email addresses and nowhere else.
* will hide the email addresses inside the script and away from the html
* allows use of several different recipient email addresses upon user selection
* allows customisable bans depending on referrer

rogerd

6:16 pm on Oct 16, 2002 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



More advice: There seem to be an increasing number of exploits directed at form and mail processing scripts. It's a good idea to avoid standard installs, i.e., don't use the default directory location, rename the script if possible, etc. Most of these attacks are automated and fairly unimaginative, so a few simple precautions will prevent most problems. In addition, make sure you have the latest version of the script - several popular mail scripts have been updated in recent months to close security holes.

jatar_k

6:23 pm on Oct 16, 2002 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Keep in mind that scripts can also be stored above the root level of your site, thus making them more inaccessible.

KakenBetaal, I think you are looking at something fairly customized but just start searching for mail scripts on Google in the desired language. You could look at hotscripts.com, they have a bunch of different things there.

KakenBetaal

6:56 pm on Oct 16, 2002 (gmt 0)

10+ Year Member



Thanks, jatar_k, I've looked at both your suggestions already and also searched here on WebmasterWorld. There are many to choose from, which is why I'm looking for a recommendation here. After all, WebmasterWorld is *the* place to come for advice from top notch people. :)

jatar_k

7:00 pm on Oct 16, 2002 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



From the level of customization you are looking for you probably won't find much that will fit as is. You will either have to take something that is close and tweak it yourself or just get someone to write it for you.

Though you never know, keep looking if it doesn't need to be done tomorrow.

Marcia

7:00 pm on Oct 16, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



There are improved replacements for some of the old standard Matt Wright scripts, like nms-formmail at sourceforge [nms-cgi.sourceforge.net] done up by the London Perl Mongers [london.pm.org].

It's a little more complicated, but there are some built-in security features, and it's an on-going project, which makes it a comfortable situation.

Paully

7:07 pm on Oct 16, 2002 (gmt 0)



Just my $.02.

I think all should be wary of "free scripts" or free website software including but not limited to chat, message board, guestbook, blog, and user logging software, etc.

Many contain backdoor hacks, Trojan programs, spyware, etc. and can cost your business a lot more than the benefits of using these free scripts.

I agree with jatar_k, read and tweak every single line of code, know what you are implementing, and make sure minimum permissions are granted.

The best solution is to write it yourself, you can use the other scripts as examples.

[edited by: Paully at 7:56 pm (utc) on Oct. 16, 2002]

martin

7:51 pm on Oct 16, 2002 (gmt 0)

10+ Year Member



My advice:

Don't use free form mail scripts. They are so simple to build yourself, you only have to read some docs for a few hours and you can create your own.

Paully

7:59 pm on Oct 16, 2002 (gmt 0)



I agree, martin, sending form results through email is usually on the first or second page of the forms section in any web-programming book.
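
The requirements KakenBetaal lists earlier in the thread (mail only to a fixed set of addresses, addresses kept in the script rather than the HTML, recipient chosen by key, refusal based on referrer), as an added Python example that is not code from the thread or from any script named in it. The addresses, host names and the `build_message`, `single_line` and `Rejected` names are assumptions made for illustration; the control-character check on the subject is an addition beyond that list.

```python
from email.message import EmailMessage
from urllib.parse import urlsplit

# Constructed configuration: the form submits only a key ("sales"); the
# real addresses live here and never appear in the HTML.
RECIPIENTS = {"sales": "sales@example.org", "support": "support@example.org"}
# Referer is client-supplied, so this only filters crude automated requests.
ALLOWED_REFERRER_HOSTS = {"example.org", "www.example.org"}
SENDER = "webform@example.org"


class Rejected(Exception):
    """The submission must not be mailed."""


def single_line(value, limit=200):
    # CR, LF or other control characters in a header field would let the
    # form inject extra headers (such as more recipients), so refuse them.
    if not value.isprintable() or len(value) > limit:
        raise Rejected("bad header value")
    return value.strip()


def build_message(form, referrer):
    try:
        host = urlsplit(referrer or "").hostname
    except ValueError:  # malformed URL in the Referer header
        host = None
    if host not in ALLOWED_REFERRER_HOSTS:
        raise Rejected("referrer not allowed")
    key = form.get("to", "")
    if key not in RECIPIENTS:  # a raw address from the client never matches
        raise Rejected("unknown recipient key")
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = RECIPIENTS[key]
    msg["Subject"] = "Web form: " + single_line(form.get("subject", ""))
    # The visitor's address goes in the body, not in a header.
    body = "Visitor address: %s\n\n%s" % (form.get("email", ""), form.get("message", ""))
    msg.set_content(body[:5000])
    return msg
```

The returned message can be handed to `smtplib.SMTP.send_message`; a `Rejected` submission is dropped before any mail is built.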