Basically, you're allowing a user to specify an email address as a recipient. There's no reason for that person to get a copy of the message. Redirect to a "thank you for your message! It has been delivered" page. I'm not sure but there might be a way to abuse your pipe to sendmail. I'd strip out any non word/digit/punctuation from comments as a safety. Also, tell your ISP to install a Mail::* module. I don't like giving a pipe to sendmail over CGI. Sendmail is riddled with horrid security problems, and giving a user the ability to send malicious data to the sendmail client isn't something I'd recommend.
You're re-inventing the wheel, and in this case it's dangerous. Try:

http://search.cpan.org/~markov/MailTools-1.60/
http://search.cpan.org/~mivkovic/Mail-Sendmail-0.79/

I'd recommend MailTools primarily as it's in the Top 10 of the Phalanx 100. Mail::Sendmail is Tier 3. See: http://qa.perl.org/phalanx/distros.html

These modules are heavily audited and trustworthy. Since you have your ISP's ear at the moment with the abuse complaints, this would be a perfect opportunity to go "Install MailTools, it's an important step to keeping this from happening again."

On Wed, Feb 11, 2004 at 03:21:24PM -0600, Camilo Gonzalez wrote:
>
> Eek! I've been told by my ISP that my Perl script to email myself and
> the user of my form the contents on my contact form has been hijacked by
> a spammer. My ISP has been deluged by recipients with complaints. Where
> have I gone wrong? Please be kind, this is a beginners' list after all.
>
> #!/usr/local/bin/perl -wT
> use CGI::Carp qw(fatalsToBrowser);
> use strict;
> use CGI;
> my $cgiobj = new CGI;
> $ENV{PATH} = "";
>
> #Get parameters
> my $name = $cgiobj->param('name');
> my $address = $cgiobj->param('address');
> my $email = $cgiobj->param('email');
> my $comments = $cgiobj->param('comments');
>
> #send emails to Camilo and sender
> my $from ='Opensourceman';
> my $subject = 'Contact Confirmation from Opensourceman';
> my $reply = '[EMAIL PROTECTED]';
> my $sendmail = '/usr/lib/sendmail -i -t';
> open (SENDMAIL, "|$sendmail") or die "Cannot open sendmail: $!";
> print SENDMAIL "To: $email, $reply\n";
> print SENDMAIL "From: $from\n";
> print SENDMAIL "Reply-to: $reply\n";
> print SENDMAIL "Subject: $subject";
> print SENDMAIL "\n\n";
> print SENDMAIL "Thanks for contacting Opensourceman. Below is what you
> submitted to us:\n
> Name: $name\n
> Address: $address\n
> Email: $email\n
> Comments: $comments \n\n
> We will be contacting you shortly";
> close(SENDMAIL);
>
>
> --
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> <http://learn.perl.org/> <http://learn.perl.org/first-response>
>
>

--
Brad Lhotsky <[EMAIL PROTECTED]>
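A hardened version of the form handler along the lines Brad suggests, as an added example that is not code from the thread: the submitted address is validated as a single plain address, the submitter gets no copy, and Mail::Sendmail (SMTP to localhost, its default) replaces the pipe. The helper names, the owner address and the redirect URL are my own placeholders.

```perl
#!/usr/local/bin/perl -wT
use strict;
use CGI;
use Mail::Sendmail;   # from CPAN; speaks SMTP to localhost, no pipe to sendmail

# Added example, not code from the thread; helper names are my own. With
# "sendmail -t" every recipient is read from the headers the script prints,
# so no form value may reach a header unless proven to be one plain address.

# Accept exactly one address (local part, '@', dotted domain); a value that
# carries CR/LF, commas or extra header lines yields undef. The capture also
# untaints the value under -T.
sub valid_address {
    my ($addr) = @_;
    return undef unless defined $addr;
    return $addr =~ /\A([\w.+-]+\@[\w-]+(?:\.[\w-]+)+)\z/ ? $1 : undef;
}

# Keep only word characters, whitespace and common punctuation (Brad's
# "strip out any non word/digit/punctuation"), so control characters are gone.
sub clean_text {
    my ($text) = @_;
    $text = '' unless defined $text;
    $text =~ s/[^\w\s.,!?'"()\-:;\/\@]//g;
    return $text;
}
my $q     = CGI->new;
my $reply = 'owner@example.com';   # placeholder for the site owner's address
my $email = valid_address($q->param('email'));
unless ($email) {
    print $q->header('text/plain'), "Please supply one valid e-mail address.\n";
    exit;
}
my $name     = clean_text($q->param('name'));
my $address  = clean_text($q->param('address'));
my $comments = clean_text($q->param('comments'));

# Per Brad: the submitter gets no copy, so the only recipient is a constant
# and the submitted address lands in the body, where it cannot add headers.
my %mail = (
    To      => $reply,
    From    => $reply,
    Subject => 'Contact form submission',
    Message => "Name: $name\nAddress: $address\nEmail: $email\n"
             . "Comments:\n$comments\n",
);
sendmail(%mail) or die "Mail::Sendmail failed: $Mail::Sendmail::error";
print $q->redirect('/thanks.html');   # placeholder "thank you" page
```

If MailTools is the module the ISP installs instead, the same validated values go into Mail::Send's headers; the validation is what keeps a submitted value from turning into extra recipients.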