Basically, you're allowing a user to specify an email address as a
recipient.  There's no reason for that person to get a copy of the
message.  Redirect to a "thank you for your message! It has been delivered"
page.  I'm not sure but there might be a way to abuse your pipe to
sendmail.  I'd strip out any non word/digit/punctuation from comments as
a safety.  Also, tell your ISP to install a Mail::* module.  I don't
like giving a pipe to sendmail over CGI.  Sendmail is riddled with
horrid security problems, and giving a user the ability to send
malicious data to the sendmail client isn't something I'd recommend.

You're re-inventing the wheel, and in this case it's dangerous; try:
http://search.cpan.org/~markov/MailTools-1.60/
http://search.cpan.org/~mivkovic/Mail-Sendmail-0.79/

I'd recommend MailTools primarily as it's in the Top 10 of the Phalanx
100.  Mail::Sendmail is Tier 3.

See: http://qa.perl.org/phalanx/distros.html

These modules are heavily audited and trustworthy.  Since you have your
ISP's ear at the moment with the abuse complaints, this would be a
perfect opportunity to go "Install MailTools, it's an important step to
keeping this from happening again."


On Wed, Feb 11, 2004 at 03:21:24PM -0600, Camilo Gonzalez wrote:
> 
> Eek! I've been told by my ISP that my Perl script to email myself and 
> the user of my form the contents on my contact form has been hijacked by 
> a spammer. My ISP has been deluged by recipients with complaints. Where 
> have I gone wrong? Please be kind, this is a beginners' list after all.
> 
> #!/usr/local/bin/perl -wT
> use CGI::Carp qw(fatalsToBrowser);
> use strict;
> use CGI;
> my $cgiobj = new CGI;
> $ENV{PATH} = "";
> 
> #Get parameters
> my $name = $cgiobj->param('name');
> my $address = $cgiobj->param('address');
> my $email = $cgiobj->param('email');
> my $comments = $cgiobj->param('comments');
> 
> #send emails to Camilo and sender
> my $from ='Opensourceman';
> my $subject = 'Contact Confirmation from Opensourceman';
> my $reply = '[EMAIL PROTECTED]';
> my $sendmail = '/usr/lib/sendmail -i -t';
> open (SENDMAIL, "|$sendmail") or die "Cannot open sendmail: $!";
> print SENDMAIL "To: $email, $reply\n";
> print SENDMAIL "From: $from\n";
> print SENDMAIL "Reply-to: $reply\n";
> print SENDMAIL "Subject: $subject";
> print SENDMAIL "\n\n";
> print SENDMAIL "Thanks for contacting Opensourceman. Below is what you 
> submitted to us:\n
>                Name: $name\n
>                Address: $address\n
>                Email: $email\n
>                Comments: $comments \n\n 
>                We will be contacting you shortly";
> close(SENDMAIL);
> 
> 
> -- 
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> <http://learn.perl.org/> <http://learn.perl.org/first-response>
> 
> 

-- 
Brad Lhotsky <[EMAIL PROTECTED]>
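The two fixes suggested in the reply above, as an added example that is not code from the original thread: the visitor's address is never used as a recipient, and any value that reaches a mail header is rejected if it carries a line break. The function names, $OWNER and the sample submissions are constructed for illustration.

```perl
# Added example, not from the original post. Drop -T from the shebang
# here only because the demo uses hard-coded input; the real CGI keeps it.
use strict;
use warnings;

my $OWNER = 'owner@example.com';   # constructed placeholder address

# A mail header ends at the first CR/LF, so a value carrying one lets the
# sender terminate the header and append headers (recipients) of their own.
# Reject such values outright rather than trying to clean them.
sub header_value_ok {
    my ($value) = @_;
    return (defined $value && $value !~ /[\r\n]/) ? 1 : 0;
}

# Accept exactly one plain address. \z (not $) is used on purpose: $ would
# still match with a trailing newline in the string.
sub email_ok {
    my ($email) = @_;
    return 0 unless header_value_ok($email);
    return $email =~ /\A[\w.+-]+\@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}\z/ ? 1 : 0;
}

# Build the text that would be printed to the sendmail -i -t pipe. The only
# recipient header names $OWNER; the visitor's address goes in Reply-To,
# which sendmail -t does not deliver to. Returns nothing on bad input.
# Body fields sit after the blank line, so they cannot become headers.
sub build_message {
    my (%f) = @_;
    return unless email_ok($f{email});
    my $body = join "\n",
        "Contact form submission:",
        "Name: $f{name}", "Address: $f{address}", "Email: $f{email}",
        "Comments:", $f{comments};
    return "To: $OWNER\n"
         . "From: Opensourceman <$OWNER>\n"
         . "Reply-To: $f{email}\n"
         . "Subject: Contact form submission\n\n"
         . "$body\n";
}

# Constructed inputs: a normal submission and one with a line break in
# the email field (in the CGI these come from $cgiobj->param(...)).
my %good = (name => 'Ann', address => '1 Main St',
            email => 'ann@example.org', comments => "Hello,\nplease call.");
my %bad  = (%good, email => "ann\@example.org\nCc: other\@example.net");

defined build_message(%good) or die "valid submission was rejected";
defined build_message(%bad)  and die "header injection was not caught";
print "validation behaves as expected\n";
```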
