Solved

Exploited  mailer - how to fix  script

Posted on 2006-07-19
5
169 Views
Last Modified: 2013-12-25
I have been thrown into fixing a problem I am not sure I know where to start.

A spammer has been using the cgi-bin/mailer.cgi script to sent spam through my hosting server.  The host has disabled the script, but we would like to reenable it.  

I understand that I need to modify the script to check *all* form variables which are used to generate the email headers and ensure that they do not contain any newline or carriage return characters.

Having said that, I am not a programmer and am not sure how to modify the code.

This is the code in question:

#!/usr/local/bin/perl

use CGI::Carp qw(fatalsToBrowser);
require 'cgi-lib.pl';
&ReadParse(*in);
$today=&Get_Date;
$in{'comments'} =~ s/\015\012/ /g;

# enter who the mail goes to below;
$recip="info\@aw.com";

# URL for the page to be displayed after form submission;
$redirect="http://www.aw.com/thanks_contact.html";

# Path to your mail prog;
$mailprog = '/usr/sbin/sendmail';

# The subject of your mail (In the HIDDEN tag);
$subject="AM Comments";

open(MAIL,"|$mailprog -t");
print MAIL "To: $recip\n";
print MAIL "From: $in{'email'} ($in{'fname'} $in{'lname'})\n";
print MAIL "Subject: $subject\n";
print MAIL<<EOF;
This mail came from the your AM website's contact page:

Name:                        $in{'name'}
E-mail:                   $in{'email'}
Message:                  $in{'message'}

EOF
close MAIL;
open (MAILOG,">>maillog_contact.txt");
print MAILOG "$today|$in{name}|$in{email}|$in{message}|$in{field2}|$in{field3}|\n";
close MAILOG;
print "Location: $redirect\n\n";
exit;
sub Get_Date {
      @days =
        (Sunday,Monday,Tuesday,Wednesday,Thursday,Friday,Saturday);
      @months =
        (January,February,March,April,May,June,
        July,August,September,October,November,December);
      $time = time;
      ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) =
        localtime($time+($HourOffset*3600));
      $year = 1900+$year;
      $mon=$mon + 1;
      $todaydate = "$year/$mon/$mday ";
      $todaydate = $todaydate."$hour\:$min\:$sec";
}

0
Comment
Question by:franco2
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
5 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 17157265
> ensure that they do not contain any newline or carriage return characters.
you better use a whitelist instead of a blacklist to sanatize input, something like:

  $in{'email'} =~ s/[^a-zA-Z0-9\.\@-]//g;

i.g. I'd never sanatize input, but reject it and abort the complete request if does not match my whitelist
0
 

Author Comment

by:franco2
ID: 17157509
Great info - not sure what a whitelist or blacklist are. Would the script look like this?


This mail came from the your AM website's contact page:

Name:                    $in{'name'}
E-mail:                 $in{'email'} =~ s/[^a-zA-Z0-9\.\@-]//g
Message:               $in{'message'}

EOF

Also, does the script need to compile once the problem is fixed. If yes - I do not have perl - how do I make the bin workable.

Again, pardon my ignorance - I am not a programmer.

Thanks in advance.
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 350 total points
ID: 17157645
> not sure what a whitelist or blacklist are.
with a blacklist you allow anything not listed (your aproach), with a whitelist you allow anything listed (in particular that which your defined harmless:).

> Also, does the script need to compile once the problem is fixed.
no, perl is a interpreter
Only if you have fastCGI  or something similar in use, then you need to restart your server.

> Would the script look like this?
not as you did it, more like (a snippet only):

 $in{'fname'}=~ s/[^a-zA-Z'-]//g;
 $in{'lname'}=~ s/[^a-zA-Z'-]//g;
 $in{'email'} =~ s/[^a-zA-Z0-9\.\@-]//g;

Name:                    $in{'name'}
E-mail:                 $in{'email'}
Message:               $in{'message'}
EOF
0

Featured Post

Enroll in July's Course of the Month

July's Course of the Month is now available! Enroll to learn HTML5 and prepare for certification. It's free for Premium Members, Team Accounts, and Qualified Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Batch, VBS, and scripts in general are incredibly useful for repetitive tasks.  Some tasks can take a while to complete and it can be annoying to check back only to discover that your script finished 5 minutes ago.  Some scripts may complete nearly …
This article will show, step by step, how to integrate R code into a R Sweave document
In this fourth video of the Xpdf series, we discuss and demonstrate the PDFinfo utility, which retrieves the contents of a PDF's Info Dictionary, as well as some other information, including the page count. We show how to isolate the page count in a…
In this fifth video of the Xpdf series, we discuss and demonstrate the PDFdetach utility, which is able to list and, more importantly, extract attachments that are embedded in PDF files. It does this via a command line interface, making it suitable …

626 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question