Solved

Exploited  mailer - how to fix  script

Posted on 2006-07-19
5
166 Views
Last Modified: 2013-12-25
I have been thrown into fixing a problem I am not sure I know where to start.

A spammer has been using the cgi-bin/mailer.cgi script to sent spam through my hosting server.  The host has disabled the script, but we would like to reenable it.  

I understand that I need to modify the script to check *all* form variables which are used to generate the email headers and ensure that they do not contain any newline or carriage return characters.

Having said that, I am not a programmer and am not sure how to modify the code.

This is the code in question:

#!/usr/local/bin/perl

use CGI::Carp qw(fatalsToBrowser);
require 'cgi-lib.pl';
&ReadParse(*in);
$today=&Get_Date;
$in{'comments'} =~ s/\015\012/ /g;

# enter who the mail goes to below;
$recip="info\@aw.com";

# URL for the page to be displayed after form submission;
$redirect="http://www.aw.com/thanks_contact.html";

# Path to your mail prog;
$mailprog = '/usr/sbin/sendmail';

# The subject of your mail (In the HIDDEN tag);
$subject="AM Comments";

open(MAIL,"|$mailprog -t");
print MAIL "To: $recip\n";
print MAIL "From: $in{'email'} ($in{'fname'} $in{'lname'})\n";
print MAIL "Subject: $subject\n";
print MAIL<<EOF;
This mail came from the your AM website's contact page:

Name:                        $in{'name'}
E-mail:                   $in{'email'}
Message:                  $in{'message'}

EOF
close MAIL;
open (MAILOG,">>maillog_contact.txt");
print MAILOG "$today|$in{name}|$in{email}|$in{message}|$in{field2}|$in{field3}|\n";
close MAILOG;
print "Location: $redirect\n\n";
exit;
sub Get_Date {
      @days =
        (Sunday,Monday,Tuesday,Wednesday,Thursday,Friday,Saturday);
      @months =
        (January,February,March,April,May,June,
        July,August,September,October,November,December);
      $time = time;
      ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) =
        localtime($time+($HourOffset*3600));
      $year = 1900+$year;
      $mon=$mon + 1;
      $todaydate = "$year/$mon/$mday ";
      $todaydate = $todaydate."$hour\:$min\:$sec";
}

0
Comment
Question by:franco2
  • 2
5 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 17157265
> ensure that they do not contain any newline or carriage return characters.
you better use a whitelist instead of a blacklist to sanatize input, something like:

  $in{'email'} =~ s/[^a-zA-Z0-9\.\@-]//g;

i.g. I'd never sanatize input, but reject it and abort the complete request if does not match my whitelist
0
 

Author Comment

by:franco2
ID: 17157509
Great info - not sure what a whitelist or blacklist are. Would the script look like this?


This mail came from the your AM website's contact page:

Name:                    $in{'name'}
E-mail:                 $in{'email'} =~ s/[^a-zA-Z0-9\.\@-]//g
Message:               $in{'message'}

EOF

Also, does the script need to compile once the problem is fixed. If yes - I do not have perl - how do I make the bin workable.

Again, pardon my ignorance - I am not a programmer.

Thanks in advance.
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 350 total points
ID: 17157645
> not sure what a whitelist or blacklist are.
with a blacklist you allow anything not listed (your aproach), with a whitelist you allow anything listed (in particular that which your defined harmless:).

> Also, does the script need to compile once the problem is fixed.
no, perl is a interpreter
Only if you have fastCGI  or something similar in use, then you need to restart your server.

> Would the script look like this?
not as you did it, more like (a snippet only):

 $in{'fname'}=~ s/[^a-zA-Z'-]//g;
 $in{'lname'}=~ s/[^a-zA-Z'-]//g;
 $in{'email'} =~ s/[^a-zA-Z0-9\.\@-]//g;

Name:                    $in{'name'}
E-mail:                 $in{'email'}
Message:               $in{'message'}
EOF
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This tutorial will discuss the log-in process using WhizBase. In this article I assume you already know HTML. I will write the code using WhizBase Server Pages, so you need to know some basics in WBSP (you might look at some of my other articles abo…
This article is meant to give a basic understanding of how to use R Sweave as a way to merge LaTeX and R code seamlessly into one presentable document.
Learn the basics of modules and packages in Python. Every Python file is a module, ending in the suffix: .py: Modules are a collection of functions and variables.: Packages are a collection of modules.: Module functions and variables are accessed us…
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question