Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Exploited  mailer - how to fix  script

Posted on 2006-07-19
5
Medium Priority
?
174 Views
Last Modified: 2013-12-25
I have been thrown into fixing a problem I am not sure I know where to start.

A spammer has been using the cgi-bin/mailer.cgi script to sent spam through my hosting server.  The host has disabled the script, but we would like to reenable it.  

I understand that I need to modify the script to check *all* form variables which are used to generate the email headers and ensure that they do not contain any newline or carriage return characters.

Having said that, I am not a programmer and am not sure how to modify the code.

This is the code in question:

#!/usr/local/bin/perl

use CGI::Carp qw(fatalsToBrowser);
require 'cgi-lib.pl';
&ReadParse(*in);
$today=&Get_Date;
$in{'comments'} =~ s/\015\012/ /g;

# enter who the mail goes to below;
$recip="info\@aw.com";

# URL for the page to be displayed after form submission;
$redirect="http://www.aw.com/thanks_contact.html";

# Path to your mail prog;
$mailprog = '/usr/sbin/sendmail';

# The subject of your mail (In the HIDDEN tag);
$subject="AM Comments";

open(MAIL,"|$mailprog -t");
print MAIL "To: $recip\n";
print MAIL "From: $in{'email'} ($in{'fname'} $in{'lname'})\n";
print MAIL "Subject: $subject\n";
print MAIL<<EOF;
This mail came from the your AM website's contact page:

Name:                        $in{'name'}
E-mail:                   $in{'email'}
Message:                  $in{'message'}

EOF
close MAIL;
open (MAILOG,">>maillog_contact.txt");
print MAILOG "$today|$in{name}|$in{email}|$in{message}|$in{field2}|$in{field3}|\n";
close MAILOG;
print "Location: $redirect\n\n";
exit;
sub Get_Date {
      @days =
        (Sunday,Monday,Tuesday,Wednesday,Thursday,Friday,Saturday);
      @months =
        (January,February,March,April,May,June,
        July,August,September,October,November,December);
      $time = time;
      ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) =
        localtime($time+($HourOffset*3600));
      $year = 1900+$year;
      $mon=$mon + 1;
      $todaydate = "$year/$mon/$mday ";
      $todaydate = $todaydate."$hour\:$min\:$sec";
}

0
Comment
Question by:franco2
  • 2
3 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 17157265
> ensure that they do not contain any newline or carriage return characters.
you better use a whitelist instead of a blacklist to sanatize input, something like:

  $in{'email'} =~ s/[^a-zA-Z0-9\.\@-]//g;

i.g. I'd never sanatize input, but reject it and abort the complete request if does not match my whitelist
0
 

Author Comment

by:franco2
ID: 17157509
Great info - not sure what a whitelist or blacklist are. Would the script look like this?


This mail came from the your AM website's contact page:

Name:                    $in{'name'}
E-mail:                 $in{'email'} =~ s/[^a-zA-Z0-9\.\@-]//g
Message:               $in{'message'}

EOF

Also, does the script need to compile once the problem is fixed. If yes - I do not have perl - how do I make the bin workable.

Again, pardon my ignorance - I am not a programmer.

Thanks in advance.
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 1400 total points
ID: 17157645
> not sure what a whitelist or blacklist are.
with a blacklist you allow anything not listed (your aproach), with a whitelist you allow anything listed (in particular that which your defined harmless:).

> Also, does the script need to compile once the problem is fixed.
no, perl is a interpreter
Only if you have fastCGI  or something similar in use, then you need to restart your server.

> Would the script look like this?
not as you did it, more like (a snippet only):

 $in{'fname'}=~ s/[^a-zA-Z'-]//g;
 $in{'lname'}=~ s/[^a-zA-Z'-]//g;
 $in{'email'} =~ s/[^a-zA-Z0-9\.\@-]//g;

Name:                    $in{'name'}
E-mail:                 $in{'email'}
Message:               $in{'message'}
EOF
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this tutorial I will show you how to provide a dynamic RTF document on your website generated with data from your database. For this tutorial you will need Microsoft Word or WordPad, WhizBase and Microsoft Access. In this tutorial I will show …
Batch, VBS, and scripts in general are incredibly useful for repetitive tasks.  Some tasks can take a while to complete and it can be annoying to check back only to discover that your script finished 5 minutes ago.  Some scripts may complete nearly …
In this fifth video of the Xpdf series, we discuss and demonstrate the PDFdetach utility, which is able to list and, more importantly, extract attachments that are embedded in PDF files. It does this via a command line interface, making it suitable …
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…
Suggested Courses

564 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question