
small FORM ISE 2

Status
Not open for further replies.

sulfericacid

Programmer
Aug 15, 2001
244
US
Hello everyone,

I am getting an internal server error (ISE) when trying to run my perl form. The script is below, please let me know if you notice any bugs which may have caused it to be non functional.

Thanks.

script:
#!/usr/bin/perl
print "Content-type: text/html\n\n";

######################################################################
##########################VARIABLES/MUST EDIT########################

# Change with your email account
$adminemail='sulfericacid@qwest.net';

# Change to correct path of sendmail
$sendmail='/usr/sbin/sendmail';

# Homepage url, do not link to form, use your index. Ie. "$homepage='
# Change to enclosure. Ie. "Sincerly yours"
$thanks='Thank you for visiting our site, please come again!';

# Change to autoresponse.
$autoresponse ='This is an autoresponse from SpyderSubmission. Your message was received. If you are awating a response, please allow upto 8 hours';

use CGI qw(:standard);

my $adminemail = param("adminemail");
my $webmastername = param("webmastername");
my $recipientemail = param("recipientemail") ;
my $visitorname = param("visitorname");
my $weburl = param("weburl");
my $subject = param("subject");
my $subject2 = param("subject2");
my $message = param("message");
my $autoresponse = param("autoresponse");


######################################################################
#######################EMAIL TO VISITOR/DON'T EDIT######################
open(MAIL,"|$sendmail -t");
print MAIL "To: $recipientemail\n";
print MAIL "From: $adminemail\n";
print MAIL "Subject: $subject\n";
print MAIL "Greetings, $visitorname\n\n";
print MAIL "$autoresponse\n\n";
print MAIL "You wrote-$message\n\n";
print MAIL "$thanks\n";
print MAIL "$webmastername\n";
print MAIL "mailto:$adminemail\n";
print MAIL "$homepage\n";
close(MAIL);

######################################################################
#######################EMAIL TO ADMIN/DON'T EDIT#######################
open(MAIL,"|$sendmail -t");
print MAIL "To: $adminemail\n";
print MAIL "From: $recipientemail\n";
print MAIL "Subject: $subject2\n";
print MAIL "Name- $visitorname\n";
print MAIL "Email- $recipientemail\n";
print MAIL "URL- $weburl\n";
print MAIL "Message- $message\n";
close(MAIL);

######################################################################
#############################Page Printing############################
print <<"EOF";

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>SpyderSubmission- Professional Submission and Marketing Services</title>

<META NAME="Keywords" CONTENT="submission,promotion,website,site,free,e-business,search engines,url submission,url,search,engines,increase,traffic,web site promtion,submissions,nothernlight,hotbot,google,search engine promotion,higher ranking,hits,marketing,automatic promotion,banner ads,banner design,aol,professional,services,professional services,web design,custom scripting, custom programming,programming,tutorials">
<META NAME="Description" CONTENT="Free and fee-based website submission/marketing services. Find out how to drive more customers to your site with our state-of-the-art tools!">
<META NAME="Author" CONTENT="Aaron Anderson">
<META NAME="Copyright" CONTENT="SpyderOnline 1999-2003">
<META NAME="Creator" CONTENT="Aaron Anderson">
<META NAME="Publisher" CONTENT="Aaron Anderson">
<META NAME="Distribution" CONTENT="Global">
<META NAME="Rating" CONTENT="General">
<META NAME="Robots" CONTENT="All">
<META NAME="Revisit-After" CONTENT="7 Days">
<LINK REV=made href="mailto:sulfericacid\@spydersubmission.com">
<link rel="STYLESHEET" type="text/css" href=" </head>


<body>

<table width="99%" summary="header" align="center" cellpadding="0" cellspacing="0">
<tr>

<td width="50%"> <img src=" alt="Logo" width="96"><br>
</td>
<td width="50%" align="center">
<! --- add banner here --->
</td>
</tr>
</table>
<table summary="" width="99%" height="15" cellpadding="0" cellspacing="0" border="0" align="center">
<tr>
<td class="s"> 

</td>
</tr>
</table>
<table summary="" width="99%" cellpadding="4" cellspacing="0" border="0">
<tr>

<td width="50%">  <a href=" <td width="50%" align="right">
</td>
</tr>
</table>
<table summary="" width="99%" height="32" cellpadding="0" cellspacing="0" border="0" align="center">
<tr>

<td class="t">  <a href=" <img src=" alt="">
<a href=" <img src=" alt="" border="0">
<a href=" <img src=" alt="">
<a href=" <img src=" alt="">
<a href=" target="_blank">Order</a>
<img src=" alt=""> <a href=" </td>
</tr>
</table>
<!--BODY starts here-->
<table width="99%" height="250" align="center" summary="Body">
<tr>
<td>
<center><p><font color=blue>Thank You!</font></p></center>
<p></p>
<p></p>
<p>Your submission was received and is currently being processed. If you are awaiting for a response, please allow up to 5-8 hours.</p>
<p></p>
<p>In the mean time, why not check out the rest of the site? We have many things to offer for the designing of websites and the submission/marketing of businesses.</p>
<p></p>
<p>Regards,</p>
<p>President</p>
<p><a href="mailto://sulfericacid\@qwest.net">Aaron Anderson</a></p>
</td>
</tr>
<tr>
<td align="center"><img src=" src=" src=" src=" src=" src=" </td>
</tr>
</table>
<!--BODY ends here-->
<table width="99%" height="32" cellpadding="0" cellspacing="0" border="0" summary="footer">
<tr>

<td class="t">  <a href=" <img src=" alt=""> <a href=" Gen </a> <img src=" alt="">
<a href=" Analysis </a> <img src=" alt="">
<a href=" Scripts</a>
<img src=" alt=""> <a href=" <img src=" alt=""> <a href=" Research</a> </td>
</tr>
</table>
<br>

<table width="99%" summary="footer">
<tr>
<td>
<!-- Replace the contact information below with your site's information. You may remove the Powered By Free Site Templates but I always appreciate a link -->

<p>© SpyderSubmission. SpyderSubmission.com, the domain, and all content in part or in whole is copyright SpyderSubmission 1999-2002. No portion of this site may be reproduced without prior consent from district offices. Page design by SpyderOnline.
</td>
</tr>
</table>
</body>
</html>

EOF
 
sulphuricacid,

First and foremost, here's the obligatory FAQ reference:
Now, having gotten that out of my system, I've seen three causes for this:

1. Perl is not where it's supposed to be according to the shebang line. Use
Code:
which perl
to verify the location of your copy of Perl.

2. The script is not outputting a proper content type header followed by two newlines. You're doing this, however, I note that you're using the CGI.pm module. Given this, please take a moment to review
Code:
perldoc CGI
. That shows the preferred way to print the header and also shows how to prevent multiple headers from being printed.

3. There is something wrong with your script that prevents it from running. Here are some strategies to use to determine what (in no particular order):

a) Change your shebang line to
Code:
#!/usr/bin/perl -wT

This enables warnings and taint mode, which will a) alert you to sloppy or confusing programming practices and b) help prevent people from misusing your system through your script. For more information, please review perlfaq9.

b) Add this line immediately after the shebang line:

Code:
use strict;

This imposes a number of coding practises and will almost certainly help you troubleshoot the real problem by correcting the code that leads to it.

c) Trigger the error and then review the error log, e.g.
Code:
tail /var/logs/wherever/your_error.log
. If you don't know where your logs are stored, contact your administrator.

d) Try running your script from your command line with the following command (assuming you've made the earlier changes):
Code:
perl -wTc scriptname.pl
(or whatever you're calling it). If you get a prompt for name/value pairs, press Ctrl+D (Unix) or Ctrl+Z (Windows). Most likely, you'll get an error message.

These steps will help you locate the error and write a more secure application. However, there are some other random things to consider:

1. You are allowing the script to specify the email address for the administrator and the recipient. This means your script will be a spammer's paradise, because they can easily spoof these settings using commonly available tools and then use your server to relay spam to other people.

This will, of course, annoy your admin to no end. (I know; I've been there).

This is a common failing of "free" template scripts, including the oft-used formmail.pl (which is a known security hazard).

Don't do this.

Instead, you should either hardcode these addresses in your scripts (and prevent people from reading the source) _or_ (my preference) store that information in either a database or a configuration file stored outside of your public document path. Thus, only your script knows the addresses, not the browser sending the messages.

2. You are not checking the return values to sendmail. Not a good idea. How do you know whether or not the message was sent?

3. I note that your copyright is tagged 2003. If you're channelling this from the future, please post the trading prices of the Fortune 500 so we can all benefit. :)

Secure CGI programming is not overly difficult, however, it's also something that needs careful thought. I highly recommend "Writing CGI Applications with Perl" (ISBN: 0201710145), which is designed to demonstrate secure CGI programming practices. It's also ~$32/US at and well worth the investment.

hope this helps...

-- Lance
 
Try escaping the '@' in the email address.


sulfericacid\@qwest.net


 
footpad,

Thanks for all that information! I have not tried changing anything yet, but I bet the error will be solved within the links or message you sent.

I must say I am really new to perl but I am trying to start by making a few small programs.

I never thought about how anyone could use this as a spammers tool. The script will hold the email addresses, no one else can view the source and see them. How could this still be used as spam? That did generate an idea for me, which will take a while to figure out how this is done. I will end up making probably 4 files in my completed zip file for people to download. 1)form.pl 2)setup.pl (this will store the common configs such as email addresses) 3)Header.html 4)Footer.html

Do you think splitting them up in different files is a good idea? Does it increase the security?

This is copyright 2002 for the present script but will be 2003 by the time the real functional script is out. I will start a new website with free cgi scripts designed by us. After a while and used to perl we are planning on making larger and complex scripts we hope to sell. This one will definitely be free.

Thanks for your help!

sulfericacid
 
Poplarman,

Thanks for the tip. Some people tell me you need to escape email addresses while others say you don't have to.

Does this depend on how the script is written or should you always escape them?

Thanks.

Aaron

 
escape @ symbol when double quoting not when single quoting
 
sulfericacid,

>> How could this still be used as spam?

Your main problem lies with these two lines:

Code:
print MAIL "To: $recipientemail\n";
#...
print MAIL "To: $adminemail\n";

You are not validating the data in any way. You're not checking to see if it's a valid email address or even one that you're expecting. This means that your current script will happily send messages to any old address submitted by the browser, even addresses containing sets of multiple addresses separated by commas.

This becomes a spammers' tool because it's trivial to write a program to submit CGI requests that are sent without displaying your web page, meaning I can write another Perl script (using the LWP CPAN module) to tell your script to send email.

In turn, this means I can send a lot of CGI requests in short order.

I've never done this, but others have. There is, for example, a similar script called formmail that has a very similar design (and flaw) to yours. A lot of people use this on their websites to send feedback.

Spammers look for web sites that have the formmail.pl script installed and available. When they find one, they send a test message to see if it sends email to other places. Once they determine that it does, they fire up their automated tools and go to town.

In very short order, your administrator will start receiving a firestorm of bounced messages and angry replies.

I've watched it happen. Since you're looking to send one message to the person submitting their site, I would suggest you create a database, log their email address and other vitals, and then check to see if you've already received their submission within a reasonable time frame.

If so, I'd display a page explaining that they'd already submitted their vitals, the date you sent them on, and so forth.

The main idea is to look for ways that people can make your script do things you didn't think of. In this case, I can use your current incarnation to send email to other people, lots of other people.

For example, suppose I submit a recipient containing multiple addresses? It'll be copied to each and every one. (This is one way that formmail gets abused.)

You might consider taking a look at the free scripts posted at which provide more secure alternatives than many being used. These will be good starting places for your work.

Also, is a good online tutorial for designing CGI scripts well. It's got a bit of attitude, but that's not necessarily a bad thing. This information is rock solid.

Hope this helps...

-- Lance

P.S. One reason I know this about formmail is because I help administer a Web-host and have seen this in action.

Bottom line: don't let the browser provide any more information than absolutely necessary and don't trust any data submitted as part of the request.
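As an added example (this is not the original poster's script and not code from either reply), here is how the two mail-sending sections could be rewritten along the lines footpad describes in both replies: the administrator's address is fixed in the script rather than read from the request, the visitor's address is accepted only if it is a single address with no commas, whitespace or line breaks, the recipient is handed to sendmail on its command line instead of being pulled from a user-supplied To: header via -t, and the result of every open/print/close is checked instead of ignored. The addresses, the sendmail path and the parameter names are placeholders; the database check for repeat submissions is not included.

```perl
#!/usr/bin/perl -wT
# Added example, not the poster's script: hardened mail sending for the form.
# Addresses, paths and parameter names below are assumed placeholders.
use strict;
use warnings;
use CGI qw(:standard);

# Fixed settings, never taken from the request, so the browser cannot choose
# who receives mail. In practice read these from a config file that lives
# outside the public document path.
my $ADMIN_EMAIL = 'admin@example.invalid';   # placeholder
my $SENDMAIL    = '/usr/sbin/sendmail';      # assumed path

# Accept exactly one address: one local part, one '@', one domain, and none
# of the characters that would smuggle in extra recipients or extra header
# lines (commas, semicolons, whitespace, CR/LF, angle brackets). The local
# part must start with a letter or digit so it can never look like an option.
# The regex capture also untaints the value for taint mode.
sub clean_email {
    my ($raw) = @_;
    return undef unless defined $raw;
    return undef if length($raw) > 254;
    return undef if $raw =~ /[\s,;<>]/;
    if ($raw =~ /\A([A-Za-z0-9][A-Za-z0-9._%+-]*\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\z/) {
        return $1;
    }
    return undef;
}

# Header values (Subject, Name) must stay on one line: strip CR/LF so the
# submitter cannot append further headers such as Bcc:, and cap the length.
sub clean_header {
    my ($raw, $max) = @_;
    $raw = '' unless defined $raw;
    $raw =~ s/[\r\n]//g;
    $raw = substr($raw, 0, $max) if length($raw) > $max;
    return $raw;
}

# Send one message to an already-validated recipient. The recipient and the
# envelope sender are given on the command line (no -t), so nothing in the
# message text can add addresses. Returns 1 on success, 0 on any failure;
# close() is false when sendmail exits non-zero.
sub send_mail {
    my ($to, $from, $subject, $body) = @_;
    $ENV{PATH} = '/usr/bin:/bin';             # taint mode requires a clean PATH
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
    open(my $mail, '|-', $SENDMAIL, '-oi', '-f', $from, $to) or return 0;
    print {$mail} "To: $to\n", "From: $from\n", "Subject: $subject\n\n", $body
        or do { close($mail); return 0 };
    return close($mail) ? 1 : 0;
}

print header();   # CGI.pm prints the Content-type header once, correctly

my $visitor = clean_email(scalar param('recipientemail'));
unless ($visitor) {
    print "<p>Please supply a single valid e-mail address.</p>\n";
    exit;
}
my $name    = clean_header(scalar param('visitorname'), 80);
my $subject = clean_header(scalar param('subject'), 120);
my $message = param('message');
$message = '' unless defined $message;

# One copy to the visitor, one to the fixed admin address; both results checked.
my $ok_visitor = send_mail($visitor, $ADMIN_EMAIL, $subject,
    "Greetings, $name\n\nYour message was received.\n");
my $ok_admin = send_mail($ADMIN_EMAIL, $ADMIN_EMAIL, "Submission from $name",
    "Name: $name\nEmail: $visitor\n\n$message\n");

if ($ok_visitor && $ok_admin) {
    print "<p>Thank you! Your submission was received.</p>\n";
} else {
    print "<p>Sorry, your message could not be sent. Please try again later.</p>\n";
}
```

The point of the two clean_ functions is that a value containing "a\@x.com, b\@y.com" or an embedded newline is rejected or stripped before it ever reaches sendmail, so a request crafted with LWP gets the same treatment as one from a browser. Keeping -t out of the sendmail command matters as much as the validation: with -t, whatever ends up in the To:, Cc: or Bcc: headers of the message body decides where the mail goes.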
 
Footpad,

Ok, I understand now how it could be used as spam. I never thought about multiple recipients, that could be a problem. I normally use an email validation such as search for @. I have decided to split this into separate files. One for the main configs and one for the script itself. This should help make it a little more secure.

Thanks for all your help!

Aaron
 