
Re: [PBML] web form vulnerability

  • Luinrandir Hernsen
    Message 1 of 6, Jun 16 8:44 AM
      I am also interested in script vulnerability.

      The Mailform.pl found at http://www.scriptarchive.com/
      has security written into it... Is there anyone here who would like to research this with me
      so that the security could be used in any cgi/perl script?

      Luinrandir
      still learning perl and loving it!


      ----- Original Message -----
      From: kjhseka
      To: perl-beginner@yahoogroups.com
      Sent: Monday, June 14, 2004 2:35 AM
      Subject: Re: [PBML] web form vulnerability


      Hello and thanks for your reply.

      Yes, I know, the script is poor because I'm a beginner in Perl and I
      should install the script you suggested.

      But I would also like to improve myself and learn to write better
      scripts.

      The first step to improving is understanding exactly why my script is very
      poor. I have the following questions:

      1) Can I improve this script, starting from it to write a better script,
      or perhaps add a security function that strips and gets rid of any
      special characters such as \n ; ?

      2) Why doesn't the following work?

      foreach $pair (@pairs)
      {
          ($name, $value) = split(/=/, $pair);
          $value =~ tr/+/ /;   # the =~ applies the regular expression to $value rather than $_
          $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;   # URL-decode %XX escapes
          $value =~ s/<!--(.|\n)*-->//g;   # strip HTML comments
          $value =~ s/<([^>]|\n)*>//g;     # strip HTML tags
          $FORM{$name} = $value;
      }

      So, if I could improve this very bad code at least a bit, it would be
      better than installing someone else's script.

      What do you think about that ?

      Alphonse

      --- In perl-beginner@yahoogroups.com, "Charles K. Clarkson"
      <cclarkson@h...> wrote:
      > kjhseka <kjhseka@h...> wrote:
      >
      > : I'm a relative newbie in Perl and I'm not very expert with it.
      > : Consequently I have a big problem with my web form processing
      > : script. The problem is: the form is insecure. Spammers use
      > : the form on the web to send a lot of spam.
      > :
      > : Spammers send SPAM using my send email form. They write something
      > : like this
      > :
      > : \nBCC:<a lot of email>
      > :
      > : Somewhere in my form, probably in the email field. You can see an
      > : example of this form here:
      > :
      > : http://www.seduction-rapide.com/contact.html
      > :
      > : Users of my sites using my scripts can write any info in the header
      > : of the email form, and that is the main problem!
      > :
      > : I tried with :
      >
      > [snipped really bad code]
      >
      > Go get a free script called TFMail from:
      > http://nms-cgi.sourceforge.net/. It has a lot of security
      > features and was written by experts. It will take some time to
      > install, but it is definitely worth it.
      >
      > The script you are using is written very poorly. Delete it.
      > You have run into one very good reason not to keep it around.
      >
      >
      > HTH,
      >
      > Charles K. Clarkson
      > --
      > Mobile Homes Specialist
      > 254 968-8328
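As an added illustration (this is not code from the original thread, nor from Mailform.pl or TFMail), the script below runs the clean-up steps Alphonse posted against a constructed "email" field of the kind he describes, then shows a stricter check for any value that will be placed in a mail header. The point it makes: the four substitutions remove HTML comments and tags, but none of them mentions \r or \n, and the %XX decoding line is precisely what turns a submitted %0A into a real line break, so the injected Bcc: line lands in the outgoing headers. The recipient address `webmaster@example.com`, the sample field value, and the function names `original_clean`, `header_safe_email` and `build_message` are assumptions for this example only.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample of a hostile "email" field as it arrives in the
# request body: the newline is URL-encoded as %0A, exactly the form
# the %XX decoding line below turns back into a real line break.
my $hostile_field = 'visitor@example.com%0ABcc:spam1@example.net,spam2@example.net';

# The clean-up steps from the original post, applied to one value.
# They URL-decode and strip HTML comments and tags; none of the four
# substitutions mentions \r or \n, so a decoded newline survives.
sub original_clean {
    my ($value) = @_;
    $value =~ tr/+/ /;
    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
    $value =~ s/<!--(.|\n)*-->//g;
    $value =~ s/<([^>]|\n)*>//g;
    return $value;
}

# Stricter check for any value that will be placed in a mail header.
# Reject (do not silently rewrite) anything containing CR or LF, cap
# the length, and require a single plausible address. Returns undef on
# failure so the caller can refuse to send.
sub header_safe_email {
    my ($value) = @_;
    return undef if $value =~ /[\r\n]/;         # header injection attempt
    return undef if length($value) > 254;       # conservative length cap
    return undef unless $value =~ /\A[\w.+-]+\@[\w-]+(?:\.[\w-]+)+\z/;
    return $value;
}

# Assemble the message text so it can be inspected without an MTA.
# The recipient is fixed in the script (assumed address); the visitor's
# address only ever goes into From/Reply-To, and only after validation.
sub build_message {
    my ($from, $body) = @_;
    my $to = 'webmaster@example.com';
    $body =~ s/\r\n?/\n/g;                      # newlines in the body are harmless
    return "To: $to\nFrom: $from\nReply-To: $from\n"
         . "Subject: Contact form\n\n$body\n";
}

# 1. What the original clean-up produces: the %0A becomes "\n", and the
#    Bcc: line lands inside the header block of the outgoing mail.
my $decoded = original_clean($hostile_field);
print "newline present after original_clean: ", ($decoded =~ /\n/ ? "yes" : "no"), "\n";
print "--- header block the old script would send ---\n";
print build_message($decoded, "hello"), "\n";

# 2. The same decoded value against the stricter check, beside a benign one.
for my $candidate ($decoded, 'visitor@example.com') {
    (my $shown = $candidate) =~ s/\n/\\n/g;     # make the newline visible
    my $ok = header_safe_email($candidate);
    printf "%-60s => %s\n", $shown, defined $ok ? "accepted" : "rejected";
}
```

Run it with `perl` on its own; nothing is sent and no network access is needed. The design choice worth noting is that the stricter check refuses the request instead of stripping the offending characters: deleting \n from `visitor@example.com\nBcc:...` would still leave `Bcc:...` glued onto the address, whereas rejecting the value and keeping the To: address hard-coded in the script leaves the attacker nothing in the header to control.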