Re: cgi-email problem...


Nick Kew

Aug 1, 2006, 7:01:06 PM
Joe TG wrote:
> Hi,
>
> I've set up a CGI-Email form located at
> http://www.knoxmachinery.com/new/leadership/index.html

Take that script down right now! What you've described is
a wide open spam tool!

> What I need to know is

some basics of online security.

--
Nick Kew

--
PLEASE NOTE: comp.infosystems.www.authoring.cgi is a
SELF-MODERATED newsgroup. aa.net and boutell.com are
NOT the originators of the articles and are NOT responsible
for their content.

HOW TO POST to comp.infosystems.www.authoring.cgi:
http://www.thinkspot.net/ciwac/howtopost.html

Joe TG

Aug 2, 2006, 1:25:10 AM
The website is not really live right now, anyway...


It's only a test site.

How do I secure this?
I was under the impression that CGI-Email was secure?

Help please, not warnings...

Bill Segraves

Aug 2, 2006, 1:53:54 PM
"Joe TG" <joe....@gmail.com> wrote in message
news:1154492685.9...@s13g2000cwa.googlegroups.com...

> The website is not really live right now, anyway...
>

Joe,

You're kidding, of course. Your site is indeed live, and open to probing for
vulnerabilities.

You may be interested to know that it does not appear to be vulnerable to
the well-known %0a exploit. I'll leave it to you to confirm this, as it is
your responsibility.

>
> It's only a test site.
>

Yes, and it's apparently open to the world.

> How do I secure this?
> I was under the impression that CGI-Email was secure?
>
> Help please, not warnings...

Well, if you are actually sending the emails that are generated, you have at
least provided a way for launching an attack on your system by flooding same
with bogus email traffic.

Note that Usenet is not a help desk, nor is Google.

Finally, why would you want to expose real email addresses to exploitation
by spammers? You should be employing some other strategy to hide the email
addresses from public view.

Cheers,
--
Bill Segraves

Paul Lalli

Aug 2, 2006, 2:15:13 PM
Joe TG wrote:
> The website is not really live right now, anyway...

Uh. You just posted the URL to it. I typed that URL. The server
responded. Just because you don't *want* or *expect* people to go to
that site doesn't mean it's not live. Moreover, you just posted the
URL to the site to a world-wide newsgroup which is archived by a number
of different sites. Your site *is* live, it's out there, and now
you're responsible.

> It's only a test site.

No. A test site is one that can only be accessed internally, and is
not available to the internet at large. Yours is.

> Help please, not warnings...

Er? Warning you that you've done something terribly wrong isn't help?
By what definition?


Paul Lalli

Joe TG

Aug 11, 2006, 11:52:59 AM
Whoa...

Help is needed here. I knew something was wrong, but not what. Listen,
I am 16 years old, and a "noob" at this. Thanks for letting me know it's
not secure, but, I am not that stupid to leave it wide open to
spammers.

The e-mail addresses aren't the real ones, I was working on that...

The CGI is not set up to actually mail anything yet...

When I do set it up to mail, it does not mail to the Knox Machinery
webmail, but will mail to other web-based e-mails.

I did not come here for warnings, I wanted to find out if there's a
reason for it not sending to my domain...

As you stated,

"Finally, why would you want to expose real email addresses to
exploitation
by spammers? You should be employing some other strategy to hide the
email
addresses from public view."

I did not come here to get help with that...

Please someone answer my original question.

Bill Segraves

Aug 11, 2006, 2:26:33 PM
"Joe TG" <joe....@gmail.com> wrote in message
news:1155307940.7...@i42g2000cwa.googlegroups.com...

> Whoa...
>
> Help is needed here.

This is not a help desk.

> I knew something was wrong, but not what. Listen,
> I am 16 years old, and a "noob" at this. Thanks for letting me know it's
> not secure, but, I am not that stupid to leave it wide open to
> spammers.
>

On the contrary, you have set up a wide-open spamming tool and given the
world the information they need to employ it.

What is it about Nick Kew's advice that you didn't understand?

> The e-mail addresses aren't the real ones, I was working on that...
>

That doesn't matter. The script you set up can be employed to send
unsolicited email to anyone (except, perhaps, those in your own domain).

> The CGI is not set up to actually mail anything yet...
>

Not true. I just sent myself a test email with it, as well as a test email
to you at your gmail address. Check your gmail to see if there's a test
message from me.

> When I do set it up to mail, it does not mail to the Knox Machinery
> webmail, but will mail to other web-based e-mails.
>

I have no way of confirming this, as I don't have a Knox Machinery email
account.

> I did not come here for warnings, I wanted to find out if there's a
> reason for it not sending to my domain...
>

OTOH, I came here to give you a warning, even though you don't like the news
that is being given to you.

> As you stated,
>
> "Finally, why would you want to expose real email addresses to
> exploitation
> by spammers? You should be employing some other strategy to hide the
> email
> addresses from public view."
>
> I did not come here to get help with that...
>

You've made your point.

Why do you persist in leaving an open email relay in place? Are you really
trying to get Knox Machinery's ISP account cancelled?

> Please someone answer my original question.

O.K. Yes.

--
Bill Segraves

Bill Segraves

Aug 11, 2006, 2:36:02 PM
"Joe TG" <joe....@gmail.com> wrote in message
news:1155307940.7...@i42g2000cwa.googlegroups.com...
> Whoa...
<snip>
> ... I wanted to find out if there's a

> reason for it not sending to my domain...

<snip>

See "9. Debug if you don't get mail" at
http://web.mit.edu/wwwdev/cgiemail/user.html

Now, please get that spam relay shut down.
--
Bill Segraves

Chris F.A. Johnson

Aug 11, 2006, 2:41:12 PM
On 2006-08-01, Joe TG wrote:
> Hi,
>
> I've set up a CGI-Email form located at
> http://www.knoxmachinery.com/new/leadership/index.html
>
> What I need to know is this...
>
> When I set up the option in the drop down menu, I set the value to the
> e-mail address, then in the cgi file, the "To:" was followed by
> [email]. (The names are correct...)
>
> When sending to a web-based e-mail address, the message will go through
> right away.
>
> BUT, when sending to my own domain (@knoxmachinery.com) the message
> does not go through, even though I do not receive an error.
>
> Is this because I am trying to send to my own domain? If so, what can I
> do to fix this problem?

Can you send mail to that address by other methods?

> SOURCE OF HTML Form -----------------------------------
>
><form method="post"
>
> action="http://www.knoxmachinery.com/cgi-bin/cgiemail/new/leadership/contact.txt">
> <div align="center">
> <label>Knox Associate:
> <select name="knoxemail" id="knoxemail">
> <option value="jay_r...@msn.com">Joe TEST</option>
> <option value="gk...@knoxmachinery.com">Greg Knox</option>
> <option value="jrat...@knoxmachinery.com">Jay Ratliff</option>
> <option value="gmcg...@knoxmachinery.com">Gregg McGuire</option>
> <option value="dbro...@knoxmachinery.com">Diane Brodbeck</option>
> <option value="hr...@knoxmachinery.com">Heather Rupp</option>
> <option value="tha...@knoxmachinery.com">Tony Harrod</option>
> <option value="nbuc...@knoxmachinery.com">Nathan Buchanan</option>
> <option value="sgar...@knoxmachinery.com">Steve Garbacik</option>
> <option value="dboy...@knoxmachinery.com">Denis Boylson</option>
> <option value="jbett...@knoxmachinery.com">Jeremy Bettinger</option>
> <option value="pma...@knoxmachinery.com">Paul Mackey</option>
> </select>
> </label></div>
> <br />Name*
> <input name="name" type="text" />
> E-mail*
> <input name="email" type="text" />
> <br /><br />Phone:
> <input name="phone" value=" " maxlength="15" />
> Subject*
> <input name="subject" maxlength="25" />
> <br /><br />Comments or Questions*<br />
> <textarea name="comment" cols="55" rows="5"></textarea>
> <p></p>
><p align="center">
> <input name="submit" type="submit" value="Submit" />
> <input name="Reset" type="reset" value="Reset" />
> <input type="hidden" name="success"
> value="http://www.knoxmachinery.com/new/products/used/thanks.html" />
></p>
></form>
>
> SOURCE OF CGI -----------------------------------------------
>
> From: [email]
> To: [knoxemail]
> Subject: [subject]
>
> [name]
> [email]
> Phone Number: [phone]
>
> Comments / Questions: [comment]
>
> -----------------------------------------------------------------------------

That's not a CGI script (it looks like a template).

> Again, this works on all web-based e-mail clients.


--
Chris F.A. Johnson <http://cfaj.freeshell.org>
===================================================================
Author:
Shell Scripting Recipes: A Problem-Solution Approach (2005, Apress)

Joe TG

Aug 11, 2006, 2:47:42 PM
You were able to send because I made it live to test it...

Again, all these warnings DO NOT HELP ME... because I do not know
exactly what I am doing. How can I make a secure e-mail form, if not
like this???

Joe TG

Aug 11, 2006, 3:00:43 PM


What other sorts of methods? Regular e-mail, yes.

That is a template for the CGI script, which is CGI-Email...

Thanks for trying to help

Paul Lalli

Aug 11, 2006, 4:19:34 PM

Joe TG wrote:
> You were able to send because I made it live to test it...

HENCE IT IS A LIVE SITE! What part of that is unclear to you? You
honestly think spammers care if they can only use your site a little
while at a time?

>
> Again, all these warnings DO NOT HELP ME.

GOOD! You are knowingly aiding spammers, and then asking us to help
you. Why should we?! Do what we're asking you to do FIRST, then ask
for help. Until then, no one here feels any compulsion to lift a
finger to help you!

> .. because I do not know
> exactly what I am doing

NO KIDDING! So why the hell do you keep ignoring everything the people
who do know what you're doing are telling you?!

>. How can I make a secure e-mail form, if not like this???

By installing an email form that's NOT a gaping security hole. By
doing a bit of research rather than taking the path of least
resistance.

Paul Lalli

Scott Bryce

Aug 11, 2006, 4:56:54 PM
Joe TG wrote:

> How can I make a secure e-mail form, if not like this???

Start here:

http://nms-cgi.sourceforge.net/scripts.shtml

And DON'T use a form that passes the recipient's email address into the
script!

What you are not seeing is that I can write a script that calls your
script repeatedly with different recipient email addresses and sends
those recipients spam. All that spam will appear to come from Knox
Machinery. And guess who gets to clean up the mess? And guess who they
are going to go after for damages when that happens?

Bill Segraves

Aug 11, 2006, 5:05:06 PM
"Joe TG" <joe....@gmail.com> wrote in message
news:1155318446....@h48g2000cwc.googlegroups.com...

> You were able to send because I made it live to test it...
>
> Again, all these warnings DO NOT HELP ME... because I do not know
> exactly what I am doing. How can I make a secure e-mail form, if not
> like this???

Joe,

First, you need to learn how to configure your Gmail response, so you can
properly quote the message to which you are replying.

Next, check to see what program is being used to send your email, e.g.,
sendmail. If you're using sendmail, look at the configuration file,
sendmail.cf, to see how sendmail is configured. A Google search for
"sendmail configuration relaying" will produce numerous links to valuable
information for you.

You need to see if "relaying" is turned on for knoxmachinery.com. It is
turned off by default, according to
http://www.sendmail.org/m4/anti_spam.html, which might explain why
knoxmachinery.com is not receiving the email that is sent by cgi-email.

See the section "Configure Relaying" at
http://www.akadia.com/services/sendmail_relay.html for an example.

Note that all of the above information was found by the undersigned via
Google searches. Google and Google Groups are your friends. Ask them before
you ask thousands of people world-wide questions for which you should have
been able to find the answer yourself.

Finally, in your template,

From: [email]
To: [knoxemail]
...

change the To: entry to a fixed email address, e.g.,

...
To: [j...@knoxmachinery.com]
...

or whatever is your real email address there. This will eliminate the open
relay for spammers.

DO IT NOW!!!!!

--
Bill Segraves

Bill Segraves

Aug 11, 2006, 5:20:19 PM
"Bill Segraves" <segrav...@mindspring.com> wrote in message news:...

> "Joe TG" <joe....@gmail.com> wrote in message
> news:1155318446....@h48g2000cwc.googlegroups.com...
<snip>

> Finally, in your template,
>
> From: [email]
> To: [knoxemail]
> ...
>
> change the To: entry to a fixed email address, e.g.,
>
> ...
> To: [j...@knoxmachinery.com]

CORRECTION: leave out the square brackets, e.g.,

To: j...@knoxmachinery.com

> ...
>
> or whatever is your real email address there. This will eliminate the open
> relay for spammers.
>
> DO IT NOW!!!!!
>

Have you done the above yet? If not, DO IT NOW!!!

Joe TG

Aug 11, 2006, 8:06:53 PM
I changed the cgi-bin/cgiemail/... to cgi-echo, which sets it to test
mode, nothing actually gets sent.

Alright, everyone, please take 10 deep breaths before flaming me about
spam. The form has not been live for more than 10 minutes at a time.

I searched Google with my problems before. Like I have said, I am a
noob. (as ALL of you were at one time.)

I came to Google groups with my problem, expecting to receive help.

Since you (not I...) have turned this into a security post, will you at
least help me through this?

My original post had nothing to do with security, but now that I
realize the risks, I would like to fix them.

How can someone hijack the form I used if I set the e-mail it gets sent
to using a drop down menu? I would like this form to be able to send to
the person of their choosing (who is on the list, of course.)

Please help, and stop warning about spam, the form's been disabled for a
long time now...

Bill Segraves

Aug 11, 2006, 8:37:46 PM
"Joe TG" <joe....@gmail.com> wrote in message
news:1155337587....@p79g2000cwp.googlegroups.com...

> I changed the cgi-bin/cgiemail/... to cgi-echo, which sets it to test
> mode, nothing actually gets sent.
>

But you didn't delete the offending template, which is still live.

> Alright, everyone, please take 10 deep breaths before flaming me about
> spam. The form has not been live for more than 10 minutes at a time.
>

No one is flaming you about spam. We're simply pointing out to you that what
you're doing is a very bad thing to do.

> I searched Google with my problems before. Like I have said, I am a
> noob. (as ALL of you were at one time.)
>
> I came to Google groups with my problem, expecting to receive help.
>

No, you came to thousands of people who are Usenet users. The fact that
Google groups also post to and archive Usenet newsgroups is irrelevant.

You expected help from Google groups. How many Google subscribers came to
your aid?

> Since you (not I...) have turned this into a security post, will you at
> least help me through this?
>

Yes.

> My original post had nothing to do with security, but now that I
> realize the risks, I would like to fix them.
>

O.K. What about following the advice that was given to you? You should not,
NO, MUST NOT, put a user-supplied email address in the "To:" field in your
template.

You haven't grasped the significance of this advice. Actually, you shouldn't
allow user-supplied data in ANY of the headers in your template, because you
can't be sure that the mail software has been patched to prevent the %0a
exploit from changing your headers.

> How can someone hijack the form I used if I set the e-mail it gets sent
> to using a drop down menu?

By not using your drop-down menu.

> I would like this form to be able to send to
> the person of their choosing (who is on the list, of course.)
>

One way to do this would be to use a unique form for each addressee, each of
which would have a unique template.

> Please help, and stop warning about spam, the form's been disabled for a
> long time now...

Hmm. The cgiemail template has been active every time I've tried it. Why
don't you just fix it so it sends the email just to you? Then you'll
eliminate the problem you're having with getting unsolicited advice.

Back to your original question. Did you check the configuration of the mail
program on your server? Is it sendmail? Or smail?

--
Bill Segraves

Paul Lalli

Aug 11, 2006, 8:33:03 PM
Joe TG wrote:
> I changed the cgi-bin/cgiemail/... to cgi-echo, which sets it to test
> mode, nothing actually gets sent.
>
> Alright, everyone, please take 10 deep breaths before flaming me about
> spam. The form has not been live for more than 10 minutes at a time.

My god. Stop trying to defend what you did, and just accept that it
was wrong. Why are you so damned concerned about people bruising your
ego about your mistake?

> I searched Google with my problems before. Like I have said, I am a
> noob. (as ALL of you were at one time.)

I have no idea what makes you think that's a justifiable excuse for
continuously ignoring the suggestions, recommendations, and requests of
those who are NOT any longer "noob"s.

> I came to Google groups

This is not Google Groups. This is Usenet. Google is nothing more
than an archive of previous Usenet postings and one of about a thousand
different interfaces to Usenet. See that little notice at the top of
each posting page that tells you "you are posting to a Usenet group"?
You should pay attention to that.

> with my problem, expecting to receive help.

YOU DID receive help. Just because it was not the help you were
originally going for does not mean it wasn't help. Stop insulting the
help you've received and the people who've given it to you.

> Since you (not I...) have turned this into a security post,

YOU should have made it a security post right from the start. That's
the point everyone's trying to make with you. An analogy: You posted
about a car that has no brakes, asking how to go about making it turn
right. People are screaming at you to stop driving the car until you
put brakes on it, and you're getting pissy that they "won't help" you
with the steering.

> will you at least help me through this?
>
> My original post had nothing to do with security, but now that I
> realize the risks, I would like to fix them.
>
> How can someone hijack the form I used if I set the e-mail it gets sent
> to using a drop down menu?

You are under a massive misconception that people need to use your form
in order to access your CGI script. They do not. Anyone can send any
HTTP request - POST or GET - to your script. Your form is only 1 way
to get to it.

> I would like this form to be able to send to
> the person of their choosing (who is on the list, of course.)

Then you put that in the code of the cgi script. You require that the
recipient chosen is a valid recipient. That must be at the CGI script
level. Putting it in the form does nothing.

> Please help, and stop warning about spam, the form's been disabled for a
> long time now...

The form has been disabled or the CGI script has been disabled? Those
are two massively different things.

Paul Lalli

Joe TG

Aug 11, 2006, 9:06:57 PM
So, is there a problem with security in the CGI-Email script, or just
with my template?

Bill Segraves

Aug 12, 2006, 12:17:10 AM
"Joe TG" <joe....@gmail.com> wrote in message
news:1155341194.1...@p79g2000cwp.googlegroups.com...

> So, is there a problem with security in the CGI-Email script, or just
> with my template?

JOE!

You're sending a question to thousands of people, with no clue as to the
context. How about using the quoting that Google provides for you?

The problem with your template is/was that you used a user-provided email
address in the To: header. Don't do that!!!!!!!
--
Bill Segraves

Scott Bryce

Aug 12, 2006, 12:44:01 AM
Joe TG wrote:
> So, is there a problem with security in the CGI-Email script, or just
> with my template?


I don't know anything about cgi-email. (I am assuming that cgi-email is
the name of a particular script.) I can't answer the question you asked.
I will say this, though someone else has already said it...

Your script MUST NOT send email to an email address that was passed to
it. That is the security risk.

You are overlooking the fact that one need not use your form to call
your script. As I mentioned earlier, I can write a script that will call
your script repeatedly with different email addresses sending spam to
each address and looking like the spam came from Knox Machinery. I don't
have to go to your site to do this. I could run the script from the
machine that is sitting on my desk. Or I could run it from my laptop
while connected to the internet via WiFi at the library.

Use your drop down list to allow a user to select a recipient, but DON'T
PASS THE EMAIL ADDRESS INTO THE SCRIPT! Pass some identifier that will
tell the script who the intended recipient is. The script will compare
this identifier with a list of acceptable identifiers, then determine
the recipient's email address based on the identifier.

Yes, we were all noobs once. And I made a lot of mistakes as a noob. (I
probably still do. I'm still learning) If I had run into this thread
when I was a noob, I would have learned what I could from it and
re-written my formmail scripts based on the advice in the thread.
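The recipient-by-identifier design that Scott Bryce and Paul Lalli describe, worked through as an added example; this is not cgiemail's code or anything posted in the thread. It assumes a Python CGI handler, a form field named recipient whose option values are keys such as sales (never addresses), placeholder addresses and sender, and a local sendmail binary; every header is a fixed string, user data only reaches the body, and the script itself refuses unknown recipients and CR/LF in single-line fields.

```python
import os
import subprocess
import sys
from urllib.parse import parse_qs

# The recipient table lives in the script. The form's <option value="sales">
# submits only this key; the addresses here are placeholders.
RECIPIENTS = {"sales": "sales@example.com", "support": "support@example.com"}
FIXED_FROM = "webform@example.com"  # placeholder, never user data
# Length caps per field; "comment" is the only field allowed to span lines.
LIMITS = {"recipient": 20, "name": 60, "email": 100, "phone": 15,
          "subject": 25, "comment": 4000}

class FormRejected(ValueError):
    """Raised for any submission that must not be turned into mail."""

def clean_field(fields, key, multiline=False):
    """Exactly one value, length-capped, no CR/NUL, and no LF unless the
    field is body-only text (multiline=True)."""
    values = fields.get(key, [""])
    if len(values) != 1:
        raise FormRejected(f"{key}: expected exactly one value")
    value = values[0]
    if "\r" in value or "\x00" in value or ("\n" in value and not multiline):
        raise FormRejected(f"{key}: control characters not allowed")
    if len(value) > LIMITS[key]:
        raise FormRejected(f"{key}: longer than {LIMITS[key]} characters")
    return value.strip()

def resolve_recipient(fields):
    """Map the submitted identifier to an address; unlisted keys are refused."""
    key = clean_field(fields, "recipient")
    if key not in RECIPIENTS:
        raise FormRejected("recipient: not on the list")
    return RECIPIENTS[key]

def build_message(fields):
    """Return (to_address, message_text). Every header is a fixed string; the
    submitted subject and address go into the body, so a field containing
    newlines can only add lines to the body, never a header."""
    to_addr = resolve_recipient(fields)
    body = {k: clean_field(fields, k, multiline=(k == "comment"))
            for k in ("name", "email", "phone", "subject", "comment")}
    headers = [f"From: {FIXED_FROM}", f"To: {to_addr}",
               "Subject: Web form submission", "Content-Type: text/plain"]
    lines = [f"{k.capitalize()}: {v}" for k, v in body.items() if k != "comment"]
    lines += ["", "Comments / Questions:", body["comment"]]
    return to_addr, "\n".join(headers) + "\n\n" + "\n".join(lines) + "\n"

def check(fields):
    """None if the submission would be mailed, otherwise the rejection reason."""
    try:
        build_message(fields)
    except FormRejected as exc:
        return str(exc)
    return None

if __name__ == "__main__":
    # Assumed deployment: CGI POST body on stdin, message piped to the local
    # sendmail with -i (a lone "." line cannot end it); recipient is an argument.
    raw = sys.stdin.read(int(os.environ.get("CONTENT_LENGTH", "0")))
    try:
        to_addr, text = build_message(parse_qs(raw, keep_blank_values=True))
        subprocess.run(["/usr/sbin/sendmail", "-i", to_addr], input=text.encode(), check=True)
        print("Status: 303 See Other\nLocation: /thanks.html\n")
    except FormRejected as exc:
        print(f"Status: 400 Bad Request\nContent-Type: text/plain\n\n{exc}")
```

Because the address comes from RECIPIENTS rather than the request, a script that calls the handler with arbitrary addresses, as Scott describes, gets nothing but 400 responses.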

Bruce Lewis

Aug 13, 2006, 11:29:12 PM
"Joe TG" <joe....@gmail.com> writes:

> So, is there a problem with security in the CGI-Email script, or just
> with my template?

The security problem in your case can be fixed by changing your
template. One could argue, though, that cgiemail's design is wrong to
allow you to make the template you made.

In 1995, when I first released cgiemail, spam was a marginal problem.
Most email messages were not spam, and a lot of people reported every
single piece of spam they received, since it wasn't a lot of work. In
that environment, cgiemail's insertion of a Received: header to show
where the HTTP request came from was sufficient.

Today it doesn't matter if you know where the spam is coming from. It
swarms in like locusts from all kinds of places, and swatting it down
doesn't seem effective. A lot of people, especially those who remember
the days before spam, are upset about this, so you can expect heated
responses when you open up a potential channel for spam.

Usenet is a very useful medium, but you have to be thick-skinned.

There is a way to use cgiemail with a dropdown box, if and only if the
addresses to be chosen are the same except for a short substring. For
example, bo...@example.com, bo...@example.com, bo...@example.com.

In your form the values for the input "box" would be "1", "2" and "3".
Then in your template you could put To: box[%-1.1s,box]@example.com
without opening things up to spam.

--

http://ourdoings.com/ Easily organize and disseminate news and
photos for your family or group.
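Bruce Lewis's one-character trick, worked through with an added mini template expander that is not cgiemail's own code. It assumes, from his post, that cgiemail's [%fmt,name] tag applies a C printf-style width and precision to the field, so %-1.1s keeps only the first character; unknown fields expanding to "" is this example's choice, and the addresses are placeholders.

```python
import re

# One [%fmt,name] or [name] tag; fmt is limited to printf %s with flags,
# width and precision, which is all Bruce's example needs.
TAG = re.compile(r"\[(?:(%[-+ 0#]*\d*(?:\.\d+)?s),)?([A-Za-z_]\w*)\]")

def expand(template, fields):
    """Expand a cgiemail-style template. Unknown fields become "" (this
    example's choice). Python's % operator follows the same width and
    precision rules as C printf, so %-1.1s keeps only the first character."""
    def sub(match):
        fmt, name = match.group(1), match.group(2)
        value = fields.get(name, "")
        return value if fmt is None else fmt % value
    return TAG.sub(sub, template)

def header(message, name):
    """Value of header `name` in the expanded message, or None if absent."""
    head = message.split("\n\n", 1)[0]
    for line in head.split("\n"):
        if line.lower().startswith(name.lower() + ":"):
            return line.split(":", 1)[1].strip()
    return None

# Joe's template versus Bruce's: the recipient field is user data either way,
# but in Bruce's only one character of it can reach the address, and that
# character can only pick among box?@example.com.
OPEN_TEMPLATE = "From: [email]\nTo: [knoxemail]\nSubject: [subject]\n\n[comment]\n"
FIXED_TEMPLATE = ("From: webform@example.com\nTo: box[%-1.1s,box]@example.com\n"
                  "Subject: Web form submission\n\n[comment]\n")
```

Note that the truncation only confines the address to the example.com pattern; a submitted "9" still yields box9@example.com, which is why Bruce limits the trick to addresses that differ by a short substring.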
