Homework Help; Internet Server Environments-FormMail and CGI scripts?
04-28-2014, 12:15 AM
Post: #1
I am trying to follow all the guidelines to modify the Perl CGI script FormMail. This is a homework assignment; however, I am not confident I am doing it right. I understand the modifications of the Perl script that I need to make; however, after downloading and extracting the FormMail.pl file and opening it in Notepad, the script isn't as specific as the instructions.

Below are the outline instructions, followed by the modifications I made, copied and pasted. Would someone please take a minute to look it over and tell me if I am doing this correctly?

Instruction: You'll need to modify

- $mailprog - defines the path of the sendmail program on your Unix system

- @referers - allows forms to be located only on servers which are defined in the field. ENTER "199.224.80.134"

- @recipients - defines the e-mail addresses or domain names that e-mail can be sent to. Set one of the email addresses as "edserve@penn.com"

- @valid_ENV - allows the sysadmin to define what environment variables can be reported via the env_report directive. Add the ENV variable "HTTP_REFERER" to the script; it will provide the URL a user was submitting from.


Modification:

#!/usr/bin/perl
##############################################################################
# FormMail Version 1.93 #
# Copyright 1995-2009 Matt Wright mattw@scriptarchive.com #
# Created 1995-06-09 Last Modified 2009-07-14 #
# Matt's Script Archive, Inc.: http://www.scriptarchive.com/ #
##############################################################################
# COPYRIGHT NOTICE #
# Copyright 1995-2009 Matthew M. Wright All Rights Reserved. #
# #
# FormMail may be used and modified free of charge by anyone so long as this #
# copyright notice and the comments above remain intact. By using this #
# code you agree to indemnify Matthew M. Wright from any liability that #
# might arise from its use. #
# #
# Selling the code for this program without prior written consent is #
# expressly forbidden. In other words, please ask first before you try and #
# make money off of my program. #
# #
# Obtain permission before redistributing this software over the Internet or #
# in any other medium. In all cases copyright and header must remain intact. #
##############################################################################
# ACCESS CONTROL FIX: Peter D. Thompson Yezek #
# XSS + REDIRECT FIX: Francesco Ongaro, Giovanni Pellerano & Antonio Parata #
# v1.93 http://www.ush.it/team/ush/hack-formmail_192/adv.txt #
##############################################################################
# Define Variables #
# Detailed Information Found In README File. #

# $mailprog defines the location of your sendmail program on your unix #
# system. The flags -i and -t should be passed to sendmail in order to #
# have it ignore single dots on a line and to read message for recipients #

$mailprog = '/usr/lib/sendmail -i -t';

# @referers allows forms to be located only on servers which are defined #
# in this field. This is a security fix to prevent others from using your #
# FormMail script on their web site. #

@referers = ('scriptarchive.com','199.224.80.134');

# @recipients defines the e-mail addresses or domain names that e-mail can #
# be sent to. This must be filled in correctly to prevent SPAM and allow #
# valid addresses to receive e-mail. Read the documentation to find out how #
# this variable works!!! It is EXTREMELY IMPORTANT. #
# The address must be a quoted string; an unquoted bareword is a syntax error
# under 'use strict' and is silently mis-parsed without it.
@recipients = &fill_recipients('edserv@penn.com');

# ACCESS CONTROL FIX: Peter D. Thompson Yezek #
# @valid_ENV allows the sysadmin to define what environment variables can #
# be reported via the env_report directive. This was implemented to fix #
# the problem reported at http://www.securityfocus.com/bid/1187 #

# HTTP_REFERER added per the assignment so env_report can include the
# URL of the page the form was submitted from.
@valid_ENV = ('REMOTE_HOST','REMOTE_ADDR','REMOTE_USER','HTTP_USER_AGENT','HTTP_REFERER');

# Done #
##############################################################################
Thanks, Chris, for your advice; I will definitely put it in my toolbox for future knowledge. This seems to be much more difficult than I expected. Unfortunately, for this one, as outlined in the assignment instructions and guidelines, I have to use Matt's Scripts!

04-28-2014, 12:23 AM
Post: #2
"Matt's Scripts", as they were known, contain some of the worst coding practices around. If you look at his website, he explains he used many of these scripts as a learning exercise.

As a result, many of them - including FormMail - have holes in them that allow attackers to take advantage.

Instead of using Matt's Scripts, use NMS ("not Matt's scripts") for working replacements written with good coding style and customisability in mind.

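As an added example (not code from this thread, from FormMail, or from NMS), the following stand-alone Perl script shows what the three allowlists edited in post #1 are meant to enforce, and why post #2's point about sloppy checks matters: @referers is matched against the host of HTTP_REFERER exactly rather than as a substring of the whole URL, @recipients is matched with anchored, quotemeta-escaped patterns so a recipient cannot be widened by regex metacharacters, and env_report only ever emits variables listed in @valid_ENV. The fill_recipients here is my own simplified re-implementation, not FormMail's; the addresses, IP and environment values are constructed sample data.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allowlists as an installer would set them (constructed sample values).
my @referers   = ('scriptarchive.com', '199.224.80.134');
my @recipients = fill_recipients('edserve@penn.com', 'penn.com');
my @valid_ENV  = ('REMOTE_HOST', 'REMOTE_ADDR', 'REMOTE_USER',
                  'HTTP_USER_AGENT', 'HTTP_REFERER');

# Turn plain addresses/domains into anchored regexes (hypothetical helper,
# not FormMail's own fill_recipients). quotemeta stops '.' in a domain
# from matching any character.
sub fill_recipients {
    my @patterns;
    foreach my $entry (@_) {
        if ($entry =~ /@/) {
            push @patterns, '^' . quotemeta($entry) . '$';        # exact address
        } else {
            push @patterns, '^[^@\s]+@' . quotemeta($entry) . '$'; # any user at domain
        }
    }
    return @patterns;
}

# Referer check: compare the host part of the URL to the allowlist exactly.
# A missing or unparsable Referer is refused here.
sub referer_allowed {
    my ($referer) = @_;
    return 0 unless defined $referer;
    my ($host) = $referer =~ m{^https?://([^/:?#]+)}i;
    return 0 unless defined $host;
    foreach my $allowed (@referers) {
        return 1 if lc($host) eq lc($allowed);
    }
    return 0;
}

# Recipient check: the form-supplied address must match an allowlist pattern
# before it is ever handed to sendmail.
sub recipient_allowed {
    my ($addr) = @_;
    return 0 unless defined $addr;
    foreach my $pat (@recipients) {
        return 1 if $addr =~ /$pat/;
    }
    return 0;
}

# env_report filter: report only names present in @valid_ENV, whatever the
# form asked for. $requested is an arrayref of names, $env a hashref like %ENV.
sub report_env {
    my ($requested, $env) = @_;
    my %ok = map { $_ => 1 } @valid_ENV;
    my @lines;
    foreach my $name (@$requested) {
        next unless $ok{$name};
        push @lines, "$name: " . (defined $env->{$name} ? $env->{$name} : '');
    }
    return @lines;
}

# Constructed sample request environment.
my %sample_env = (
    HTTP_REFERER    => 'http://199.224.80.134/contact.html',
    REMOTE_ADDR     => '203.0.113.5',
    HTTP_USER_AGENT => 'Mozilla/5.0 (constructed)',
    PATH            => '/usr/bin',   # never reported: not in @valid_ENV
);

foreach my $r ('http://199.224.80.134/contact.html',
               'http://199.224.80.134.example.net/',   # host differs, refused
               'http://scriptarchive.com.attacker.test/contact.html') {
    printf "referer %-55s -> %s\n", $r, referer_allowed($r) ? 'allowed' : 'refused';
}

foreach my $a ('edserve@penn.com', 'webmaster@penn.com',
               'someone@penncom', 'edserve@penn.com,other@example.test') {
    printf "recipient %-40s -> %s\n", $a, recipient_allowed($a) ? 'allowed' : 'refused';
}

print "$_\n" for report_env(['REMOTE_ADDR', 'PATH', 'HTTP_REFERER'], \%sample_env);
```

Run it with `perl formmail_checks.pl`; no web server is needed. The design choice worth noticing is that every check is an allowlist with exact or anchored matching: the host is compared whole, the recipient pattern is bracketed by `^` and `$`, and env_report looks names up in a hash built from @valid_ENV instead of trusting the form. Those are the properties the historical FormMail fixes credited in the script header were restoring.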