mysterious line in my script - what does it all mean?

Mumia W. (on aioe)

Well,
The RFCs for SMTP detail the SMTP protocol, which includes the format of
the headers.
The headers should terminate with CRLF.
Modules like Mail::Sender should adhere to the SMTP protocol defined in
the RFCs.

With those 3 points in mind, it would *seem* to me that if I set
Mail::Sender's 'from' = "(e-mail address removed)\nCC: (e-mail address removed)",
Mail::Sender should either:
generate an error,
use the 'from' value in its entirety as the 'from' header,
truncate after the first newline,
or everything past newline is ignored when creating the SMTP commands.

I installed Mail::Sender just to test this.

No matter what, it's dangerous to not validate input. Getting
Mail::Sender to spam unintended recipients is more difficult, but it is
possible.

In the case of Maxwells' original program, the spammer's primary target
would be sendmail. In the case of a program that uses Mail::Sender
without validation, the spammer's primary target would be SMTP.

What I mean to say by this is that, in one case, the CGI parameter "s"
is set to something that is likely to be (mis)interpreted by sendmail,
and in the second case, "s" is set to something that is likely to be
misinterpreted by a SMTP server.

My choice would be to use the 'from' value in its entirety as the 'from'
header. IMO, sendmail should never be called via CGI, which would also
prevent 2000-byte binaries from causing sendmail to crash, leaving
shells left open.

I also believe that if we are to get the upper leg on the spammers, we
can not leave the responsibility in the hands of the programmer - as you
state, programmers can be stupid FTTT.

Huh? All of the software we're talking about has been written by
programmers: Perl, sendmail (or exim), Mail::Sender, and Maxwells'
script were all written by programmers. The solution to spam /will/
involve programmers (as well as law enforcement).

Perhaps you might want to argue /which/ programmers will have the most
responsibility. I'm not in a mood to begin trying to think about that
right now; a programmer is responsible for his or her program. And I
have proven to myself that I can't simply trust Mail::Sender, because it
allows some pretty interesting things to get down to the SMTP level.
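
An added example, not part of the original thread and not code from Mail::Sender or from any poster: one way to reject a 'from' value like the one discussed above before it reaches any mailer. The helper names check_header_value and check_address are hypothetical, the sample inputs are constructed, and the address pattern is a deliberately strict simplification rather than a full RFC 5322 parser.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# A single-line header value must not contain CR, LF or any other
# control character, otherwise it can start a new header line.
sub check_header_value {
    my ($name, $value) = @_;
    die "$name: missing value\n" unless defined $value && length $value;
    die "$name: control character in value\n" if $value =~ /[\x00-\x1F\x7F]/;
    die "$name: value too long\n" if length($value) > 255;  # arbitrary cap
    return $value;
}

# Strict single-address check (a simplification): exactly one "@", no
# whitespace, brackets, commas, semicolons or colons. \A and \z anchor the
# whole string; "$" would still accept a trailing newline.
sub check_address {
    my ($name, $value) = @_;
    check_header_value($name, $value);
    die "$name: not a single plain address\n"
        unless $value =~ /\A[^\s\@<>,;:]+\@[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?\z/;
    return $value;
}

# Constructed sample inputs, as a form parameter might deliver them.
my @samples = (
    "alice\@example.com",
    "alice\@example.com\nCC: bob\@example.net",     # the case from the post
    "alice\@example.com\r\nBcc: bob\@example.net",
    "alice\@example.com, bob\@example.net",
);

for my $input (@samples) {
    # Make CR and LF visible when printing the input.
    (my $shown = $input) =~ s/\r/\\r/g;
    $shown =~ s/\n/\\n/g;
    my $ok = eval { check_address('from', $input); 1 };
    if ($ok) {
        print "accepted: $shown\n";
    }
    else {
        my $err = $@;
        chomp $err;
        print "rejected: $shown ($err)\n";
    }
}
```

Only the first sample is accepted; the two newline cases fail the control-character check and the comma-separated list fails the single-address pattern.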
 

Ian Wilson

This is my script, a simple mailer which is accessed by AJAX. It
receives a POST with the contents of a two-element form:

<insecure mailer script omitted>

I don't know what your script does exactly, but have you considered
using a well scrutinized and tested script such as NMS FormMail?

http://nms-cgi.sourceforge.net/scripts.shtml

If you can use it in place of what you have at the moment, it will
almost certainly deal with security much better than anything the
average perl programmer can come up with (without a *lot* of hard work
and testing).
 

Ian Wilson

Josef said:
With all due respect, but this is not quite justified.
There is nothing in maxwells post that implies that his script will be
accessible from the outside. It could very well be that he will be
running it inside his private network or within the intranet of his
school/company.

However it might be embarrassing for maxwells if some joker in his
company used maxwells's mailform to send a rude mail To: CEO; From:
maxwells.
 

maxwells

I don't know what your script does exactly, but have you considered
using a well scrutinized and tested script such as NMS FormMail?

http://nms-cgi.sourceforge.net/scripts.shtml

Thanks for the tip Ian - I am going to install that and check it out

I would never have imagined that a little bug in my Perl script
would have started such an interesting discussion

Thanks to everybody who has contributed - as I wrote earlier, it has
been a learning experience
 

Randal L. Schwartz

Josef> With all due respect, but this is not quite justified.

Josef> There is nothing in maxwells post that implies that his script will be
Josef> accessible from the outside.

"outside" no longer exists. With all the stupid people leaving their
infected Windows boxes running 24-7, we now have millions of "owned"
zombie machines all over the net, including *inside* many corporate and
school firewalls.

Plus, the bigger problem is that unless the issue is RAISED with THIS SCRIPT,
others will take it as a model, and use it in a much more public place.
And that will compound the problem.

Consider this script a virus. Consider me the inoculation. :)

Let me make this perfectly clear in this thread.

DO NOT USE THIS SCRIPT. DOESN'T MATTER IF YOU'RE INSIDE OR OUTSIDE
A "FIREWALL".

It's so *easy* to do it *right*. No point in doing it *wrong*.

{sigh}

print "Just another Perl hacker,"; # the original
 

Paul Lalli

Jürgen Exner said:
What exactly is the difference? Didn't the programmer write the code?

Poor choice of words on my part. I meant something along the lines of
a problem with the programmer's logic, not a failure of the language.

Paul Lalli
 
