RE: Secure Form Script?

From: Glynn Clements (glynn.clements_at_virgin.net)
Date: 05/20/04

    Date: Wed, 19 May 2004 23:28:24 +0100
    To: Beth Skwarecki <beth@cz-na.com>
    
    

    Beth Skwarecki wrote:

    > 2) HOWEVER, it's silly to be using sendmail at all, in most cases. This
    > is what the perl module Mail::Sendmail is for. You give it a hash with
    > all the headers you want to send, and it sends directly (it is *not* a
    > wrapper around the sendmail binary; it works on all platforms, even
    > when sendmail is not installed):

    There isn't any mechanism for sending mail which will work on *all*
    platforms. Although executing "sendmail" and feeding it the message on
    stdin is likely to work for almost any Unix system which is actually
    capable of sending mail.

    > http://search.cpan.org/~mivkovic/Mail-Sendmail-0.79/Sendmail.pm

    Looking at that, I see:

            DESCRIPTION

            Simple platform independent e-mail from your perl script. Only
            requires Perl 5 and a network connection.

    The "requires ... a network connection" part might actually be a
    genuine obstacle. It's a safe bet that a network connection that goes
    no further than the firewall isn't likely to suffice.

    Also:

            LIMITATIONS

            ...

            No support for the SMTP AUTH extension.

    Again, this could be a genuine obstacle in many situations. It's quite
    common for direct outbound connections to be blocked (even from a web
    server), requiring the use of a specific proxy (e.g. for content
    filtering) which may well require the use of SMTP AUTH.

    This is, in large measure, why simply feeding the message to
    /usr/lib/sendmail (or /usr/sbin/sendmail on some Linux systems) is
    often the most reliable option. Whatever specific requirements a site
    may have, if a sendmail binary (or script) exists, it's likely to be
    configured so as to meet them.

    Whilst a direct SMTP connection may be viable in many situations,
    there are others where it isn't. There are situations where it is
    necessary to invoke sendmail (although the issues would seem to apply
    equally to any similar program), and so the question of how to do so
    safely is a valid one.

    Another of the limitations listed for Mail::Sendmail is:

            Headers are not encoded, even if they have accented characters.

    This suggests (I haven't examined the code) that the supplied strings
    *may* be dumped verbatim into the message. If that is the case, and
    you are using user-supplied values from an HTML form, be sure to
    sanitise them first. Otherwise, this could make it trivial for an
    attacker to generate malicious messages. If they can include CR/LF
    characters, they may be able to generate additional headers, as well
    as moving any subsequent headers into the message body.

    > CPAN is your friend. :)

    If I was a black-hat, I might agree with that statement;)

    As I said, I haven't examined the code. But then I'm not actually
    using it to allow anyone to send email from my webserver. Anyone who
    is planning on using it should definitely examine the code.

    -- 
    Glynn Clements <glynn.clements@virgin.net>
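    The two points Glynn makes above, that a form script which is stuck
    with invoking sendmail still has to do so safely, and that form
    values must not reach the headers unsanitised or an attacker who can
    smuggle CR/LF gets extra headers and a rewritten body, are shown
    together in the following added example. It is not code from the
    thread, from Mail::Sendmail or from any form script discussed here;
    it is written in Python rather than Perl so it needs nothing beyond
    the standard library. The address and header regexes, the header
    names, the www-data sender, the 200-character limit and the use of
    "--" to terminate sendmail's option list are this example's own
    assumptions.

```python
"""Added example: build a mail from HTML-form fields, refuse header
injection, and hand the message to the local sendmail binary on stdin
without involving a shell.  Not code from the mailing-list thread."""
import re
import shutil
import subprocess
from email.message import EmailMessage

# The two paths Glynn mentions; the first one that exists is used.
SENDMAIL_CANDIDATES = ("/usr/sbin/sendmail", "/usr/lib/sendmail")

# Any control character (CR and LF included) is rejected, not stripped:
# a stripped value can still surprise you, a rejected one cannot be
# folded into a second header line.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")

# Assumption: the form only needs to accept plain user@host addresses,
# so a deliberately strict shape is used rather than full RFC 5322 syntax.
_ADDR = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


class HeaderInjection(ValueError):
    """Raised for any form value that must not be placed in a header."""


def clean_header_value(value, max_len=200):
    """Return value unchanged if it is safe to use as a header value."""
    if not isinstance(value, str):
        raise HeaderInjection("header value must be a string")
    if _CONTROL.search(value):
        raise HeaderInjection("control character in header value")
    if len(value) > max_len:
        raise HeaderInjection("header value too long")
    return value


def clean_address(addr):
    """Return addr unchanged if it is a single plain e-mail address."""
    if not isinstance(addr, str) or not _ADDR.match(addr):
        raise HeaderInjection("malformed e-mail address")
    return addr


def build_message(form, recipient, envelope_from="www-data@localhost"):
    """form: dict with 'name', 'email', 'subject', 'body' from the HTML form.
    Returns the message as bytes ready to be written to sendmail's stdin."""
    reply_to = clean_address(form.get("email", ""))
    name = clean_header_value(form.get("name", ""))
    subject = clean_header_value(form.get("subject", ""))
    msg = EmailMessage()
    msg["From"] = envelope_from          # fixed; never the visitor's address
    msg["To"] = clean_address(recipient) # fixed recipient, not a form field
    msg["Reply-To"] = reply_to
    msg["Subject"] = subject
    msg["X-Form-Name"] = name            # assumed header name for the example
    # The body may contain anything: EmailMessage emits the blank line that
    # separates it from the headers, so CR/LF here cannot create headers.
    msg.set_content(form.get("body", ""))
    return msg.as_bytes()


def sendmail_argv(sendmail_path, recipients):
    """argv for sendmail: recipients as separate arguments after '--' so a
    value beginning with '-' cannot become an option; '-i' keeps a line
    consisting of a lone '.' from ending the message early; '-t' is
    deliberately avoided because it reads recipients from the headers."""
    return [sendmail_path, "-i", "--"] + [clean_address(r) for r in recipients]


def send(form, recipient, sendmail_path=None):
    """Validate, build and hand off the message; raises on any failure."""
    path = sendmail_path or next(
        (p for p in SENDMAIL_CANDIDATES if shutil.which(p)), None)
    if path is None:
        raise RuntimeError("no sendmail binary found")
    data = build_message(form, recipient)
    argv = sendmail_argv(path, [recipient])
    # A list argv and no shell=True: nothing the visitor typed is parsed by sh.
    proc = subprocess.run(argv, input=data, capture_output=True, timeout=60)
    if proc.returncode != 0:
        raise RuntimeError(f"sendmail exited {proc.returncode}: {proc.stderr!r}")


if __name__ == "__main__":
    # Constructed sample input; the second one carries a Bcc injection
    # attempt in the Subject field and is rejected before anything is sent.
    ok = {"name": "Alice", "email": "alice@example.org",
          "subject": "Hello", "body": "Hi there.\n"}
    print(build_message(ok, "webmaster@example.net").decode())
    try:
        build_message(dict(ok, subject="Hello\r\nBcc: victim@example.com"),
                      "webmaster@example.net")
    except HeaderInjection as e:
        print("rejected:", e)
```

    The recipient is fixed in the script rather than taken from the form,
    and the visitor's address goes into Reply-To rather than From or the
    envelope sender, so the script cannot be turned into an open relay
    even if the header checks were somehow bypassed.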
    
