  1. #1
    Member webfeatus's Avatar
    Join Date
    Jul 2003
    Location
    Bali
    Posts
    37

    form-to-email: What is acceptable?

    I have been informed:

    "All versions of formail.pl and respective variants (clones, cgimail etc.) except those explicitly released by the CPanel Group are hereby banned. ALL versions are hackable."

    So what scripts are OK?

    I recently changed all my scripts to NMS_FormMail.

    I believe this to be secure. It is a project in process, updated regularly. (nms)

    What is "explicitly released by the CPanel"?
    Last edited by webfeatus; 09-05-2003 at 12:30 PM.

  2. #2
    Member Stefaans's Avatar
    Join Date
    Mar 2002
    Location
    Vancouver, Canada
    Posts
    445


    We also recommend the NMS formmail scripts to our clients for the exact reason you mention -- it's an ongoing project. And also because they have a couple of other scripts that even beginners find easy enough to implement.

    The reference to scripts released by cPanel will be to the ones that reside in /usr/local/cpanel/cgi-sys. Your httpd.conf automatically enables them for all domains on your server in the form of www.anydoamin.com/cgi-sys.


  3. #3
    Member
    Join Date
    Aug 2002
    Posts
    1,052


    I agree with both of you, NMS is the way to go for sure.


    The rest of those who have gone before us cannot steady the unrest of those to follow.

  4. #4
    Member webfeatus's Avatar
    Join Date
    Jul 2003
    Location
    Bali
    Posts
    37


    So is NMS "hackable"?

    Of course, just about everything is.

    However, I believe that the limitation that NMS provides in terms of the number of recipients that an email should be delivered to would prevent mass email spamming.

    Maybe this variable can be hacked in the script itself.

    Anyone know?

  5. #5
    Member
    Join Date
    Mar 2002
    Location
    Alberta, Canada
    Posts
    1,509


    This is what I mention to my Clients:

    ---
    Any Form script that requires the use of this type coding:

    <input type="hidden" name="recipient" value="someone@yourdomain.com">

    is old fashioned and outdated. Also makes it very easy for Spam Bots to grab the listed eMail address for inclusion on many, many Spammer's Lists—and we're on enough of those already.

    Instead, we direct you to using a much better Form script called JunkStop, which is also freely available. An added advantage is to take the extra step of "renaming the form script" so it is much harder for anyone to find.
    ---

    As "NMS" uses the above type coding, I could not recommend it to anyone. Form scripts today should always have the eMail addresses in a separate location that can be accessed only by the script itself.

    JunkStop may not be as easy -- for beginners to use -- as some others, but if I have to choose between security and ease-of-use, security gets my vote.

    Helping people Host, Create, and Maintain their Web Site
    Also providing Server Admin Services - setup / troubleshooting

    http://potentproducts.com/

  6. #6
    Member webfeatus's Avatar
    Join Date
    Jul 2003
    Location
    Bali
    Posts
    37


    Point taken.
    And thanks for the tip about JunkStop.

    However "cPanel advocated" www.anydoamin.com/cgi-sys also uses this coding. So my question is:
    "How is the above (cPanel) script any more secure than nms?"
    Last edited by webfeatus; 09-05-2003 at 10:01 PM.

  7. #7
    Member
    Join Date
    Mar 2002
    Location
    Alberta, Canada
    Posts
    1,509


    Not sure what your question is?

    What "cPanel advocated" or who informed you on not using any version of formail.pl, is where I get lost.

    The script I suggested has the basic security features every form script should have; hidden eMail addresses, input verification and @referers qualifier.

    Helping people Host, Create, and Maintain their Web Site
    Also providing Server Admin Services - setup / troubleshooting

    http://potentproducts.com/

  8. #8
    Member PWSowner's Avatar
    Join Date
    Nov 2001
    Location
    ON, Canada
    Posts
    2,994


    Originally posted by Website Rob
    Any Form script that requires the use of this type coding:

    <input type="hidden" name="recipient" value="someone@yourdomain.com">

    is old fashioned and outdated. Also makes it very easy for Spam Bots to grab the listed eMail address for inclusion on many, many Spammer's Lists—and we're on enough of those already.

    I fully agree. I think that's one of the main things that make it easy for spammers to use the script. About a year ago I decided to just make my own script with various safety features. The biggest one being that the recipient email is in the script, not the html page. Clients are shown in clear and easy instructions how to change the email address if they want to.

    All spammers can do with my script is send 1 email to the client.

    Mike
    WHM and cPanel Scripts (join our "Scripts Club")
    D/A Photography

  9. #9
    Member Stefaans's Avatar
    Join Date
    Mar 2002
    Location
    Vancouver, Canada
    Posts
    445


    Originally posted by Website Rob
    Any Form script that requires the use of this type coding:

    <input type="hidden" name="recipient" value="someone@yourdomain.com">

    is old fashioned and outdated. Also makes it very easy for Spam Bots to grab the listed eMail address for inclusion on many, many Spammer's Lists—and we're on enough of those already.

    Excellent point. The NMS script has a feature called recipient_alias that addresses this exact problem. Whether people actually use it, is another question.

    Originally posted by Webfeatus
    However, I believe that the limitation that NMS provides in terms of the number of recipients that an email should be delivered to would prevent mass email spamming.

    Another important point made. The default setting in NMS (as likely used by most beginners) makes me feel OK about this script.

    I haven't even bothered to check the cPanel formmail script. Does it offer any of these "security" features?

    The first time ever I noticed the cPanel scripts was when people complained about its vulnerabilities. I disabled it immediately and it's still that way today.

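The safeguards the posts above discuss (recipient address kept on the server behind an alias, a cap on the number of recipients, input verification, a referer filter), as an added Python example that is not part of the thread and is not the NMS, JunkStop or cPanel code. The alias table, host names, sender address and function names are assumptions made for the example.

```python
import re
from email.message import EmailMessage
from urllib.parse import urlsplit

# Assumed server-side settings; the HTML form never contains a real address.
RECIPIENT_ALIAS = {"sales": "sales@example.com", "support": "support@example.com"}
MAX_RECIPIENTS = 1                      # one alias per submission
ALLOWED_REFERER_HOSTS = {"example.com", "www.example.com"}
EMAIL_RE = re.compile(r"[^@\s,;<>]+@[^@\s,;<>]+\.[^@\s,;<>]+")


class Rejected(Exception):
    """The submission failed a check and no mail is built."""


def resolve_recipients(field):
    """Map submitted alias names to addresses held only on the server."""
    aliases = [a.strip() for a in field.split(",") if a.strip()]
    if not aliases or len(aliases) > MAX_RECIPIENTS:
        raise Rejected("recipient count not allowed")
    if any(a not in RECIPIENT_ALIAS for a in aliases):
        raise Rejected("unknown recipient alias")   # raw addresses land here
    return [RECIPIENT_ALIAS[a] for a in aliases]


def clean_header(value, limit=200):
    """Refuse CR/LF so a field cannot smuggle in extra headers such as Bcc."""
    if "\r" in value or "\n" in value or len(value) > limit:
        raise Rejected("illegal header value")
    return value.strip()


def build_message(form, referer):
    # Referer is sent by the client and can be forged: a filter, not a control.
    if urlsplit(referer).hostname not in ALLOWED_REFERER_HOSTS:
        raise Rejected("form not hosted on an allowed site")
    to = resolve_recipients(form.get("recipient", ""))
    reply_to = clean_header(form.get("email", ""))
    if not EMAIL_RE.fullmatch(reply_to):
        raise Rejected("bad sender address")
    msg = EmailMessage()
    msg["From"] = "webform@example.com"
    msg["To"] = ", ".join(to)
    msg["Reply-To"] = reply_to
    msg["Subject"] = clean_header(form.get("subject", "Web form"))
    msg.set_content(form.get("message", ""))
    return msg
```

With this layout the form carries only `<input type="hidden" name="recipient" value="sales">`, so neither a harvesting bot nor a forged submission ever sees or chooses a real address.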
