form-to-email What is acceptable?

Discussion in 'E-mail Discussions' started by webfeatus, Sep 5, 2003.

  1. webfeatus

    I have been informed:

    "All versions of formail.pl and respective variants (clones, cgimail etc.) except those explicitly released by the CPanel Group are hereby banned. ALL versions are hackable."

    So what scripts are OK?

    I recently changed all my scripts to NMS_FormMail.

    I believe this to be secure. It is a project in process, updated regularly. (nms)

    What is "explicitly released by the CPanel"?
     
    #1 webfeatus, Sep 5, 2003
    Last edited: Sep 5, 2003
  2. Stefaans

    We also recommend the NMS formmail scripts to our clients for the exact reason you mention -- it's an ongoing project. And also because they have a couple of other scripts that even beginners find easy enough to implement.

    The reference to scripts released by cPanel will be to the ones that reside in /usr/local/cpanel/cgi-sys. Your httpd.conf automatically enables them for all domains on your server in the form of www.anydoamin.com/cgi-sys.

  3. ciphervendor

    I agree with both of you, NMS is the way to go for sure.

  4. webfeatus

    So is NMS "hackable"?

    Of course, just about everything is.

    However, I believe that the limitation that NMS provides in terms of the number of recipients an email should be delivered to would prevent mass email spamming.

    Maybe this variable can be hacked in the script itself.

    Anyone know?
     
  5. Website Rob

    This is what I mention to my Clients:

    ---
    Any Form script that requires the use of this type coding:

    <input type="hidden" name="recipient" value="someone@yourdomain.com">

    is old fashioned and outdated. Also makes it very easy for Spam Bots to grab the listed eMail address for inclusion on many, many Spammer's Lists—and we're on enough of those already.

    Instead, we direct you to using a much better Form script called JunkStop, which is also freely available. An added advantage is to take the extra step of "renaming the form script" so it is much harder for anyone to find.
    ---

    As "NMS" uses the above type coding, I could not recommend it to anyone. Form scripts today should always have the eMail addresses in a separate location that can be accessed only by the script itself.

    JunkStop may not be as easy -- for beginners to use -- as some others, but if I have to choose between security and ease-of-use, security gets my vote. :)

  6. webfeatus

    Point taken.
    And thanks for the tip about JunkStop.

    However "cPanel advocated" www.anydoamin.com/cgi-sys also uses this coding. So my question is:
    "How is the above (cPanel) script any more secure than nms?"
     
    #6 webfeatus, Sep 5, 2003
    Last edited: Sep 5, 2003
  7. Website Rob

    Not sure what your question is?

    What "cPanel advocated" or who informed you on not using any version of formail.pl, is where I get lost.

    The script I suggested has the basic security features every form script should have; hidden eMail addresses, input verification and @referers qualifier.

  8. PWSowner

    I fully agree. I think that's one of the main things that make it easy for spammers to use the script. About a year ago I decided to just make my own script with various safety features. The biggest one being that the recipient email is in the script, not the html page. Clients are shown in clear and easy instructions how to change the email address if they want to.

    All spammers can do with my script is send 1 email to the client.

  9. Stefaans

    Excellent point. The NMS script has a feature called recipient_alias that addresses this exact problem. Whether people actually use it, is another question.

    Another important point made. The default setting in NMS (as likely used by most beginners) makes me feel OK about this script.

    I haven't even bothered to check the cPanel formmail script. Does it offer any of these "security" features?

    The first time ever I noticed the cPanel scripts was when people complained about its vulnerabilities. I disabled it immediately and it's still that way today ;)
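
Added example, not part of the thread and not code from NMS FormMail, JunkStop or the cPanel scripts: a Python form handler applying the three checks the posts above name (recipient resolved server-side from an alias, input verification, referer allowlist). The alias table, hostnames, field names other than `recipient`, and function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed configuration (constructed): the form sends only a short alias;
# the real addresses never appear in the HTML page.
RECIPIENT_ALIASES = {"sales": "sales@example.com", "support": "support@example.com"}
ALLOWED_REFERER_HOSTS = {"example.com", "www.example.com"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MAX_BODY = 5000

class Rejected(Exception):
    """Raised when a submission fails a check; nothing is sent."""

def clean_header(value, limit=200):
    # CR/LF in a header value would let the submitter append Bcc:/Cc: lines.
    if "\r" in value or "\n" in value or len(value) > limit:
        raise Rejected("bad header value")
    return value.strip()

def build_message(form, referer):
    # Referer is sent by the client and can be forged, so this only stops
    # other sites' pages from posting to the script; it is not authentication.
    try:
        host = urlsplit(referer or "").hostname
    except ValueError:                      # malformed URL
        host = None
    if host not in ALLOWED_REFERER_HOSTS:
        raise Rejected("referer not allowed")
    alias = form.get("recipient", "")
    if alias not in RECIPIENT_ALIASES:      # a literal address is never accepted
        raise Rejected("unknown recipient")
    reply_to = clean_header(form.get("email", ""))
    if not EMAIL_RE.fullmatch(reply_to):
        raise Rejected("bad sender address")
    return {"To": RECIPIENT_ALIASES[alias],  # exactly one fixed recipient
            "Reply-To": reply_to,
            "Subject": clean_header(form.get("subject", "Web form")),
            "body": form.get("message", "")[:MAX_BODY]}

if __name__ == "__main__":
    good = {"recipient": "sales", "email": "visitor@example.org",
            "subject": "Quote", "message": "Please call me."}
    page = "https://www.example.com/contact.html"
    print(build_message(good, page))
    for bad in ({**good, "recipient": "a@x.test,b@y.test"},
                {**good, "subject": "Hi\r\nBcc: list@x.test"}):
        try:
            build_message(bad, page)
        except Rejected as err:
            print("rejected:", err)
```

With this layout the matching form field becomes `<input type="hidden" name="recipient" value="sales">`, so the page exposes no address for harvesting and a submission can reach only the one configured mailbox.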
