Greetings all,

I am directing this message to the developer's list because I strongly
suspect that it may require some new development.

I am working with many major web hosting companies to try to put a lid
on the FormMail spam problem.  With regards to this it would be most
helpful if I could get Apache, which already has code to parse and
analyze Apache configuration files, to simply spit out a list of all
of the CGI-enabled directories that are specified in a given http.conf
file to, say, stdout.

Background:

As many of you may already know, there is this script called FormMail.pl
that was written by a fellow named Matt Wright.  It is a free CGI script
used to process simple "contact us" type HTML form data, turning it into
a mail message.

Unfortunately, most versions of this script are subject to trivial
hijacking by spammers to send spam, and spammer exploitation of these
scripts, which are installed at thousands of locations all over the
world, is now rampant.  (If you have ever gotten a spam that contained
the phrase "Below is the result of your feedback form" then you have
been spammed via a hijacked FormMail script.)

Most sites and web hosting companies _do_ want to eliminate these
exploitable FormMail scripts from their web servers, but when you are a big
web hosting company with thousands of virtually-hosted web sites, the task of
just finding the bad scripts in your filesystem isn't terribly easy.  In
fact it can get downright convoluted.

The first step in finding all such scripts however may often be the most
difficult one.  That first step consists of simply gathering into one
big list a list of all of the CGI-enabled directories on the local web
server.  Once such a list has been compiled, other standard UNIX tools
such as `find' and `file' and `grep' can be set to work, plowing through
all of the files in those (CGI) directories and finding all of the bad
FormMail scripts.

This latter part of the process is something that I (and/or others) can
easily write a shell or Perl script to perform.  It is the initial part
of the process... finding and listing all CGI-enabled directories... that
remains problematic.

Now in theory, I _could_ write my own parser/analyzer for httpd.conf files,
and then use that to fish out the list of CGI-enabled directories, but as
with all good programmers, I'm lazier than a one-legged dog, and I don't
have any desire to re-invent the wheel here.  Apache itself clearly already
contains something that knows perfectly how to parse and analyze http.conf
files, so I really would just like to leverage off that and get Apache's
own config file parser/analyzer to spit out the list of CGI-enabled
directories that I need.  That seems to be the shortest route to success,
but I am not fundamentally an Apache hacker, so I thought that I would
just take a shot in the dark, wander in here and beg for some help, and
hope that someone who _is_ an experienced Apache hacker would take pity
on me and volunteer to help with this very noble and worthy cause.

Well, I can dream can't I? :-)

But seriously, is there already a way to do what I need to do with the
Apache server?  Looking at the command line options on the man page for
httpd, there doesn't seem to be an option to request httpd to just parse
the config file, list the CGI directories, and then exit.  But that's
exactly what I need.

So, any volunteers?

It really is a worthy cause.  If you can help, please do.


Regards,
Ron Guilmette


P.S.  Note that FormMail is far from the only dangerous CGI script that
a big web hosting company might find that some of its less-clued end lusers
may have uploaded and installed into CGI-enabled directories.  And the
overall comprehensive search process that I'm trying to develop could
be (and arguably should be) applied to searching for other dangerous CGI
scripts too.

I just mention that fact in order to underscore the point that the kind
of new Apache feature I'm hoping for here would have general applicability
to a larger set of problems than just the FormMail problem.  Listing of the
CGI-enabled directories is really a generic facility that Apache really
ought to provide.
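
A sketch of the listing step the message asks for, added here as an example; it is not code from the original message or from Apache. It reports only `ScriptAlias` targets and `<Directory>` sections whose `Options` line enables `ExecCGI` (or `All`), it does not follow `Include` files, `.htaccess` overrides or handler directives, and the sample configuration and its paths are constructed.

```python
import re
import shlex

# Constructed sample configuration (not from the original message).
SAMPLE_CONF = '''
ServerRoot "/usr/local/apache"
ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"
<Directory "/home/alice/public_html">
    Options Indexes +ExecCGI
    AddHandler cgi-script .cgi .pl
</Directory>
<Directory /home/bob/public_html>
    Options Indexes FollowSymLinks
</Directory>
<VirtualHost *:80>
    # ScriptAlias /old/ /srv/old-cgi/
    ScriptAlias /scripts/ /srv/www/example/scripts/
    <Directory /srv/www/example/tools>
        Options ExecCGI
    </Directory>
</VirtualHost>
'''

def cgi_directories(conf_text):
    """Return the sorted directories that the config text marks as CGI-enabled."""
    found = set()
    stack = []  # paths of the enclosing <Directory> sections
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        m = re.match(r"<Directory\s+(.+?)\s*>$", line, re.I)
        if m:
            stack.append(m.group(1).strip('"'))
            continue
        if re.match(r"</Directory\s*>$", line, re.I):
            del stack[-1:]  # safe even if the file is unbalanced
            continue
        words = shlex.split(line)  # honours quoted arguments
        name = words[0].lower()
        if name == "scriptalias" and len(words) == 3:
            found.add(words[2].rstrip("/") or "/")
        elif name == "options" and stack:
            if any(w.lstrip("+").lower() in ("execcgi", "all") for w in words[1:]):
                found.add(stack[-1].rstrip("/") or "/")
    return sorted(found)

if __name__ == "__main__":
    print("\n".join(cgi_directories(SAMPLE_CONF)))
```

The printed list, one directory per line, can be fed to the `find' and `grep' pass described in the message.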
