Evil spammers can hijack your FormMail script and use it to send out thousands of spam emails. The worst part is that everybody will think it is YOU sending the spam. Your website will be closed down before you even have the chance to defend yourself. More information on this new spam technique can be found HERE.
The code below (shown in red) is an unofficial patch for FormMail, a commonly used form-to-email CGI script, available for download from Matt's Script Archive, Inc.:
http://www.worldwidemart.com/scripts/
Patch Code:
##################################################
# Refuse the submission unless the recipient that &parse_form; just read
# from the form is exactly the address hard-coded here. The backslash
# before the @ is required inside a double-quoted Perl string.
if ($Config{'recipient'} ne "yourName\@emailaddress.com") {
    print "Content-type: text/html\r\n\r\n";
    print "<html><h1><center> Hijacking of scripts is ILLEGAL!<br> Your
ip address, $ENV{'REMOTE_ADDR'} has been recorded,
<br> as well as the date and time.</center> </h1></html>";
    exit(0);
}
########## Patch by Aaron Bazar http://ctssn.com #############
Instructions:
- Either FTP to your website and download your existing FormMail script so you can edit it, or go to http://www.worldwidemart.com/scripts/ and download a new one.
- Follow all setup instructions given with FormMail. However, before you put the script on your site, finish the patch process.
- Copy and paste the patch code (in red above) into your FormMail script. The patch code MUST be placed in the correct location within FormMail: put it after "&parse_form;" but before "# Check Required Fields". There is an example below.
- EDIT the first line of the patch code to match YOUR email address. This is the email address at which you would like to receive the forms. Note: you MUST have a backslash (\) before the "@" sign in the email.
- Save your work.
- Put the script back on your site, replacing the original FormMail script.
- Test your website's form to make sure it still works. After that, test the security patch by testing the exploit again.
Keep in mind that you will no longer be able to change the recipient field in your submission form's code without changing the script to match it. You will need to change it in the FormMail script (again, the email address in the patch code above). The email you list as a recipient in your form will HAVE to match the script's email.
One last note. CTSSN.com has NO association with FormMail's developers and this fix comes with NO warranty. For absolute security, unplug your computer and do not go on the internet.
The following is a demonstration of how to change the code:
BEFORE YOUR CHANGE:
.
.
.
.
# Check Referring URL
&check_url;
# Retrieve Date
&get_date;
# Parse Form Contents
&parse_form;
# Check Required Fields
&check_required;
# Return HTML Page or Redirect User
&return_html;
# Send E-Mail
&send_mail;
AFTER YOUR CHANGE:
.
.
.
# Check Referring URL
&check_url;
# Retrieve Date
&get_date;
# Parse Form Contents
&parse_form;
##################################################
# Refuse the submission unless the recipient read by &parse_form;
# is exactly the hard-coded address.
if ($Config{'recipient'} ne "yourName\@emailaddress.com") {
    print "Content-type: text/html\r\n\r\n";
    print "<html><h1><center> Hijacking of scripts is ILLEGAL!<br> Your
ip address, $ENV{'REMOTE_ADDR'} has been recorded,
<br> as well as the date and time.</center> </h1></html>";
    exit(0);
}
########## Patch by Aaron Bazar http://ctssn.com ##############
# Check Required Fields
&check_required;
# Return HTML Page or Redirect User
&return_html;
# Send E-Mail
&send_mail;
.
.
.
.
.
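The patch above accepts exactly one hard-coded address. As an added example (not part of the original page or of FormMail itself), the same check generalised to an allowlist: it handles a comma-separated recipient field, ignores case and stray whitespace, refuses an empty field, and refuses a submission as soon as any one address is off the list, so a hijacker cannot pad a good address with a bad one. The addresses are hypothetical placeholders; recipient_allowed() is the function that would replace the "ne" test at the same spot in FormMail.

```perl
#!/usr/bin/perl -w
use strict;

# Mailboxes this form is allowed to deliver to (hypothetical placeholders,
# replace with your own). Stored lower-cased so the lookup is case-insensitive.
my %allowed_recipient = map { lc($_) => 1 } (
    'webmaster@example.com',
    'sales@example.com',
);

# Returns 1 if every address in the (possibly comma-separated) recipient
# field is on the allowlist, 0 otherwise. Empty or blank fields are refused.
sub recipient_allowed {
    my ($field) = @_;
    return 0 unless defined $field && $field =~ /\S/;
    for my $addr (split /,/, $field) {
        $addr =~ s/^\s+|\s+$//g;                 # trim surrounding whitespace
        return 0 unless exists $allowed_recipient{ lc $addr };
    }
    return 1;
}

# In FormMail the check sits after &parse_form; and before # Check Required Fields:
#
#   unless (recipient_allowed($Config{'recipient'})) {
#       warn "FormMail: refused recipient '$Config{'recipient'}' from $ENV{'REMOTE_ADDR'}\n";
#       print "Content-type: text/plain\r\n\r\nSubmission refused.\n";
#       exit(0);
#   }
#
# The warn() goes to STDERR, which the web server appends to its error log, so the
# remote address really is recorded rather than merely claimed in the HTML reply.

# Constructed sample values standing in for $Config{'recipient'}.
my @constructed = (
    'webmaster@example.com',                           # allowed
    ' Sales@Example.com , webmaster@example.com',      # allowed: case/space ignored
    'victim@somewhere.invalid',                        # REFUSED: hijack attempt
    'webmaster@example.com,victim@somewhere.invalid',  # REFUSED: one bad address
    '',                                                # REFUSED: empty field
);
for my $field (@constructed) {
    printf "%-50s %s\n", "'$field'", recipient_allowed($field) ? 'allowed' : 'REFUSED';
}
```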