Posted to users@httpd.apache.org by Alex Pilson <al...@flagshipinteractive.com> on 2002/12/02 17:34:10 UTC

[users@httpd] FormMail.pl / cgi-bin?

I have FormMail in a directory called CGI-Excutables directory. I 
have /cgi-bin/ alias to this directory as the default. I seem to have 
permissions set up properly but going to a virtual domain site like 
http://www.mydomain.com/cgi-bin/FormMail.pl

yields a permission error:
You don't have permission to access /cgi-bin/FormMail.pl on this server.

Any ideas what I am missing here?
-- 
<--------------------------------------------------------------->
     Alex Pilson
     FlagShip Interactive, Inc.
     alex@flagshipinteractive.com
     404.728.4417
     404.642.8225 CELL
<--------------------------------------------------------------->

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] FormMail.pl / cgi-bin?

Posted by Alex Pilson <al...@flagshipinteractive.com>.
At 6:06 PM +0100 12/2/02, Sander Holthaus - Orange XL wrote:
>You should post some more info on your current configuration. Also, what
>does your error-log say? Your error-log will probably say exactly what the
>problem is.

I am going to look now.

>
>Off-topic but VERY IMPORTANT:
>  a) Certain versions of FormMail are exploitable. Are you sure you have the
>latest version?

Exactly my concern as well. This is for a client that doesn't want to 
pay for consultation; seems it would have been faster to re-code the 
form for PHP or Lasso now :). I normally use PHP or Lasso 5/6 for 
server-side stuff. I downloaded the latest one today from Matt.

>  b) If you are planning to use FormMail, rename it! There are many spambots
>who actively look for exploitable FormMail-scripts. EVEN if you have a
>secure version of FormMail, all those exploit requests to it will use
>valuable resources.

Great idea. Thanks! Very good information!
-- 
<--------------------------------------------------------------->
     Alex Pilson
     FlagShip Interactive, Inc.
     alex@flagshipinteractive.com
     404.728.4417
     404.642.8225 CELL
<--------------------------------------------------------------->



Re: [users@httpd] FormMail.pl / cgi-bin?

Posted by Sander Holthaus - Orange XL <in...@orangexl.com>.
You should post some more info on your current configuration. Also, what
does your error-log say? Your error-log will probably say exactly what the
problem is.

Off-topic but VERY IMPORTANT:
 a) Certain versions of FormMail are exploitable. Are you sure you have the
latest version?
 b) If you are planning to use FormMail, rename it! There are many spambots
who actively look for exploitable FormMail-scripts. EVEN if you have a
secure version of FormMail, all those exploit requests to it will use
valuable resources.

Kind Regards,
Sander Holthaus

----- Original Message -----
From: "Alex Pilson" <al...@flagshipinteractive.com>
To: <us...@httpd.apache.org>
Sent: Monday, December 02, 2002 5:34 PM
Subject: [users@httpd] FormMail.pl / cgi-bin?


> I have FormMail in a directory called CGI-Excutables directory. I
> have /cgi-bin/ alias to this directory as the default. I seem to have
> permissions set up properly but going to a virtual domain site like
> http://www.mydomain.com/cgi-bin/FormMail.pl
>
> yields a permission error:
> You don't have permission to access /cgi-bin/FormMail.pl on this server.
>
> Any ideas what I am missing here?
> --
> <--------------------------------------------------------------->
>      Alex Pilson
>      FlagShip Interactive, Inc.
>      alex@flagshipinteractive.com
>      404.728.4417
>      404.642.8225 CELL
> <--------------------------------------------------------------->
>
>
>
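
Added example (not part of the original thread): one way to measure the probing described above is to scan the Apache access log for requests naming FormMail-style scripts and see which ones reached a live script. The log lines are constructed, and the script names matched (formmail with .pl or .cgi, any case) are an assumption about what such bots request.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Assumed probe pattern: last path segment is formmail, formmail.pl or formmail.cgi.
PROBE_RE = re.compile(r'(?:^|/)formmail(?:\.(?:pl|cgi))?$', re.IGNORECASE)

def is_formmail_probe(target):
    """True if the request path (query stripped, percent-decoded) names FormMail."""
    path = unquote(urlsplit(target).path)
    return bool(PROBE_RE.search(path))

def summarize(lines):
    """Per client: probe count, how many got a 2xx answer, and the raw paths tried."""
    report = defaultdict(lambda: {"probes": 0, "served": 0, "paths": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_formmail_probe(m["target"]):
            continue
        entry = report[m["host"]]
        entry["probes"] += 1
        # A 2xx status means a script answered; 403/404 means the probe missed.
        entry["served"] += m["status"].startswith("2")
        entry["paths"].add(urlsplit(m["target"]).path)
    return dict(report)

# Constructed sample log lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Dec/2002:17:40:01 +0000] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 287',
    '192.0.2.10 - - [02/Dec/2002:17:40:02 +0000] "GET /cgi-bin/FormMail.cgi HTTP/1.0" 404 288',
    '192.0.2.10 - - [02/Dec/2002:17:40:03 +0000] "POST /cgi-bin/FormMail.pl HTTP/1.0" 200 512',
    '198.51.100.7 - - [02/Dec/2002:17:41:10 +0000] "GET /cgi-bin/%46ormMail.pl?x=1 HTTP/1.0" 403 301',
    '203.0.113.5 - - [02/Dec/2002:17:42:00 +0000] "GET /contact.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for host, e in sorted(summarize(SAMPLE_LOG).items()):
        print(host, e["probes"], "probes,", e["served"], "served,", sorted(e["paths"]))
```

A client with a non-zero "served" count reached a script under a well-known name; after a rename the same requests show up only as 404s.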




RE: [users@httpd] FormMail.pl / cgi-bin?

Posted by Alex Pilson <al...@flagshipinteractive.com>.
At 11:20 AM -0600 12/2/02, Jack L. Stone wrote:
>At 09:53 AM 12.2.2002 -0700, Remo Mattei wrote:
>>I would not use formmail.pl; you may want to check formmail.php, a better
>>way to go I think. There are other PHP mailers that do not have the
>>security holes that formmail had.
>>
>>
>>Remo Mattei
>>Network Security Engineer
>>cell 801-209-8554
>>email remo@italy1.com
>>
>
>Where do you get the formmail.php....?? Is that Matt's too? And appreciate
>any URLs handy for the other phps.

http://www.kdg-42.com/~scripts/
-- 
<--------------------------------------------------------------->
     Alex Pilson
     FlagShip Interactive, Inc.
     alex@flagshipinteractive.com
     404.728.4417
     404.642.8225 CELL
<--------------------------------------------------------------->



RE: [users@httpd] FormMail.pl / cgi-bin?

Posted by Remo Mattei <re...@italy1.com>.
Have you looked at:
http://www.hotscripts.com/PHP/Scripts_and_Programs/Form_Processors/more6.html

hotscripts is a very good site.


Remo Mattei
Network Security Engineer
cell 801-209-8554
email remo@italy1.com

-----Original Message-----
From: Jack L. Stone [mailto:jackstone@sage-one.net] 
Sent: Monday, December 02, 2002 10:21 AM
To: users@httpd.apache.org; users@httpd.apache.org
Subject: RE: [users@httpd] FormMail.pl / cgi-bin?

At 09:53 AM 12.2.2002 -0700, Remo Mattei wrote:
>I would not use formmail.pl; you may want to check formmail.php, a better
>way to go I think. There are other PHP mailers that do not have the
>security holes that formmail had.
>
>
>Remo Mattei
>Network Security Engineer
>cell 801-209-8554
>email remo@italy1.com
>

Where do you get the formmail.php....?? Is that Matt's too? And appreciate
any URLs handy for the other phps.
Thanks!

Best regards,
Jack L. Stone,
Administrator

SageOne Net
http://www.sage-one.net
jackstone@sage-one.net



RE: [users@httpd] FormMail.pl / cgi-bin?

Posted by "Jack L. Stone" <ja...@sage-one.net>.
At 09:53 AM 12.2.2002 -0700, Remo Mattei wrote:
>I would not use formmail.pl; you may want to check formmail.php, a better
>way to go I think. There are other PHP mailers that do not have the
>security holes that formmail had.
>
>
>Remo Mattei
>Network Security Engineer
>cell 801-209-8554
>email remo@italy1.com
>

Where do you get the formmail.php....?? Is that Matt's too? And appreciate
any URLs handy for the other phps.
Thanks!

Best regards,
Jack L. Stone,
Administrator

SageOne Net
http://www.sage-one.net
jackstone@sage-one.net



RE: [users@httpd] FormMail.pl / cgi-bin?

Posted by Remo Mattei <re...@italy1.com>.
I would not use formmail.pl; you may want to check formmail.php, a better
way to go I think. There are other PHP mailers that do not have the
security holes that formmail had.


Remo Mattei
Network Security Engineer
cell 801-209-8554
email remo@italy1.com

-----Original Message-----
From: Alex Pilson [mailto:alex@flagshipinteractive.com] 
Sent: Monday, December 02, 2002 9:43 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] FormMail.pl / cgi-bin?

At 10:39 AM -0600 12/2/02, Jack L. Stone wrote:
>At 11:34 AM 12.2.2002 -0500, Alex Pilson wrote:
>>I have FormMail in a directory called CGI-Excutables directory. I
>>have /cgi-bin/ alias to this directory as the default. I seem to have
>>permissions set up properly but going to a virtual domain site like
>>http://www.mydomain.com/cgi-bin/FormMail.pl
>>
>>yields a permission error:
>>You don't have permission to access /cgi-bin/FormMail.pl on this server.
>>
>>Any ideas what I am missing here?
>>--
>><--------------------------------------------------------------->
>>      Alex Pilson
>
>Have you configured formmail.pl itself as authorized domain...?? ...and
>there is a recipient line as well. Both tell formmail.pl it's okay for
>those and those only.....

Yep. I will double check it. BUT it seems that the error is not from 
formmail but from Apache itself.
-- 
<--------------------------------------------------------------->
     Alex Pilson
     FlagShip Interactive, Inc.
     alex@flagshipinteractive.com
     404.728.4417
     404.642.8225 CELL
<--------------------------------------------------------------->



Re: [users@httpd] FormMail.pl / cgi-bin?

Posted by Alex Pilson <al...@flagshipinteractive.com>.
At 10:39 AM -0600 12/2/02, Jack L. Stone wrote:
>At 11:34 AM 12.2.2002 -0500, Alex Pilson wrote:
>>I have FormMail in a directory called CGI-Excutables directory. I
>>have /cgi-bin/ alias to this directory as the default. I seem to have
>>permissions set up properly but going to a virtual domain site like
>>http://www.mydomain.com/cgi-bin/FormMail.pl
>>
>>yields a permission error:
>>You don't have permission to access /cgi-bin/FormMail.pl on this server.
>>
>>Any ideas what I am missing here?
>>--
>><--------------------------------------------------------------->
>>      Alex Pilson
>
>Have you configured formmail.pl itself as authorized domain...?? ...and
>there is a recipient line as well. Both tell formmail.pl it's okay for
>those and those only.....

Yep. I will double check it. BUT it seems that the error is not from 
formmail but from Apache itself.
-- 
<--------------------------------------------------------------->
     Alex Pilson
     FlagShip Interactive, Inc.
     alex@flagshipinteractive.com
     404.728.4417
     404.642.8225 CELL
<--------------------------------------------------------------->



Re: [users@httpd] FormMail.pl / cgi-bin?

Posted by "Jack L. Stone" <ja...@sage-one.net>.
At 11:34 AM 12.2.2002 -0500, Alex Pilson wrote:
>I have FormMail in a directory called CGI-Excutables directory. I 
>have /cgi-bin/ alias to this directory as the default. I seem to have 
>permissions set up properly but going to a virtual domain site like 
>http://www.mydomain.com/cgi-bin/FormMail.pl
>
>yields a permission error:
>You don't have permission to access /cgi-bin/FormMail.pl on this server.
>
>Any ideas what I am missing here?
>-- 
><--------------------------------------------------------------->
>     Alex Pilson

Have you configured formmail.pl itself as authorized domain...?? ...and
there is a recipient line as well. Both tell formmail.pl it's okay for
those and those only.....

Best regards,
Jack L. Stone,
Administrator

SageOne Net
http://www.sage-one.net
jackstone@sage-one.net
