Posted to users@httpd.apache.org by Mike <mi...@ironmikie.nl> on 2002/03/12 11:23:15 UTC

formmail.pl and redirection

Hi,

I am having a problem with the Apache rewrite engine for my formmail.pl. When I "browse" to www.test.nl/cgi-bin/formail.pl the Apache (1.3) server must redirect this request to http://scripts.test2.nl/cgi-bin/formmail.pl. But this won't work, while another CGI script like printenv works just fine.

Does anyone know what my RewriteRule is supposed to look like? If I take a look in my rewrite log of the www.test.nl server I see that the redirect works, so it must be some information that the destination server is missing.

This is the error I get when I try to use the formmail.pl:

Bad Referrer - Access Denied 
The form attempting to use FormMail resides at http://www.test.nl/, which is not allowed to access this cgi script.
If you are attempting to configure FormMail to run with this form, you need to add the following to @referers, explained in detail in the README file.

Add 'www.test.nl' to your @referers array.

end of error message

P.S. When I add test.nl to @referers it still makes no difference.

Thanx in advance

MichaelZ  

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


RE: formmail.pl and redirection

Posted by Joshua Slive <jo...@slive.ca>.
> From: M.v.Buytene [mailto:martijn@sigterm.nl]

> He can't hardcode recipients into his formmail.pl.
> He wants to rewrite customers' formmail.pl's and doesn't know who the
> customers' recipients are, I guess. I bet he does the antispam after the
> formmail.pl
> with a nifty sendmail cfg.

I wouldn't bet.  I would check to be sure.  It would take a VERY special
sendmail config to handle this.

In general, formmail.pl is completely insecure and shouldn't be used.  The
most recent version (after August 2001) can be set up not to allow abuse, if
you are *very* careful.  The "referer" check is pointless, but there is a
new "recipients" check which can be used to limit abuse if you configure it
correctly.  Of course, that will be very difficult if you are talking about
hundreds of domains.

Joshua.
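
A sketch of the kind of per-domain recipient restriction described in the message above, added here as an example; it is not part of the thread and not FormMail's own code. The table %ALLOWED_RECIPIENTS, the function recipient_allowed, and all hostnames and addresses are hypothetical, and it assumes the script selects the customer by the Host the form was submitted for.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical per-virtual-host allow-list (constructed sample data).
# Key: the Host the form was served for; value: addresses mail may go to.
my %ALLOWED_RECIPIENTS = (
    'www.test.nl'    => [ 'info@test.nl', 'sales@test.nl' ],
    'www.example.nl' => [ 'webmaster@example.nl' ],
);

# Return true only if $recipient is one exact, allow-listed address for
# $host. The Referer header is never consulted: the client sets it.
sub recipient_allowed {
    my ($host, $recipient) = @_;
    return 0 unless defined $host && defined $recipient;

    # Reject line breaks, separators and routing characters so the field
    # can only ever name a single address.
    return 0 if $recipient =~ /[\r\n,;\s%!]/;

    # Drop any port from the Host value and compare case-insensitively.
    ($host = lc $host) =~ s/:\d+\z//;
    my $allowed = $ALLOWED_RECIPIENTS{$host} or return 0;

    # Exact match against the list, never a substring or suffix match.
    return scalar grep { lc $recipient eq lc $_ } @$allowed;
}

# Constructed submissions: [ Host value, submitted recipient field ].
my @requests = (
    [ 'www.test.nl',    'info@test.nl' ],                      # listed
    [ 'www.test.nl',    'someone@elsewhere.example' ],         # not listed
    [ 'www.test.nl',    "info\@test.nl\nBcc: x\@y.example" ],  # line break
    [ 'www.test.nl',    'info@test.nl,other@y.example' ],      # two addresses
    [ 'www.example.nl', 'info@test.nl' ],                      # other vhost
    [ 'unknown.nl',     'info@test.nl' ],                      # unknown vhost
);

for my $r (@requests) {
    my ($host, $rcpt) = @$r;
    (my $shown = $rcpt) =~ s/\n/\\n/g;    # keep the report on one line
    printf "%-15s %-34s %s\n", $host, $shown,
        recipient_allowed($host, $rcpt) ? 'SEND' : 'REJECT';
}
```

Because the Host value is also supplied by the client, a forged one can at most select another customer's allow-listed address; mail never leaves the configured set.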




RE: formmail.pl and redirection

Posted by "M.v.Buytene" <ma...@sigterm.nl>.
He can't hardcode recipients into his formmail.pl.
He wants to rewrite customers' formmail.pl's and doesn't know who the
customers' recipients are, I guess. I bet he does the antispam after the
formmail.pl
with a nifty sendmail cfg.


Regards,

M.v.Buytene

On Tue, 12 Mar 2002, Joshua Slive wrote:

>
> > From: Mike [mailto:mike@ironmikie.nl]
>
> > The formmail.pl resides on
> > scripts.test2.nl/cgi-bin/formmail/formail.pl actually.
> >
> > I did add www.test.nl to the @referer with IP and I added it to
> > the hosts file. But this is the test case. Actually it must work
> > with more than 1000 virtual domains.
>
> I have not looked at this exact script, but I hope you realize that blocking
> access to formmail.pl by referer is completely pointless.  Any two-bit hacker
> can fake the referer header.  Any two-and-a-half-bit hacker can design a
> robot to find references to formmail.pl on webpages and automatically fake
> the correct referer header.
>
> The only safe way to do a mailto cgi as far as I know is to hardcode the
> recipient into the script.  Otherwise, you are just inviting spammers to
> abuse you.
>
> Joshua.
>
>


RE: formmail.pl and redirection

Posted by Joshua Slive <jo...@slive.ca>.
> From: Mike [mailto:mike@ironmikie.nl]

> The formmail.pl resides on
> scripts.test2.nl/cgi-bin/formmail/formail.pl actually.
>
> I did add www.test.nl to the @referer with IP and I added it to
> the hosts file. But this is the test case. Actually it must work
> with more than 1000 virtual domains.

I have not looked at this exact script, but I hope you realize that blocking
access to formmail.pl by referer is completely pointless.  Any two-bit hacker
can fake the referer header.  Any two-and-a-half-bit hacker can design a
robot to find references to formmail.pl on webpages and automatically fake
the correct referer header.

The only safe way to do a mailto cgi as far as I know is to hardcode the
recipient into the script.  Otherwise, you are just inviting spammers to
abuse you.

Joshua.




Re: formmail.pl and redirection

Posted by Mike <mi...@ironmikie.nl>.
The formmail.pl resides on scripts.test2.nl/cgi-bin/formmail/formail.pl actually.

I did add www.test.nl to the @referer with IP and I added it to the hosts file. But this is the test case. Actually it must work with more than 1000 virtual domains.

tnx,

MichaelZ

On Tue, Mar 12, 2002 at 07:57:46AM -0500, Bill -Sx- Jones wrote:
> On 3/12/02 5:23 AM, "Mike" <mi...@ironmikie.nl> wrote:
> 
> > Hi,
> > 
> > I am having a problem with the Apache rewrite engine for my formmail.pl. When
> > I "browse" to www.test.nl/cgi-bin/formail.pl the Apache (1.3) server must
> > redirect this request to http://scripts.test2.nl/cgi-bin/formmail.pl. But this
> > won't work, while another CGI script like printenv works just fine.
> > 
> > Does anyone know what my RewriteRule is supposed to look like? If I take a
> > look in my rewrite log of the www.test.nl server I see that the redirect
> > works, so it must be some information that the destination server is missing.
> 
> 
> On the www.test.nl server, use something like -
> 
> RewriteRule ^/(cgi.+/formmail.+) http://scripts.test.nl/$1 [L]
> 
> 
> > This is the error I get when I try to use the formmail.pl:
> > 
> > Bad Referrer - Access Denied
> > The form attempting to use FormMail resides at http://www.test.nl/, which is
> > not allowed to access this cgi script.
> > If you are attempting to configure FormMail to run with this form, you need to
> > add the following to @referers, explained in detail in the README file.
> > 
> > Add 'www.test.nl' to your @referers array.
> > 
> 
> Where is the actual script?
> 
> On scripts.???  Or on www.???
> 
> 
> The www system must be added so that it may call the script...
> 
> 
> ???
> -Sx-  :]
> 
> 
> 


Re: formmail.pl and redirection

Posted by Bill -Sx- Jones <sn...@mac.com>.
On 3/12/02 5:23 AM, "Mike" <mi...@ironmikie.nl> wrote:

> Hi,
> 
> I am having a problem with the Apache rewrite engine for my formmail.pl. When
> I "browse" to www.test.nl/cgi-bin/formail.pl the Apache (1.3) server must
> redirect this request to http://scripts.test2.nl/cgi-bin/formmail.pl. But this
> won't work, while another CGI script like printenv works just fine.
> 
> Does anyone know what my RewriteRule is supposed to look like? If I take a
> look in my rewrite log of the www.test.nl server I see that the redirect
> works, so it must be some information that the destination server is missing.


On the www.test.nl server, use something like -

RewriteRule ^/(cgi.+/formmail.+) http://scripts.test.nl/$1 [L]


> This is the error I get when I try to use the formmail.pl:
> 
> Bad Referrer - Access Denied
> The form attempting to use FormMail resides at http://www.test.nl/, which is
> not allowed to access this cgi script.
> If you are attempting to configure FormMail to run with this form, you need to
> add the following to @referers, explained in detail in the README file.
> 
> Add 'www.test.nl' to your @referers array.
> 

Where is the actual script?

On scripts.???  Or on www.???


The www system must be added so that it may call the script...


???
-Sx-  :]


