PDA

View Full Version : card.cgi pls help



firebirdfan
12-16-2003, 09:35 PM
$cgi_bin='cgi-bin/sendcard.cgi';
$url_path='http://www.example.com/';
$fullpath='e:/user/abc.com/web/';
$cards_path='card/cards/';
$record_log='card/card_log/';
$send='send.gif';
$back='back.gif';
$picture_path='card/picture/';
$background='card/picture/bg-line.jpg';
$mailprog = 'd:/usr/bin/sendmail';

Would like to know how do I activate this sedncard.cgi with sendmail ?
I've set the permissions for owner, groups & public to read, wrtie & execute/list then only the cgi script works. ( do i have to disable all - will it endanger my site to be hacked via those permissions ?)

Next would like to know what are the correct paths as stated above.
Coz it wont write to card_log & wont create the message in html in the card/cards folder.

Email also wont be sent.
Can anyone help ?

firebirdfan
12-16-2003, 10:19 PM
okay did some tweaking, & edit the path for sendmail which should be /bin/sendmail

While the card logs & html file is not writing hmm still testing.

sendmail will activate based upon the cgi scripts in the cgibin, so I wonder those scripts that are unsecure & easily exploited can be used against my script to send spam ?

firebirdfan
12-16-2003, 10:25 PM
yippie it's working - its always the path that you've got to get it right.

& also have to set the right attributes to all the folders , so there's 3 types of users - Owner, Group & Public - all have full 3 access - that is secure right ?

:lol:

jalal
12-17-2003, 01:54 AM
If everyone has full access == insecure...

But it is not simply to do with access rights, its who the script runs as and also how you check who is using the script.
If I can use the script to send emails, then I can probably use it as a relay.

firebirdfan
12-17-2003, 02:18 AM
So what would be a practical solution - even as formmail can be used as a relay, would it be recommended that I name the cgi file sometin bizarre like 1221dscmfkdsjmgkl.cgi ?
So that no one really from the outside can guess what's the file name & exploit it.
Are exploits easily automated once you get to know the filename in this case the cgi script- sendcard.cgi ?
I recently heard Fayez got spammed hard or his site was used as a relay to send 2K emails.
I see in my error logs those constant pesky request like xxx.pl etc.

So would renaming the file the first step to solving this issue ?
Thanks Jalal for replying

jalal
12-17-2003, 06:12 AM
Renaming is not the best idea. I'm mean, it will maybe work, but the best is to make it secure.
Formmail is secure. Old versions aren't but the latest one is.

With security, there are many different aspects, and I don't want to write a book here on a forum. But basically, here are some things to think about.
1. The permissions on the file, and the user who runs it, affects how that script can be used by a cracker to gain root access or similar. Its not likely something that a spammer will make use of.
2. What your script does with the information that is fed to it and how it decides who is allowed to use it is decided by the script itself, not by any permissions that it has.

For example, formmail will check all the data that is submitted to it, strip out anything that could be html, javascript, shell script and so on. It checks that the email can only be sent to the correct domain.

Renaming the file is OK, but then how do you access it? If there is an HTML page on your site with a form that calls your file, then the name of the script is in the form tag for anyone to see.

HTH

wildjokerdesign
12-17-2003, 08:29 AM
I assume you got the script off the web someplace. Hopefully it is popular enough that the creator keeps up with it and does updates. Kind of like this fourm script on the phpbb site you can keep track of any security issues that may have come up and make the modifications to your own script.

You might want to do a comparison of the New formail script and the card.cgi script to see if it has some similiar test for the email it is sending out.

I have changed the name on scripts and actually had done this with the old formail scirpt when I was using it. Like Jalal said it only works so far. It kept me safe from some of the initial attackes but they found it in the long run since you have to refrence it in your form.

I think you are doing one of the best things you can. You are aware that there could be security risk so you are keeping track of the script and your logs to see if there is any abuse. At least that way if there is a problem you can be ready to shut the script down while you figure out the problem and get it fixed. The times I have set something up and then forgotten about it is when I have run into problems.

firebirdfan
12-17-2003, 06:05 PM
Yes thanks all, it all boils down to the script. And yes Shawn it's obvious that it's a free script off the web, well the ppl who created the script have last updated in 1999 :) so I better be watching those log & error files closely :)