HighDots Forums  

Trying to get the submit form to work - confused, please help!

HTML Writing HTML for the Web (comp.infosystems.www.authoring.html)


#11 Jukka K. Korpela
Re: Trying to get the submit form to work - confused, please help! - 03-18-2008, 09:10 AM






Scripsit Jonathan N. Little:

Quote:
You never set your destination email in the html in hidden fields!
This is *so* hackable it is not funny. Your site will be a spam relaying
machine.

It might be, but it need not be. We cannot tell from the HTML markup and
the instructions. We cannot know whether the form handler script
actually checks the e-mail address against a list of accepted
destinations.

It's _probably_ a poorly designed and risky service, but not
necessarily.

--
Jukka K. Korpela ("Yucca")
http://www.cs.tut.fi/~jkorpela/



#12 Scott Bryce
Re: Trying to get the submit form to work - confused, please help! - 03-18-2008, 09:30 AM






Jukka K. Korpela wrote:
Quote:
It's _probably_ a poorly designed and risky service, but not
necessarily.

That is what I was thinking.

Is there a way for the OP to determine that? Assurances from his host
may not be good enough. If they are providing an open relay, they won't
know that they are. I would hope that someone in the hosting business
would know how to secure a formmail script.


#13 Jonathan N. Little
Re: Trying to get the submit form to work - confused, please help! - 03-18-2008, 10:25 AM



Jukka K. Korpela wrote:
Quote:
Scripsit Jonathan N. Little:

You never set your destination email in the html in hidden fields!
This is *so* hackable it is not funny. Your site will be a spam relaying
machine.

It might be, but it need not be. We cannot tell from the HTML markup and
the instructions. We cannot know whether the form handler script
actually checks the e-mail address against a list of accepted destinations.

It's _probably_ a poorly designed and risky service, but not necessarily.

True, but if the designers of the script had security in mind they would
not have stuck the destination out here client side in a hidden field in
the first place. I wouldn't put money on the script being secure, would you?

--
Take care,

Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com


#14 Scott Bryce
Re: Trying to get the submit form to work - confused, please help! - 03-18-2008, 10:52 AM



Jonathan N. Little wrote:
Quote:
True, but if the designers of the script had security in mind they
would not have stuck the destination out here client side in a hidden
field in the first place. I wouldn't put money on the script being
secure, would you?

I think that is the point. There may be some sort of code in the script
that determines whether the To address is acceptable, but the OP
shouldn't count on it. If I were the OP, I would look for another script
that is known to be secure.

If the script is installed in the OP's domain, he should delete it. But this:

-----

You have to modify the following code on your form page:
<form action="/cgi/formmail" method = "POST">
The above code instructs your form to use the Netfirms form handler to
process the form.

NOTE: Do not reference your domain pointer in the form action tag as
that will produce an error message.

-----

makes me think that the script is not installed in the OP's domain, but
resides elsewhere on the server. If that is the case, how could the
script know which email addresses are OK? So there is a real possibility
that there is an open relay on the server that the OP can't do anything
about.

Can you say, "blacklisted?" Sure. I knew you could.

Maybe the OP should be looking for another host.



#15 Jonathan N. Little
Re: Trying to get the submit form to work - confused, please help! - 03-18-2008, 11:30 AM



Scott Bryce wrote:

Quote:
Maybe the OP should be looking for another host.

Definitely!
--
Take care,

Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com


#16 David Stone
Re: Trying to get the submit form to work - confused, please help! - 03-18-2008, 11:45 AM



In article <QeidnUf8SZi4T0LanZ2dnUVZ_qelnZ2d (AT) comcast (DOT) com>,
Scott Bryce <sbryce (AT) scottbryce (DOT) com> wrote:

Quote:
Jukka K. Korpela wrote:
It's _probably_ a poorly designed and risky service, but not
necessarily.

That is what I was thinking.

Is there a way for the OP to determine that? Assurances from his host
may not be good enough. If they are providing an open relay, they won't
know that they are. I would hope that someone in the hosting business
would know how to secure a formmail script.

Given that it is a version of the formmail script, with the
recipient address included in the html markup for the form
page, there is a very high probability that it is indeed the
notoriously bad Matt's FormMail that has been exploited by
endless spammers, to the misery of all.

As mentioned elsewhere in the thread, there is a secure
version of that - and many other of Matt's scripts - available
from the nms project on SourceForge.

As also recommended elsewhere in this thread, the OP almost
certainly should NOT use it, and might want to look at an
alternate web host - one which takes script security seriously.


#17 Victory
Re: Trying to get the submit form to work - confused, please help! - 03-19-2008, 03:02 PM



Ok, thank you for all of the responses, but I am now more confused -
but that is ok, because at least I am on the way. What I copy and
pasted was the instructions from the host on how to use formmail.
Here it is again in its entirety :

How do I use Formmail?
Introduction
Forms on your Website can be used to collect data from a Website and
send it via E-mail to a desired location. It can be used for adding
ordering forms, feedback forms and simple surveys. Once you have your
forms designed in your favorite HTML editor or web design tool,
getting your forms to actually work only takes 2 easy steps.

IMPORTANT: Please ensure that there are no spaces in the name of your
contact form or feedback form.
1. Using our pre-installed forms handler
First of all, you must design your form using your desired web design
tools. Once this is done, you must manually edit the HTML code for
your form, some web design software has this feature built in.

You have to modify the following code on your form page:
<form action="/cgi/formmail" method = "POST">
The above code instructs your form to use the Netfirms form handler to
process the form.

NOTE: Do not reference your domain pointer in the form action tag as
that will produce an error message.

2. Specify Recipient E-mail address
Next you must have the following line of code after the form action
tag we entered above:

<input type=hidden name="recipient" value="you@yourdomain.com">
OR
<input type=hidden name="recipient"
value="you@yourdomain.com,anothername@anotherdomain.com">

This instructs the formmail script where to E-mail the information
entered on the form. Be sure to change you@yourdomain.com to your
actual E-mail address.

Optional Fields:
You add optional fields to your form to customize the functionality of
the form. For example you can require certain fields to be completed,
specify the page visitors see after completing the form.

If you use Microsoft FrontPage, click here for instructions without
having to edit HTML code.
<form action="/cgi/formmail" method="post">

<input type="hidden" name="recipient" value="you@yourdomain.com">

This is what I guess the host is offering in the way of a form
mailer. Why would they offer one that is full of holes and prone to
security breaches?
I now have downloaded the formmail_compat_3.14c1. Am I supposed to
upload this to my host to use it? Does the HTML have to change when
using this? Again, thanks in advance for the help, although this is
really Greek to me.

#18 Victory
Re: Trying to get the submit form to work - confused, please help! - 03-19-2008, 03:07 PM



Also, the form mailform.pl resides in my host domain. It was there
when I purchased the hosting account for the year. You can check it
out here :
http://bionicbuddha.com/mailform.pl






#19 Scott Bryce
Re: Trying to get the submit form to work - confused, please help! - 03-19-2008, 03:33 PM



Victory wrote:
Quote:
Ok, thank you for all of the responses, but I am now more confused -
but that is ok, because at least I am on the way. What I copy and
pasted was the instructions from the host on how to use formmail.
Here it is again in its entirety :

Here's the deal...

The instructions tell you to include the recipient email address in the
form. I can submit data to the script without using your form. I can
write a script that will take an email address out of a file, and use
the formmail script on your server to send email to that email address.
The script can do that thousands of times an hour, using a different
email address each time, unless there is something in the formmail
script that restricts its use to approved email addresses.

So I can send out millions of spam, and any trace will show it coming
from your server.

Quote:
This is what I guess the host is offering in the way of a form
mailer. Why would they offer one that is full of holes and prone to
security breaches?

Because they don't know it is full of holes. What else do they not know
about running a server?

Without seeing the script, we can't know for sure, but I don't see how
this could be a secure script.

BTW, I emailed your web host and asked about this. I got no response.


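The check the replies above say the form handler needs, as an added example that is not part of the thread and is not the host's or the nms project's code: the posted "recipient" field is honoured only for addresses on a list kept on the server, and line breaks are refused in any field that becomes a mail header. The allow-list, the sender address, the function names and the sample submissions are assumptions constructed for illustration.

```python
from email.message import EmailMessage
from urllib.parse import parse_qs

# Assumption: addresses the site owner configured on the server, not in the HTML.
ALLOWED_RECIPIENTS = {"you@yourdomain.com", "sales@yourdomain.com"}
SENDER = "webform@yourdomain.com"  # hypothetical fixed sender for all form mail


class Rejected(ValueError):
    """The submission asked for something the server-side policy forbids."""


def header_safe(value):
    """Refuse CR/LF so a form field cannot add extra mail headers."""
    if "\r" in value or "\n" in value:
        raise Rejected("line break in header field")
    return value.strip()


def resolve_recipients(raw):
    """Split the comma-separated 'recipient' field and check every address."""
    wanted = [header_safe(a).lower() for a in raw.split(",") if a.strip()]
    if not wanted:
        raise Rejected("no recipient")
    refused = [a for a in wanted if a not in ALLOWED_RECIPIENTS]
    if refused:
        raise Rejected("recipient not on allow-list: " + ", ".join(refused))
    return wanted


def build_mail(post_body):
    """Turn a urlencoded POST body into a message, or raise Rejected."""
    form = {k: v[0] for k, v in parse_qs(post_body).items()}
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(resolve_recipients(form.get("recipient", "")))
    msg["Subject"] = header_safe(form.get("subject", "Website form"))
    msg.set_content(form.get("message", ""))
    return msg


if __name__ == "__main__":
    # Constructed submissions: the site's own form, then a hand-made POST.
    for body in ("recipient=you%40yourdomain.com&subject=Hi&message=hello",
                 "recipient=stranger%40example.net&message=hello"):
        try:
            print("accepted for", build_mail(body)["To"])
        except Rejected as why:
            print("refused:", why)
```

A handler that keeps the destination entirely on the server and ignores the posted field is stricter still; the allow-list form is shown because it keeps the host's existing HTML working.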
#20 Victory
Re: Trying to get the submit form to work - confused, please help! - 03-19-2008, 04:40 PM



Thanks Scott, I hope you get an answer. I am going to look into the
scripts link that were sent to me and try to figure out how to use
them.
Quote:
BTW, I emailed your web host and asked about this. I got no response.

