Obviously I'm a dope and after reading the instruction s below my head is spinning. Programmer I am not - Admin I am. Sam I am. Sorry, wrong movie.
I added the FormMail.pl to my cgi-bin directory in the Primary ibay.
And I modified it to what I thought was the instructions.
What I wanted, was the form info which is on this page:
http://www.hurlockcompany.com/contact.phpand I want it to go to for the present time:
admin@hurlockcompany.com.
So I changed these lines to:
----------
$mailprog = '/usr/sbin/sendmail -i -t';
@referers = ('hurlockcompany.com','68.162.83.51');
@recipients = &admin(@hurlockcompany.com);
-------------
I get this error:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, admin@hurlockcompany.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
WHAT AM I DOING WRONG?
The FormMail.pl script does not have to be extensively configured in order to work. There are only two variables in the perl file which you will need to define along with changing the top line of your script to match the location of you Perl interpreter.
$mailprog = '/usr/lib/sendmail -i -t';
This variable must define the location to your server's sendmail program. If this is incorrect, form results will not be mailed to you. Specifying the parameters in this variable is new in v1.91, and we have included the -i parameter so that a single period on a line by itself will not end the message. -t instructs sendmail to read the recipient list from the message text.
@referers = ('scriptarchive.com','YOUR_IP');
This array allows you to define the domains on which you allow forms to reside and use this installation of FormMail. If a user tries to put a form on another server, that is not scriptarchive.com, they will receive an error message when someone tries to fill out their form. By placing scriptarchive.com in the @referers array, this also allows
www.scriptarchive.com, ftp.scriptarchive.com, any other http address with scriptarchive.com in it and scriptarchive.com's IP address to access this script as well, so no users will be turned away.
NOTE: This is not a security check. Referer headers can EASILY be faked. Rather, it prevents someone on xyznotyou.com from using the FormMail on your server to process forms on their server on a regular basis. It remains in the script as a remnant of earlier versions when it was used for security, but the @recipients variable is now used to specify exactly who can receive e-mail from this installation.
As of version 1.7, the domains listed here are also used as the defaults when checking valid recipient e-mail addresses. You should either include all domain names that you wish to have FormMail send e-mails to in your @referers array or tailor the @recipients array by hand.
@valid_ENV = ('REMOTE_HOST','REMOTE_ADDR','REMOTE_USER', 'HTTP_USER_AGENT');
This array allows the administrator to specify a list of environment variables that the user may request be added into the e-mail. This is a security patch that was advised at
http://www.securityfocus.com/bid/1187 and was implemented by Peter D. Thompson Yezek at
http://www.securityfocus.com/archive/1/62033.
Only environment variables listed in this array may be included in the form field env_report. So if you wanted to also know what URL a user was submitting from, you could change @valid_ENV to:
@valid_ENV = ('REMOTE_HOST','REMOTE_ADDR','REMOTE_USER',
'HTTP_USER_AGENT','HTTP_REFERER');
and then include HTTP_REFERER in your env_report form field.
@recipients = &fill_recipients(@referers);
If you wish to only allow e-mail addresses at the domain names in @referers to receive form results, you probably do not need to change this variable. However, if you get any 'Error: Bad/No Recipient' messages when running FormMail, you may have to revisit @recipients and make sure you have correctly listed all domains or configured this variable.
@recipients is the most important variable you need to configure. It is an array of regular expressions defining all valid recipients that can be specified. In order for an e-mail to be sent to the recipient defined in a form, the recipient e-mail address must match one of the elements in the @recipients array.
SIMPLE SETUP:
For the most simple setup, place any domain name that you wish to send form results to in the @referers array. Warning: This allows those domains to also access your FormMail script and utilize it to process their own forms, but likely this is what you intended anyway. If so, you can leave:
@recipients = &fill_recipients(@referers);
NO, THAT IS NOT WHAT I INTENDED!
Another alternative, then, is to set @recipients equal to the return value of the fill-recipients function and pass this function all of the domains to which e-mail may be addressed:
@recipients = &fill_recipients('domain.com',
'sub.domain.com','another.com');
You are now allowing e-mail to any username (provided it contains only A-Z, a-z, 0-9, _, - or .) at those three domains.
Similarly, since @recipients is just an array, you could even do:
@recipients = (&fill_recipients('domain.com','sub.domain.com'),
'^otheruser1@otherhost\.com',
'^otheruser2@otherhost\.com');
This would allow any recipient at domain.com and sub.domain.com similar to the previous example, but would also allow your friends otheruser1 and otheruser2 on otherhost.com to use your FormMail! Of course, you will need to add otherhost.com into your @referers array if a form is on their host!
HOW DOES THAT WORK?
When the fill_recipients function is called on an array of domain names, it turns them into regular expressions. These regular expressions will only allow e-mail messages to go to a recipient with an e-mail address in the following format:
[A-Za-z0-9_-\.]+@domain.com
where domain.com is specified in @referers. For any IP addresses in @referers, the following address formats are valid:
[A-Za-z0-9_-\.]+@[192.168.1.1]
where 192.168.1.1 is the specified IP address in @referers.
What this means in english is that the only valid addresses are those to usernames that include only letters, numbers, underscores, dashes or periods and an exact domain name or IP address that was specified in the @referers array. Depending on your needs, this may be too broad or not broad enough.
WHAT IF YOU NEED MORE FLEXIBILITY??
The way FormMail validates a recipient address is to check the supplied recipient(s) in the submitted form against each element in the array @recipients (which is a list of Perl regular expressions). If any valid recipients are found, they will receive a copy of the message.
Using the examples of @referers = ('domain.com','192.168.1.1'); and the default usage of setting @recipients = &fill_recipients(@referers), the contents of @recipients are now the same as if you had written:
@recipients = ('^[\w\-\.]+\@domain\.com',
'^[\w\-\.]+\@\[192\.168\.1\.1\]');
What these regular expressions instruct FormMail to do is require that any e-mail address passed in as a recipient of the form submission match at least one of those two formats. The following are examples of valid and invalid recipients for this exact setup:
VALID:
user@domain.com, First.Last@domain.com,
Last-First@domain.com, user_name@domain.com,
user023@domain.com, user@[192.168.1.1],
First.Last@[192.168.1.1], user023@[192.168.1.1],
Last-First@[192.168.1.1], user_name@[192.168.1.1], etc.
INVALID: (using these in your form field 'recipient' will trigger error)
user%name@domain.com, user(name)@domain.com,
first:last@domain.com ,
domain.com, user@192.168.1.1,
user@newdomain.com, user@sub.domain.com,
user@domainname.com
Essentially, it only allows A-Z, a-z, 0-9, _, - and . in the local address area (before the @, represented as [\w\-\.]+ in regular expression speak) and requires the domain name to match exactly. When mailing to an IP address, it must be enclosed in [].
BUT I NEED TO MATCH MORE CHARACTERS IN THE USERNAME!
Let's say you need to be able to deliver e-mail to an address like: last:first@domain.com
This requires that the ':' character now be allowed into the portion of the recipient field before the domain name. You could then modify @recipients to read:
@recipients = ('^[\w\-\.\:]+\@domain\.com');
BUT BE CAREFUL!!!!
Allowing certain characters could be VERY dangerous, especially if the characters are: %, <, >, (, ) or any newlines. You can read:
http://web.nps.navy.mil/~miller/percent-hack.htmlfor information on exactly why the % character could be dangerous. And the document that prompted 1.91 explains why some of the others could lead to problems:
http://www.monkeys.com/anti-spam/formmail-advisory.pdfI ONLY WANT CERTAIN ADDRESSES TO WORK!
Let's say you only want yourself@yourdomain.com to be able to receive any form submissions. You should then set the @recipients array to:
@recipients = ('^yourself\@yourdomain\.com');
Now the only valid recipient is that one e-mail address.
If there are several, simply do:
@recipients = ('^user1\@yourdomain\.com',
'^user2\@their\.domain\.com');
CAN I USE SOMETHING EASIER?
Prior versions of FormMail recommended settings for @recipients like:
@recipients = ('domain.com','192.168.1.1'); OR
@recipients = ('^joe@somewhereelse.com');
The first is bad because it can be easily tricked by submitting a recipient such as spamvictim%elsewhere.com@domain.com. The second is MUCH better, but since it is used as a regular expression, and '.' can mean ANY character, a hacker could use joe@somewhereelseXcom to get past a valid recipient check. This is not a very big deal in most cases.
WHAT IS THIS ^ CHARACTER AND WHY SO MANY \'s??
In regular expressions, the ^ means "beginning of string". By default, FormMail places a $ at the end of the match, which means "end of string". By using both ^ and $ in regular expression matching, FormMail can match a string exactly. You only need to worry about including the ^, which is STRONGLY recommended for all regular expressions in the array.
The \ character is used to escape a character that otherwise means something special in regular expressions. For instance, you now see every '.' being escaped with a '\', as '.' means ANY CHARACTER, whereas '\.' requires that it match ONLY a period.
If you need a regular expression matching solution even more specific than the above examples explain, I recommend picking up a book on Perl.
Your formmail program is now configured.
6 Replies
2054 Views