Jump to content

FormMail Security

KevinW

By KevinW
in CPanel and Site Maintenance

 Share

Recommended Posts

KevinW Mentor

KevinW

Posted
Posted

I am aware that several web providers strictly prohibit the use of Matt's FormMail program, due to (lack of) security issues. Perhaps this was based on earlier versions of the program that were insecure.

 

There is also a group (nms) that have rewritten Matt's FormMail program. I have used it once on a site (different web provider). Before making the effort to implement it (nms FormMail) on my site here, just wanted to know:

 

a) What is TCH response to security and the Matt's FormMail program?

:) Has TCH already implemented nms FormMail for use?

c) Has anyone else used it? If so, comments?

d) Or would you like me to be the guinea pig?

 

[The last one does NOT need a response!]

 

-kw

Head Guru Grand Master

Head Guru

Posted
Posted

The older versions of Formail is very insecure. Anything 1.9 or back is not allowed on TCH servers.

 

The admins review the reports daily and will remove any insecure version found.

 

I am not sure if it is well known, but I have a zero tolerance level for SPAM. I do mean ZERO. So if you do sneak a unsecure version of a formmail script on our servers and its exploited, your account is terminated. I make it policy, we dont warn spammers, we dont suspend spammers, the accounts get removed from the servers period.

 

There is formail clone included with cpanel for all to use, it is secure and is a good script.

 

Thanks for the ?

KevinW Mentor

KevinW

Posted
  • Author
Posted

Bill, exactly what I wanted to hear. I'm glad to hear that you consider your clone version secure. Any comments about the nms version of FormMail?

 

-kw

tmwes Explorer

tmwes

Posted
Posted

Funny...I came in here with a question about formmail (even thought I have no idea what it is...)

 

My site is very infrequently visited; yet just after midnight tonight somebody attempted to get to /cgi-bin/formmail.pl (it doesn't exist, obviously)....

 

Was that somebody trying to use my domain to spam with? Some kind of program that checks www.anysite.com/cgi-bin/formmail.pl and exploits it if it exists?

TCH-Don Grand Master

TCH-Don

Posted
Posted

I looked at my error log and found

 

[Wed Jan 22 23:47:58 2003] [error] [client 207.42.71.12] script not found or unable to stat: /home/xxxxx/public_html/cgi-bin/formmail.cgi

[Wed Jan 22 23:47:57 2003] [error] [client 207.42.71.12] script not found or unable to stat: /home/xxxxx/public_html/cgi-bin/formmail.pl

 

I do not use this any more, and removed it in Dec.

???????

TCH-Alan Community Regular

TCH-Alan

Posted
Posted
Funny...I came in here with a question about formmail (even thought I have no idea what it is...)

 

My site is very infrequently visited; yet just after midnight tonight somebody attempted to get to /cgi-bin/formmail.pl (it doesn't exist, obviously)....

 

Was that somebody trying to use my domain to spam with?  Some kind of program that checks www.anysite.com/cgi-bin/formmail.pl and exploits it if it exists?

Yes, some people may use programs which check domains and their cgi-bin to see if they have FormMail installed. This would be one way spammers can find what sites they can use to send their spam e-mails. That is why we do not allow FormMail that are older than 1.9 to be run on any of our servers.

 

Regards,

Alan

TCH-Alan Community Regular

TCH-Alan

Posted
Posted
I looked at my error log and found

 

[Wed Jan 22 23:47:58 2003] [error] [client 207.42.71.12] script not found or unable to stat: /home/xxxxx/public_html/cgi-bin/formmail.cgi

[Wed Jan 22 23:47:57 2003] [error] [client 207.42.71.12] script not found or unable to stat: /home/xxxxx/public_html/cgi-bin/formmail.pl

 

I do not use this any more, and removed it in Dec.

???????

The errors show the same as what the user tmwes is talking about. It may be because people have bookmarked the FormMail script URL and are trying to recently access it, or it could be new people or programs that are testing to see if you have FormMail installed. It is normal for this to happen and there is nothing to worry about.

 

Regards,

Alan

jayc Enthusiast

jayc

Posted
Posted

I am attempting to figure out how to use the formmail.cgi clone with very little success, can anyone who is successfuly using it give me some pointers ?

 

A working html page that I can hack to point to my domain would probably do the trick.

 

Jay

WyldeArt.com

KevinW Mentor

KevinW

Posted
  • Author
Posted

Jay, take a look at the following link:

http://tch.kwsupport.com/id65.htm

 

This is an example I created using the basic sample form from the CPanel documentation. What mis confusing with the documentation is that it does NOT give you an entire working form --- it only gave you the first page, showing you the required fields.

 

I've gone ahead and created a full working script. What you see is all you need!

 

HTH,

kw

  • 11 months later...
wigoweb Enthusiast

wigoweb

Posted
Posted

On January 31, 2003, the following was posted:

 

 

http://tch.kwsupport.com/id65.htm

This is an example I created using the basic sample form from the CPanel documentation. What mis confusing with the documentation is that it does NOT give you an entire working form --- it only gave you the first page, showing you the required fields.

I've gone ahead and created a full working script. What you see is all you need!

HTH,

kw

 

 

I attempted to visit the posted link so I could look at the example. I got a server not found message.

 

Is this example posted anywhere else?

 

Thanks

Lianna Veteran

Lianna

Posted
Posted (edited)

You should be able to get all the help you need here. I'm assuming you're looking at using that form mailer.

 

KW probably had that example up for only a short time. I'm certain that he'll see this post though and correct me if I'm wrong.

Edited by TCH-Lianna
wigoweb Enthusiast

wigoweb

Posted
Posted

Thumbs Up

 

Thanks Lianna for the link to the information about Ultimate Form Mail.

 

I downloaded the examples and the scripts, read and worked with them and then tried to implement the form on one of my existing web pages with a form.

 

I admit that I still have one or two questions about when to use .html and when to use .php, but when I tested the form, it all worked. I edited the code in mailit.php to turn off the testing and did the form again.

 

It went through flawlessly. I used multiple recipients which worked. It sent all of the information back to the submitter, too.

 

This script by itself may make switching to TCH a really good deal.

 

Thanks to everyone at TCH who worked to make this such a good script.

 

Now, I am going to work on setting up some more forms.

 

Alex

stevevan Grand Master

stevevan

Posted
Posted

You may want to drop a note on Surefire's website to thank him. I've been using this script for several months and haven't had as much as a hiccup.

 

One more reason why Rock Sign

kwik Newbie

kwik

Posted
Posted

I was trying to do a page on my site that used either the FormMail clone or cgiemail that is listed in our Cpanel, but couldn't get either to work. So I started reading these forums & found this thread.

 

Should I be using one of the other scripts mentioned(Phorm Jr. or Ultimate Form Mail)? Or am I just not doing something correctly with the provided 2? I tried looking at the sample that was posted earlier, but it's gone.

 

thank you,

Kevin K.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...