pass values to another script

2002-05-13 Thread Sven Bentlage

Hi!

I am using one script to secure the members area and offer several 
search functions for a mysql database. Another script offers the 
possibility to update data in this database. Both scripts require the 
user to enter name, lastname and password.
Now I want to enable the user to get straight to the update function 
without having to enter name, lastname and password (which he already 
entered once) again.

How can I pass those already collected values on to another script using 
a link (a href)?
Or how can I do that at all?

Thanks for your help,

Sven


-- 
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




Re: Matt Wright's formMail

2002-05-13 Thread Kevin Meltzer

Heya,

On Mon, May 13, 2002 at 04:42:55PM -0700, Bruce Ferrell ([EMAIL PROTECTED]) said 
something similar to:
> Just to throw jet fuel on the fire... cuz they come up on a google
> search for:
> 
>  cgi perl counter
> 
> and nms doesn't! :)

And that is one of the problems some in the community have had with
Matt :) People put that type of search in, see those scripts, and use
them. He has been asked to remove his scripts and point to other,
similar, scripts which have been "OK'd" by the community at large. But,
he hasn't. I have emailed him no less than half a dozen times myself,
all ignored.

But, luckily y'all have this list to enlighten you :)
 
> Just for the record, when I started using MSA, over 4 years ago nms
> didn't exist and I used them for the reasons listed above.  I was a
> sysadmin, am a sysadmin and my job isn't to audit every stick of code in
> the world... It's to run systems as securely as possible.  Until I hear
> something about a serious deficit in a chunk of code, I use it.

I'm well aware of how sysadmins just use code they find :) Part of my
living is made from fixing/re-writing such code. I think this is a
greater problem with many IT people.. blindly using code which they
don't understand. When you have the source, and you don't understand
it, people should use lists, newsgroups and peers to have someone
review it to see if it is really acceptable production code. But, hey..
I live in a fantasy world where production code is reviewed, tested,
portable, and uses common practices :)

Cheers,
Kevin (from Kevtopia)


> Kevin Meltzer wrote:
> > 
> > On Mon, May 13, 2002 at 09:14:03AM -0700, drieux ([EMAIL PROTECTED]) said 
>something similar to:
> > > which version of the code is the 'problem' version?
> > >
> > > what is the current specific 'security' issue?
> > >
> > > there was a security update to v1.92 on 04/21/02
> > > has there been some new issue arise??? since then?
> > 
> > Does it matter? They are scripts by Matt.. recurring security issues,
> > and (unless he has done some MAJOR reworking) they are written in Perl
> > 4. Why would anyone want to run these in production?
>  
> > Cheers,
> > Kevin

-- 
[Writing CGI Applications with Perl - http://perlcgi-book.com]
"BASIC is the Computer Science equivalent of `Scientific Creationism'."
-- BSD fortune file





Re: CGI and frames

2002-05-13 Thread Sven Bentlage

Sorry, here are the details:
I'm using one CGI script to generate several search pages (search for 
people etc.) within a secured area.
I would like to put the navigation sub into one frame, and the retrieved 
data (sub search1, 2, ...) in another frame.
But I do not want to use an extra script for this.

Hope this explains it a little bit better..

Sven



On Tuesday, May 14, 2002, at 06:34 AM, John Brooking wrote:

> If you mean can a CGI script output both the frameset
> and all of its pages simultaneously, I don't see how.
> What you can do is have each frame call a CGI script
> for its content, and have another to generate the
> frameset. Each script then outputs its own HTML as
> normal.
>
> If this doesn't address your issue, I think we'll need
> a little more detail.
>
> - John
>
> --- Sven Bentlage <[EMAIL PROTECTED]> wrote:
>> Hi !
>> Right now I'm using a cgi-script to create a few
>> html pages.
>> Somewhere I read that I also can create framesets
>> plus the dependent
>> html pages via a CGI script.
>>
>> Where can I find a manual on how to do that?  Or can
>> anybody tell me?
>>
>> Thanks for your help.
>>
>> Sven
>>
>>
>>
>
>
> =
> "When you're following an angel, does it mean you have to throw your 
> body off a building?" - They Might Be Giants, http://www.tmbg.com
> 
> Word of the week: Serendipity, see 
> http://www.bartleby.com/61/93/S0279300.html
>
> __
> Do You Yahoo!?
> LAUNCH - Your Yahoo! Music Experience
> http://launch.yahoo.com
>
>
>
>






Re: Matt Wright's formMail

2002-05-13 Thread Bruce Ferrell

Just to throw jet fuel on the fire... cuz they come up on a google
search for:

 cgi perl counter

and nms doesn't! :)

Seriously, I do use them (ok, did until now) because they're handy,
don't spew errors and I can understand the code.  Now that I know they
have problems, probably not anymore... 'course I need to look over the
nms scripts to see what I need to do to make them "mine" but... :-D

Just for the record, when I started using MSA, over 4 years ago nms
didn't exist and I used them for the reasons listed above.  I was a
sysadmin, am a sysadmin and my job isn't to audit every stick of code in
the world... It's to run systems as securely as possible.  Until I hear
something about a serious deficit in a chunk of code, I use it.

If the problem is simply that the code is considered old and crufty...
well, on that basis;  Do I really need to say it?



Kevin Meltzer wrote:
> 
> On Mon, May 13, 2002 at 09:14:03AM -0700, drieux ([EMAIL PROTECTED]) said something 
>similar to:
> > which version of the code is the 'problem' version?
> >
> > what is the current specific 'security' issue?
> >
> > there was a security update to v1.92 on 04/21/02
> > has there been some new issue arise??? since then?
> 
> Does it matter? They are scripts by Matt.. recurring security issues,
> and (unless he has done some MAJOR reworking) they are written in Perl
> 4. Why would anyone want to run these in production?
 
> Cheers,
> Kevin
> 
> --
> [Writing CGI Applications with Perl - http://perlcgi-book.com]
> My PID is Inigo Montoya. You kill -9 my parent process. Prepare to vi.
> 





Re: [sorta OT] Re: Matt Wright's formMail

2002-05-13 Thread Michael Kelly

On 5/13/02 2:43 PM, Kevin Meltzer <[EMAIL PROTECTED]> wrote:


> To sum up.. Matt's code is bad. It has various security holes, is not
> maintained, and is in Perl 4. The 'vendetta' has come from years of him
> NOT removing his scripts from the internet (spreading cargo-cult
> programming), and not updating them accordingly. When someone is new to
> Perl (like yourself) you may just say "Hey, here are some free scripts
> I can use! YAY!" and not know they are outdated, poorly programmed,
> barely supported, and are known to have recurring security issues. As
> well, his code should not be used by beginners to learn how to program
> in Perl. Instead, it should be (and is) used in talks of "what not to
> do". 
> 
> Many of us in the Perl community have repeatedly asked him to either
> rewrite his code fully, or simply remove it from his site. He has, each
> time, either ignored or flatly refused to do so. This is why NMS was
> finally started.
> 
> So, it is the security concerns, as well as the others I mentioned.
> Someone else may even have a few I have forgotten. I hope this answers
> your question :)

Yes, it does. I knew there must have been some sort of history that I was
not aware of...

Thanks!
-- 
Michael






Re: CGI and frames

2002-05-13 Thread John Brooking

If you mean can a CGI script output both the frameset
and all of its pages simultaneously, I don't see how.
What you can do is have each frame call a CGI script
for its content, and have another to generate the
frameset. Each script then outputs its own HTML as
normal.

If this doesn't address your issue, I think we'll need
a little more detail.

- John

--- Sven Bentlage <[EMAIL PROTECTED]> wrote:
> Hi !
> Right now I'm using a cgi-script to create a few
> html pages.
> Somewhere I read that I also can create framesets
> plus the dependent 
> html pages via a CGI script.
> 
> Where can I find a manual on how to do that?  Or can
> anybody tell me?
> 
> Thanks for your help.
> 
> Sven
> 
> 
> 


=
"When you're following an angel, does it mean you have to throw your body off a 
building?" - They Might Be Giants, http://www.tmbg.com

Word of the week: Serendipity, see http://www.bartleby.com/61/93/S0279300.html





Re: [sorta OT] Re: Matt Wright's formMail

2002-05-13 Thread Kevin Meltzer

Ack.. I used to have a nice long, detailed reason why (I think I may
have sent it to someone on this list at some point who asked me the
same question). 

To sum up.. Matt's code is bad. It has various security holes, is not
maintained, and is in Perl 4. The 'vendetta' has come from years of him
NOT removing his scripts from the internet (spreading cargo-cult
programming), and not updating them accordingly. When someone is new to
Perl (like yourself) you may just say "Hey, here are some free scripts
I can use! YAY!" and not know they are outdated, poorly programmed,
barely supported, and are known to have recurring security issues. As
well, his code should not be used by beginners to learn how to program
in Perl. Instead, it should be (and is) used in talks of "what not to
do". 

Many of us in the Perl community have repeatedly asked him to either
rewrite his code fully, or simply remove it from his site. He has, each
time, either ignored or flatly refused to do so. This is why NMS was
finally started.

So, it is the security concerns, as well as the others I mentioned.
Someone else may even have a few I have forgotten. I hope this answers
your question :)

BTW folks, please do not turn this into an ever-going Matt bashing
thread.. or I will be forced to close it (trying to be preventative
here). 

Cheers,
Kevin

On Mon, May 13, 2002 at 01:45:06PM -0700, Michael Kelly ([EMAIL PROTECTED]) said 
something similar to:
> Ok, I have a question now: What, exactly, started the vendetta that the
> entire Perl community seems to have against Matt's Script Archives? Is it
> the constant security concerns, or is there something else?
> 
> At the moment, MSA at its worst doesn't seem nearly as bad as, say,
> Microsoft.
> 
> I'm not trying to defend MSA, it's just that I've seen endless trash talked
> about it, and, being a relative newcomer to the Perl scene, I'm curious as
> to where it all started.
> 
> Thanks,
> -- 
> Michael
> 

-- 
[Writing CGI Applications with Perl - http://perlcgi-book.com]
All people have the right to be stupid, some people just abuse it!
-- Frank Zappa





Re: [sorta OT] Re: Matt Wright's formMail

2002-05-13 Thread fliptop

Michael Kelly wrote:

> Ok, I have a question now: What, exactly, started the vendetta that the
> entire Perl community seems to have against Matt's Script Archives? Is it
> the constant security concerns, or is there something else?


there is no vendetta that i know of.

the nms project at sourceforge provides drop-in replacements for all of 
matt's scripts.

read the nms page at http://nms-cgi.sourceforge.net.  does it sound like 
a bitter quarrel?  i don't think so.  it's simply a way to get reliable, 
secure open-source code that works in perl 5.004, uses no standard 
modules and drops in place of matt's code.

sounds more like a solution than a vendetta.






RE: Matt Wright's formMail

2002-05-13 Thread Camilo Gonzalez

After a quick perusal it seems the replacement form's greatest contribution
is to limit the number of recipients that may be emailed at any one time.
There seem to be a number of other improvements, and it looks like the code
is updated more to what is recommended here. I do understand the objections
to Matt's style; after all, he wrote this stuff when he was just 14 and Perl
has come a long way since then. I don't share the animosity; after all, he
has done a great deal to popularize Perl. It's just too bad he did it with
poor code and continues to write bad code.

-Original Message-
From: John Brooking [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 13, 2002 3:53 PM
To: cgi
Subject: Re: Matt Wright's formMail


I must confess I'm not intimately familiar with the
script in question, so I don't completely understand
what the code snippet that drieux included does,
therefore how it is or is not sufficiently secure.
However, I have some more general comments in the way
of clarification.

It seems to me that the *fact* of using the referers
environment variable is not the security risk, but
that relying on it *only* is the risk. My introduction
to this issue was getting publicly flamed on perl
beginners last summer partially for not knowing this.
(Don't worry, the burns healed quickly.) Since then,
I've at least read enough to know that anyone with the
LWP module or any other HTTP API in any language can
build a web client with any referer header they want.
But I would think that means that using referers in
itself is not inherently dangerous, only thinking that
it's doing you any good security-wise is. The danger
that this ignorance makes possible depends on what the
rest of your script does with the input it gets.

Encoding data in the URL - well, all "GET" parameters
work that way, in the broadest definition of the term
"data". The question is, what does the script *do*
with that data? As all good readers of the security
chapter of O'Reilly's "CGI Programming with Perl"
(among others) will know, the biggest security hole
with user input is when that data is used for input to
a shell process. Is that what Matt's script does? If
so, is the generally approved work-around one of the
two fix-ups recommended by that book: (1) filter the
input string to disallow "bad" characters such as
shell escapes, or better yet, (2) use a combination of
fork and exec rather than simply opening a pipe to a
process? How does the NMS replacement code handle
this, and what do you all do in similar cases?

- John

--- drieux <[EMAIL PROTECTED]> wrote:
> 
> On Monday, May 13, 2002, at 09:21 , Camilo Gonzalez
> wrote:
> [..]
> > The problems seem to be that it uses the Referer
> environmental variable to
> > exclude spammers and it gives the option of
> encoding data in the URL. I've
> > been told both are considered security risks. My
> ISP does not think even 
> > the
> > latest release addresses these issues and refuses
> to let Formmail on its
> > servers.
> [..]
> 
> in the main I have heard the same things - I can
> appreciate that
> ISP's are at liberty to do as they will - I was just
> trying to
> track down my exposure - given as our ISP is running
> v1.92
> 
> it could be that if one's ISP is doing a lot of
> virtual hosting
> then the simplification of
> 
>   @referers = ('wetware.com','199.108.16.17');
> 
> could get messy hence the following guard code:
> 
>   sub check_url {
> 
>       # Localize the check_referer flag which determines if user is valid.
>       local($check_referer) = 0;
> 
>       # If a referring URL was specified, for each valid referer, make sure
>       # that a valid referring URL was passed to FormMail.
> 
>       if ($ENV{'HTTP_REFERER'}) {
>           foreach $referer (@referers) {
>               if ($ENV{'HTTP_REFERER'} =~ m|https?://([^/]*)$referer|i) {
>                   $check_referer = 1;
>                   last;
>               }
>           }
>       } else { $check_referer = 1; }
> 
>       # If the HTTP_REFERER was invalid, send back an error.
>       if ($check_referer != 1) { &error('bad_referer') }
>   }
> 
> is not sufficiently robust enough
> 
> where that code is preventing spamming is with:
> 
>   @recipients = &fill_recipients(@referers);
> 
>   sub fill_recipients {
>       local(@domains) = @_;
>       local($domain,@return_recips);
> 
>       foreach $domain (@domains) {
>           if ($domain =~ /^\d+\.\d+\.\d+\.\d+$/) {
>               $domain =~ s/\./\\\./g;
>               push(@return_recips,'^[\w\-\.]+\@\[' . $domain . '\]');
>           } else {
>               $domain =~ s/\./\\\./g;
>               $domain =~ s/\-/\\\-/g;
>               push(@return_recips,'^[\w\-\.]+\@' . $domain);
>           }
>       }
> 
>       return @return_recips;
>   }
> 
> and I have tested this anti-spam piece - an

Re: Matt Wright's formMail

2002-05-13 Thread John Brooking

I must confess I'm not intimately familiar with the
script in question, so I don't completely understand
what the code snippet that drieux included does,
therefore how it is or is not sufficiently secure.
However, I have some more general comments in the way
of clarification.

It seems to me that the *fact* of using the referers
environment variable is not the security risk, but
that relying on it *only* is the risk. My introduction
to this issue was getting publicly flamed on perl
beginners last summer partially for not knowing this.
(Don't worry, the burns healed quickly.) Since then,
I've at least read enough to know that anyone with the
LWP module or any other HTTP API in any language can
build a web client with any referer header they want.
But I would think that means that using referers in
itself is not inherently dangerous, only thinking that
it's doing you any good security-wise is. The danger
that this ignorance makes possible depends on what the
rest of your script does with the input it gets.

Encoding data in the URL - well, all "GET" parameters
work that way, in the broadest definition of the term
"data". The question is, what does the script *do*
with that data? As all good readers of the security
chapter of O'Reilly's "CGI Programming with Perl"
(among others) will know, the biggest security hole
with user input is when that data is used for input to
a shell process. Is that what Matt's script does? If
so, is the generally approved work-around one of the
two fix-ups recommended by that book: (1) filter the
input string to disallow "bad" characters such as
shell escapes, or better yet, (2) use a combination of
fork and exec rather than simply opening a pipe to a
process? How does the NMS replacement code handle
this, and what do you all do in similar cases?

- John

--- drieux <[EMAIL PROTECTED]> wrote:
> 
> On Monday, May 13, 2002, at 09:21 , Camilo Gonzalez
> wrote:
> [..]
> > The problems seem to be that it uses the Referer
> environmental variable to
> > exclude spammers and it gives the option of
> encoding data in the URL. I've
> > been told both are considered security risks. My
> ISP does not think even 
> > the
> > latest release addresses these issues and refuses
> to let Formmail on its
> > servers.
> [..]
> 
> in the main I have heard the same things - I can
> appreciate that
> ISP's are at liberty to do as they will - I was just
> trying to
> track down my exposure - given as our ISP is running
> v1.92
> 
> it could be that if one's ISP is doing a lot of
> virtual hosting
> then the simplification of
> 
>   @referers = ('wetware.com','199.108.16.17');
> 
> could get messy hence the following guard code:
> 
>   sub check_url {
> 
>       # Localize the check_referer flag which determines if user is valid.
>       local($check_referer) = 0;
> 
>       # If a referring URL was specified, for each valid referer, make sure
>       # that a valid referring URL was passed to FormMail.
> 
>       if ($ENV{'HTTP_REFERER'}) {
>           foreach $referer (@referers) {
>               if ($ENV{'HTTP_REFERER'} =~ m|https?://([^/]*)$referer|i) {
>                   $check_referer = 1;
>                   last;
>               }
>           }
>       } else { $check_referer = 1; }
> 
>       # If the HTTP_REFERER was invalid, send back an error.
>       if ($check_referer != 1) { &error('bad_referer') }
>   }
> 
> is not sufficiently robust enough
> 
> where that code is preventing spamming is with:
> 
>   @recipients = &fill_recipients(@referers);
> 
>   sub fill_recipients {
>       local(@domains) = @_;
>       local($domain,@return_recips);
> 
>       foreach $domain (@domains) {
>           if ($domain =~ /^\d+\.\d+\.\d+\.\d+$/) {
>               $domain =~ s/\./\\\./g;
>               push(@return_recips,'^[\w\-\.]+\@\[' . $domain . '\]');
>           } else {
>               $domain =~ s/\./\\\./g;
>               $domain =~ s/\-/\\\-/g;
>               push(@return_recips,'^[\w\-\.]+\@' . $domain);
>           }
>       }
> 
>       return @return_recips;
>   }
> 
> and I have tested this anti-spam piece - and the
> only thing that survives is aimed where it is
> suppose to go.
> 
> As for 'using old perl' - I'm not sure that is an
> 'issue'? is it?
> since this is running in a 5.6 environment.
> 
> or am I missing something here???
> 
> 
> ciao
> drieux
> 
> ---
> 
> 
> 


=
"When you're following an angel, does it mean you have to throw your body off a 
building?" - They Might Be Giants, http://www.tmbg.com

Word of the week: Serendipity, see http://www.bartleby.com/61/93/S0279300.html


[sorta OT] Re: Matt Wright's formMail

2002-05-13 Thread Michael Kelly

On 5/13/02 10:49 AM, fliptop <[EMAIL PROTECTED]> wrote:

> i think what you're missing is there's no point in trying to justify
> running any version of any of matt's code - use the drop in replacements
> at sourceforge or take the (quite unnecessary) risk.  it's as simple as
> that.

Ok, I have a question now: What, exactly, started the vendetta that the
entire Perl community seems to have against Matt's Script Archives? Is it
the constant security concerns, or is there something else?

At the moment, MSA at its worst doesn't seem nearly as bad as, say,
Microsoft.

I'm not trying to defend MSA, it's just that I've seen endless trash talked
about it, and, being a relative newcomer to the Perl scene, I'm curious as
to where it all started.

Thanks,
-- 
Michael






Sendmail -f killing my script!

2002-05-13 Thread David Gilden

Hello,
I have updated a script to use the following '-f' flag as a way of
preventing SPAM relaying, and it is working fine:

open(MAIL,"|$mailprog -t -f" . $recipient);  

However, in the following script

&release_risk_html;  
never gets returned!

# with
# open(MAIL,"|$mailprog -t"); 
# it  works correctly

but not with:

# open(MAIL,"|$mailprog -t -f" . $recipient);  

Can anyone see why this is failing?
Thanks,
Dave Gilden 

# the script #

#!/usr/bin/perl

use CGI qw/:standard/;
use CGI::Carp qw(fatalsToBrowser);
use POSIX 'strftime';

$mailprog = '/usr/lib/sendmail';

@referers = ('kayaking.net');

# Single quotes do not interpolate, so '\@' was putting a literal backslash
# into the To: header and into the -f argument; a bare @ is what is wanted.
my $recipient = 'webmaster@kayaking.net, josiem@kayaking.net';

my $participants_email;

my $qs = $ENV{'QUERY_STRING'};

$line = "=" x72; # Line Separator  


foreach my $key ( param() ) {
    my $value = param($key);      # Fetch the parameter value
    $value =~ s/^\s+|\s+$//g;     # Strip whitespaces
    param( $key, $value );        # Reassign the stripped value to the parameter
}


# Retrieve Date (the trailing ,"\n" in the original did nothing useful)
$date = strftime('%A, %B %d, %Y %I:%M %p', localtime);

my $mail_branch = 0;

if ( param('step1') ) {
    # release_risk
    # Send E-Mail
    &send_mail;
    &release_risk_html;

    #   print redirect("http://www.kayaking.net/pages/release_risk.html");
}
elsif ( param('step2') ) {

    # Reg info

    $mail_branch = 1;

    # Send E-Mail
    &send_mail;

    print redirect('http://www.kayaking.net/pages/reg_payment_options.html');

}
elsif ( param('medical') ) {

    # Medical info

    $mail_branch = 2;

    # Send E-Mail
    &send_mail;

    print redirect('http://www.kayaking.net/pages/medinfo_step2.html');

}

exit;


# Check Referring URL
# &check_url;

# Parse Form Contents
# &parse_form;

# Check Required Fields
# &check_required;

# Return HTML Page or Redirect User
# &return_html;

sub send_mail {

    $participants_email = param('email');

    # Open The Mail Program
    # open(MAIL,"|$mailprog -t -f" . $recipient);
    # this change kills the
    # &release_risk_html,
    # (-f takes one envelope-sender address; $recipient holds two, separated
    # by a comma and a space, and the whole command line goes through a shell)

    open(MAIL,"|$mailprog -t");  # works correctly

    # form values are copied straight into the mail headers here
    print MAIL "To: $recipient\n";
    print MAIL "From: $participants_email (" , param('name1') , ")\n";

    if (!$mail_branch) {

        # reg step 1

        my $subject = param("subject") . " for " . param('name1') . "\n";

        print MAIL "Subject: $subject\n\n";


        print MAIL "$subject\n";
        print MAIL "$date\n";
        print MAIL "-" x 72 . "\n\n";


        foreach my $key (param()){

            print MAIL "-" x72,"\n\n" if $key =~ /name1/i;

            last if $key =~ /step\d/i;

            $val = param($key);      # was terminated by a comma, not a semicolon

            $key =~ s/\d$//;
            $key =~ s/(.+)/\u$1/;    # Upper Case First letter
            print MAIL "$line\n\n" if $key =~ /participant/i;

            print MAIL "$key: $val\n\n";
        }

        print MAIL "\n\n";
        print MAIL "$line\n" ;
        print MAIL 

[HTML page "FST: Release And Assumption Of Risk Agreement" (site navigation and the release and assumption of risk text); the rest of the script and of the message are cut off here in the archive]
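Added example, not Dave's script and not NMS code: the sendmail call from the script above written without a shell, with the -f value and form-supplied header values checked first, which is the fork/exec approach John Brooking refers to. It assumes Perl 5.8 or later for the list form of open, uses made-up addresses, and the dry run at the bottom sends nothing.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed values; the script in the thread hardcodes $mailprog and appends a
# comma-separated two-address string directly to "-f".
my $mailprog = '/usr/lib/sendmail';

# Accept exactly one plain local-part@domain address: no whitespace, commas,
# quotes, backslashes or shell metacharacters. The envelope sender handed to -f
# and every address that came from a form field go through this.
sub valid_address {
    my ($addr) = @_;
    return 0 unless defined $addr;
    return $addr =~ /^[A-Za-z0-9._+-]+\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$/ ? 1 : 0;
}

# Header values taken from the form must not contain CR or LF, otherwise the
# submitter can append headers of their own (another recipient, for instance).
sub header_value {
    my ($value) = @_;
    $value = '' unless defined $value;
    $value =~ tr/\r\n//d;
    return $value;
}

# Argument list for sendmail. -f takes a single address, so a string like the
# original 'webmaster\@..., josiem\@...' is refused instead of being split by
# the shell into stray arguments. -oi keeps a lone "." line from ending input.
sub sendmail_argv {
    my ($envelope_from) = @_;
    die "refusing envelope sender '$envelope_from'\n" unless valid_address($envelope_from);
    return ($mailprog, '-t', '-oi', "-f$envelope_from");
}

# Send without a shell: the list form of open forks and execs $mailprog with the
# arguments exactly as given. close() returns false and sets $? when sendmail
# exits non-zero, which open(MAIL,"|$mailprog -t -f" . $recipient) never checked.
sub send_message {
    my (%msg) = @_;
    for my $addr ($msg{from}, @{ $msg{to} }) {
        die "bad address '$addr'\n" unless valid_address($addr);
    }
    my @argv = sendmail_argv($msg{from});
    open(my $mail, '|-', @argv) or die "cannot run $mailprog: $!\n";
    print {$mail} 'To: ', join(', ', @{ $msg{to} }), "\n";
    print {$mail} "From: $msg{from}\n";
    print {$mail} 'Subject: ', header_value($msg{subject}), "\n\n";
    print {$mail} $msg{body}, "\n";
    close($mail) or die sprintf("sendmail failed, exit status %d\n", $? >> 8);
    return 1;
}

# Dry run on constructed data: only the checks are exercised, no mail is sent.
unless (caller) {
    for my $candidate ('webmaster@example.net',
                       'webmaster\@example.net, josiem\@example.net',
                       "user\@example.net\nBcc: other\@example.org") {
        (my $shown = $candidate) =~ s/\n/\\n/g;
        printf "%-55s valid=%d\n", $shown, valid_address($candidate);
    }
    print join(' ', sendmail_argv('webmaster@example.net')), "\n";
    print 'Subject header: ', header_value("Release form\nBcc: other\@example.org"), "\n";
}
```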

Re: Matt Wright's formMail

2002-05-13 Thread fliptop

drieux wrote:

> 
> or am I missing something here???


i think what you're missing is there's no point in trying to justify 
running any version of any of matt's code - use the drop in replacements 
at sourceforge or take the (quite unnecessary) risk.  it's as simple as 
that.






Re: Matt Wright's formMail

2002-05-13 Thread drieux


On Monday, May 13, 2002, at 09:21 , Camilo Gonzalez wrote:
[..]
> The problems seem to be that it uses the Referer environmental variable to
> exclude spammers and it gives the option of encoding data in the URL. I've
> been told both are considered security risks. My ISP does not think even 
> the
> latest release addresses these issues and refuses to let Formmail on its
> servers.
[..]

in the main I have heard the same things - I can appreciate that
ISP's are at liberty to do as they will - I was just trying to
track down my exposure - given as our ISP is running v1.92

it could be that if one's ISP is doing a lot of virtual hosting
then the simplification of

@referers = ('wetware.com','199.108.16.17');

could get messy hence the following guard code:

sub check_url {

    # Localize the check_referer flag which determines if user is valid.
    local($check_referer) = 0;

    # If a referring URL was specified, for each valid referer, make sure
    # that a valid referring URL was passed to FormMail.

    if ($ENV{'HTTP_REFERER'}) {
        foreach $referer (@referers) {
            if ($ENV{'HTTP_REFERER'} =~ m|https?://([^/]*)$referer|i) {
                $check_referer = 1;
                last;
            }
        }
    } else { $check_referer = 1; }

    # If the HTTP_REFERER was invalid, send back an error.
    if ($check_referer != 1) { &error('bad_referer') }
}

is not sufficiently robust enough

where that code is preventing spamming is with:

@recipients = &fill_recipients(@referers);

sub fill_recipients {
    local(@domains) = @_;
    local($domain,@return_recips);

    foreach $domain (@domains) {
        if ($domain =~ /^\d+\.\d+\.\d+\.\d+$/) {
            $domain =~ s/\./\\\./g;
            push(@return_recips,'^[\w\-\.]+\@\[' . $domain . '\]');
        } else {
            $domain =~ s/\./\\\./g;
            $domain =~ s/\-/\\\-/g;
            push(@return_recips,'^[\w\-\.]+\@' . $domain);
        }
    }

    return @return_recips;
}

and I have tested this anti-spam piece - and the
only thing that survives is aimed where it is supposed to go.

As for 'using old perl' - I'm not sure that is an 'issue'? is it?
since this is running in a 5.6 environment.

or am I missing something here???


ciao
drieux

---
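As an added illustration, not code from the thread, from FormMail or from NMS: the two routines drieux quotes, reduced to functions and each placed beside a variant that anchors the comparison, run over constructed referers and addresses (the host list and every address are made up). It also bears on John Brooking's point that the Referer header is whatever the client chooses to send.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed allow-list in the shape FormMail's @referers takes (made-up values).
my @referers = ('forms.example.com', '192.0.2.10');

# The check quoted in the thread, as a function. $referer is interpolated into
# the regex unescaped (its dots match any character) and nothing anchors the
# match after it, so any URL whose host merely contains the string passes; a
# request with no Referer header at all is accepted outright by the else branch.
sub weak_referer_ok {
    my ($header) = @_;
    return 1 unless defined $header && length $header;
    for my $referer (@referers) {
        return 1 if $header =~ m|https?://([^/]*)$referer|i;
    }
    return 0;
}

# Hardened variant: extract the host and require an exact (case-insensitive)
# match; no Referer means no match, and subdomains need their own entry.
# Even this is only a nuisance filter: the client chooses the header it sends.
sub strict_referer_ok {
    my ($header) = @_;
    return 0 unless defined $header && length $header;
    return 0 unless $header =~ m{^https?://([^/?#:]+)(?::\d+)?(?:[/?#]|$)}i;
    my $host = lc $1;
    my $matched = grep { lc($_) eq $host } @referers;
    return $matched ? 1 : 0;
}

# fill_recipients as quoted: one regex per domain, anchored at the start only,
# so anything that merely begins with an allowed address also matches.
sub weak_recipient_patterns {
    my @patterns;
    for my $domain (@_) {
        my $escaped = quotemeta $domain;   # what the s/\./\\\./g lines do by hand
        if ($domain =~ /^\d+\.\d+\.\d+\.\d+$/) {
            push @patterns, '^[\w\-\.]+\@\[' . $escaped . '\]';
        } else {
            push @patterns, '^[\w\-\.]+\@' . $escaped;
        }
    }
    return @patterns;
}

# Hardened variant: the same patterns with the end of the address anchored too.
sub strict_recipient_patterns {
    return map { $_ . '$' } weak_recipient_patterns(@_);
}

sub recipient_allowed {
    my ($address, @patterns) = @_;
    for my $pattern (@patterns) {
        return 1 if $address =~ /$pattern/;
    }
    return 0;
}

# Constructed inputs: one genuine referer/address first, then the shapes the
# weak versions wave through and the anchored versions reject.
sub demo {
    my @referer_cases = (
        'http://forms.example.com/form.html',
        'http://forms.example.com.evil.test/form.html',
        'http://www.forms.example.com/form.html',
        '',
    );
    for my $header (@referer_cases) {
        my $label = length $header ? $header : '(no Referer header)';
        printf "%-48s weak=%d strict=%d\n", $label,
            weak_referer_ok($header), strict_referer_ok($header);
    }

    my @weak   = weak_recipient_patterns(@referers);
    my @strict = strict_recipient_patterns(@referers);
    for my $addr ('[email protected]',
                  '[email protected]',
                  'user@[192.0.2.10]') {
        printf "%-48s weak=%d strict=%d\n", $addr,
            recipient_allowed($addr, @weak), recipient_allowed($addr, @strict);
    }
}

demo() unless caller;
```

The strict referer variant rejects the www. host because it is not in the list; whether that is wanted is a per-site decision, and the list should name every host that legitimately serves the form.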






Re: Matt Wright's formMail

2002-05-13 Thread Kevin Meltzer

On Mon, May 13, 2002 at 09:14:03AM -0700, drieux ([EMAIL PROTECTED]) said something 
similar to:
> which version of the code is the 'problem' version?
> 
> what is the current specific 'security' issue?
> 
> there was a security update to v1.92 on 04/21/02
> has there been some new issue arise??? since then?

Does it matter? They are scripts by Matt.. recurring security issues,
and (unless he has done some MAJOR reworking) they are written in Perl
4. Why would anyone want to run these in production?

Cheers,
Kevin

-- 
[Writing CGI Applications with Perl - http://perlcgi-book.com]
My PID is Inigo Montoya. You kill -9 my parent process. Prepare to vi.





RE: Matt Wright's formMail

2002-05-13 Thread Camilo Gonzalez

The problems seem to be that it uses the Referer environmental variable to
exclude spammers and it gives the option of encoding data in the URL. I've
been told both are considered security risks. My ISP does not think even the
latest release addresses these issues and refuses to let Formmail on its
servers. 

-Original Message-
From: drieux [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 13, 2002 11:14 AM
To: cgi
Subject: Re: Matt Wright's formMail



On Monday, May 13, 2002, at 08:52 , Kevin Meltzer wrote:

>
> try the rewrite from NMS:
>
> http://nms-cgi.sourceforge.net/
>
> Cheers,
> Kevin

which version of the code is the 'problem' version?

what is the current specific 'security' issue?

there was a security update to v1.92 on 04/21/02
has there been some new issue arise??? since then?


ciao
drieux

---


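The two weaknesses Camilo names above, put side by side as an added illustration: the Referer header is chosen by whoever sends the request, so it cannot restrict who uses the script, and a recipient taken from form or URL data makes the script mail to anyone. This is my own example, not code from FormMail or the NMS rewrite; the domain names, addresses and allowlist are made up.

```perl
#!/usr/bin/perl
# Added illustration (not Matt Wright's FormMail, not the NMS code):
# why a Referer check is not authorization, and why the recipient
# must come from a server-side allowlist, not from form/URL data.
use strict;
use warnings;

# Hypothetical site configuration: only these mailboxes may ever receive mail.
my @allowed_recipients = ('webmaster@example.com', 'sales@example.com');

# Weak pattern: trust the Referer header and the recipient field as sent.
# Both are supplied by the client, so neither restricts anything.
sub insecure_decide {
    my ($referer, $recipient) = @_;
    return 0 unless defined $referer && $referer =~ m{^http://www\.example\.com/};
    return 1;    # would mail to whatever $recipient says
}

# Hardened pattern: the recipient is matched, case-insensitively and exactly,
# against the allowlist; Referer plays no part in the decision (log it if useful).
sub secure_decide {
    my ($recipient) = @_;
    return 0 unless defined $recipient;
    $recipient =~ s/^\s+|\s+$//g;
    my $wanted = lc $recipient;
    my $ok = grep { lc($_) eq $wanted } @allowed_recipients;
    return $ok ? 1 : 0;
}

# Constructed requests: a forged Referer costs nothing, and an arbitrary
# recipient turns the weak version into an open mail relay.
my @requests = (
    [ 'http://www.example.com/contact.html', 'webmaster@example.com' ],
    [ 'http://www.example.com/contact.html', 'someone@elsewhere.test' ],
    [ 'http://other.test/',                  'webmaster@example.com' ],
);

for my $r (@requests) {
    my ($referer, $recipient) = @$r;
    printf "%-40s %-26s insecure=%d secure=%d\n",
        $referer, $recipient,
        insecure_decide($referer, $recipient), secure_decide($recipient);
}
```

The second row is accepted by the weak check and refused by the allowlist; the third shows that the Referer value changes nothing once the recipient is fixed server-side.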




Re: Matt Wright's formMail

2002-05-13 Thread drieux


On Monday, May 13, 2002, at 08:52 , Kevin Meltzer wrote:

>
> try the rewrite from NMS:
>
> http://nms-cgi.sourceforge.net/
>
> Cheers,
> Kevin

which version of the code is the 'problem' version?

what is the current specific 'security' issue?

there was a security update to v1.92 on 04/21/02
has there been some new issue arise??? since then?


ciao
drieux

---






CGI and frames

2002-05-13 Thread Sven Bentlage

Hi !
Right now I'm using a cgi-script to create a few html pages.
Somewhere I read that I also can create framesets plus the dependent 
html pages via a CGI script.

Where can I find a manual on how to do that?  Or can anybody tell me?

Thanks for your help.

Sven






RE: Matt Wright's formMail

2002-05-13 Thread Camilo Gonzalez

Thank you all for this link.

-Original Message-
From: Kevin Meltzer [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 13, 2002 10:53 AM
To: Camilo Gonzalez
Cc: [EMAIL PROTECTED]
Subject: Re: Matt Wright's formMail


try the rewrite from NMS:

http://nms-cgi.sourceforge.net/

Cheers,
Kevin

On Mon, May 13, 2002 at 10:07:54AM -0500, Camilo Gonzalez
([EMAIL PROTECTED]) said something similar to:
> I've just been informed by my ISP that Matt Wright's formMail will no
> longer be allowed on any of their servers due to glaring security concerns.
> I know now I shouldn't have used it but back then I was stupid and not a
> subscriber to this fine list. Let this serve as a warning to those still
> using his crap. Does anyone have the URL of that site that offers
> alternatives to Matt's scripts?
> 
> #!/usr/local/bin/perl
> print <<' EOF'
>  Camilo Gonzalez
>  Web Developer
>  Taylor Johnson Associates
>   [EMAIL PROTECTED]  
>   www.taylorjohnson.com  
>  EOF
> 
> 
>  

-- 
[Writing CGI Applications with Perl - http://perlcgi-book.com]
Disciple   - Master, why isn't everything perfect?
Zen Master - It is.





Re: Matt Wright's formMail

2002-05-13 Thread Kevin Meltzer

try the rewrite from NMS:

http://nms-cgi.sourceforge.net/

Cheers,
Kevin

On Mon, May 13, 2002 at 10:07:54AM -0500, Camilo Gonzalez 
([EMAIL PROTECTED]) said something similar to:
> I've just been informed by my ISP that Matt Wright's formMail will no
> longer be allowed on any of their servers due to glaring security concerns.
> I know now I shouldn't have used it but back then I was stupid and not a
> subscriber to this fine list. Let this serve as a warning to those still
> using his crap. Does anyone have the URL of that site that offers
> alternatives to Matt's scripts?
> 
> #!/usr/local/bin/perl
> print <<' EOF'
>  Camilo Gonzalez
>  Web Developer
>  Taylor Johnson Associates
>   [EMAIL PROTECTED]  
>   www.taylorjohnson.com  
>  EOF
> 
> 
>  

-- 
[Writing CGI Applications with Perl - http://perlcgi-book.com]
Disciple   - Master, why isn't everything perfect?
Zen Master - It is.





Re: Matt Wright's formMail

2002-05-13 Thread fliptop

Camilo Gonzalez wrote:

> I've just been informed by my ISP that Matt Wright's formMail will no
> longer be allowed on any of their servers due to glaring security concerns.
> I know now I shouldn't have used it but back then I was stupid and not a
> subscriber to this fine list. Let this serve as a warning to those still
> using his crap. Does anyone have the URL of that site that offers
> alternatives to Matt's scripts?


http://nms-cgi.sourceforge.net/

they have drop-in replacements for most of matt's old code.






Re: Matt Wright's formMail

2002-05-13 Thread Lisa Nyman

Hi,

Not Matt's Scripts

http://nms-cgi.sourceforge.net/scripts.shtml

-lisa






Matt Wright's formMail

2002-05-13 Thread Camilo Gonzalez

I've just been informed by my ISP that Matt Wright's formMail will no
longer be allowed on any of their servers due to glaring security concerns.
I know now I shouldn't have used it but back then I was stupid and not a
subscriber to this fine list. Let this serve as a warning to those still
using his crap. Does anyone have the URL of that site that offers
alternatives to Matt's scripts?

#!/usr/local/bin/perl
print <<' EOF'
 Camilo Gonzalez
 Web Developer
 Taylor Johnson Associates
  [EMAIL PROTECTED]  
  www.taylorjohnson.com  
 EOF