Depending on which version of formmail.pl, no customer should be allowed to run that script on their site. It virtually guarantees that your sendmail will be used by spammers to relay spam. It is like a customer putting a bomb in your office and you take a hands-off approach, refusing to call the bomb squad because it is a customer bomb. Just because it's a customer doesn't mean you have to let them put any vulnerable script they want on YOUR server. Would you take the same position if they put malware on their site, or an unpatched version of WordPress that will get hacked? The customer is not always right.

-----Original Message-----
From: Blueonyx <blueonyx-boun...@mail.blueonyx.it> On Behalf Of Dirk Estenfeld
Sent: Friday, January 4, 2019 8:08 AM
To: BlueOnyx General Mailing List <blueonyx@mail.blueonyx.it>
Subject: [BlueOnyx:22579] Re: 5209R: CGI-Wrapper working again

Hello,

it is not my script, it is a customer script. Yes I know that there are a bunch of better scripts. But it is not my position to change customer owned websites.
I have changed the configuration from the wrapper to a ScriptAlias directive in the apache configuration. So I do not have the error any longer.
However it should be something like this:

CGIWrap Error: Server UserID Mismatch
CGIWrap Error: Server UserID Mismatch
The userid that the web server ran cgiwrap as does not match the userid that was configured into the cgiwrap executable.
This is a configuration/setup problem with cgiwrap on this server.
Please contact the server administrator.

Best regards,
Dirk

---
blackpoint GmbH
Friedberger Straße 106b
61118 Bad Vilbel

-----Original Message-----
From: Blueonyx <blueonyx-boun...@mail.blueonyx.it> On Behalf Of Michael Stauber
Sent: Thursday, January 3, 2019 19:39
To: blueonyx@mail.blueonyx.it
Subject: [BlueOnyx:22578] Re: 5209R: CGI-Wrapper working again

Hi Dirk,

> hmm, unfortunately it is not working for me. I can name it formmail.pl
> or formail.cgi, I can place it in cgi-bin directory or on some other
> place. I always get the ownership error message...

Uuuuh. That formmail script? I'd bin it. Like Ken said: If it's what I think it is, then it's really shitty.

What's the exact error message you get in the browser? I've seen two different ones now in my tests and I'd like to know which of these you see.

FWIW: I've now found a 5209R where neither *.cgi nor *.pl works, even if everything is configured correctly (UID, GID, permissions). And that runs the same version of cgiwrap as the box where at least *.pl works. So yeah, there is something fishy with cgiwrap again.
Maybe it's related to a recent OS update. I'll have to dig into that.

--
With best regards
Michael Stauber
_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx