Quick improvements to avoid hacking to a Perl form Script (Coding in General forums, Development/Scripting category)
Hi:
I have a very old and simple form Script written in Perl (see it below), which has no kind of security and probably can easily be hacked. The problem is that I have several domains / sites using it and I don't have enough time now to move to another Script.

So, all I need is to implement some level of security on it, by adding a control to avoid that forms hosted elsewhere could use it. So, just Domains hosted at my Server could use it. I have seen controls like this in some Scripts, by using an array, like for instance @referrers, where I would be adding the Domain names that would be authorized. But considering that there are more than 200 Domains using it, I would like to have something smarter, like controlling through IP address.

Another control would be not to permit passing HTML tags or creating CC or BCC fields.

Please, looking forward to your help. Thanks a lot in advance.

Mario./

```perl
#!/usr/local/bin/perl

$mailprog = '/usr/lib/sendmail';

print "Content-type: text/html\n\n";

# Read the raw form data (CGI sets REQUEST_METHOD in upper case)
if ($ENV{'REQUEST_METHOD'} eq "GET") {
    $buffer = $ENV{'QUERY_STRING'};
} else {
    read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
}

# Split into name=value pairs and URL-decode each value
@nvpairs = split(/&/, $buffer);
foreach $pair (@nvpairs) {
    ($name, $value) = split(/=/, $pair);
    $value =~ tr/+/ /;
    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
    $FORM{$name} = $value;
}

# Confirmation page shown to the visitor
print <<MESSAGES;
<HTML>
<HEAD>
<TITLE>$FORM{'HEADER'}</TITLE>
<STYLE TYPE="text/css">
A:link, A:vlink { text-decoration: none; }
</STYLE>
<link rel="stylesheet" href="http://www.multisites.com.br/estilos/padrao.css" type="text/css">
</HEAD>
<BODY BGCOLOR=ffffff text=000000 background="">
<TABLE width=610 cellpadding=0 cellspacing=0 border=0>
<TR>
<TD valign=top>
<center><font class=texto12><b>$FORM{'HEADER'}</b></font></center>
<FONT class=texto11>
<blockquote>
<HR>
Hi <B>$FORM{'NOME'}</B>, thank you for contacting us.
We will be getting in touch.<BR>
<BR>
<CENTER><a href="javascript:history.go(-1)"><font class=texto10><b>BACK</b></font></a></CENTER>
<BR>
</blockquote>
<BR>
</FONT>
</TD></TABLE>
</BODY></HTML>
MESSAGES

# Pipe the message to sendmail, with the recipient taken from the form
$recipient = $FORM{'DESTINO'};
open (MAIL, "|$mailprog $recipient") || die "$mailprog not available.\n";
print MAIL "From: $FORM{'EMAIL'} ($FORM{'NOME'})\n";
print MAIL "Subject: $FORM{'ASSUNTO'} \n\n";
print MAIL "_________________________________________________ __________\n\n";

# Mail body: every non-empty field except the control fields
foreach $pair (@nvpairs) {
    ($name, $value) = split(/=/, $pair);
    $value =~ tr/+/ /;
    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
    $name =~ tr/+/ /;
    $name =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
    if (($value ne "") && ($name ne "DESTINO") && ($name ne "HEADER")) {
        print MAIL "$name: ";
        print MAIL "$value\n\n";
    }
}
print MAIL "\n";
close (MAIL);
```
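An added example, not part of the original post or the poster's script: one way to apply the controls asked for above to the script's DESTINO, EMAIL, NOME and ASSUNTO fields. It swaps the requested referrer/IP check for a recipient-domain check, because the Referer header is supplied by the client. The sub names, the hosted-domain list and the example.* values are assumptions constructed for illustration.

```perl
use strict; use warnings;

# Assumption: hosted domains would be loaded from a server-side file;
# a constructed list stands in for it here.
my %local_domain = map { lc($_) => 1 } qw(example.com example.org);

# A header value must be one line: CR/LF would let a field add Cc:/Bcc:.
sub clean_header {
    my ($v) = @_;
    return undef if !defined $v || $v =~ /[\r\n]/;
    $v =~ s/[\x00-\x1F\x7F]//g;       # drop remaining control bytes
    return $v;
}

# Escape HTML metacharacters before echoing a value into the reply page.
sub html_escape {
    my ($v) = @_;
    my %e = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;');
    $v =~ s/([&<>"])/$e{$1}/g;
    return $v;
}

# Accept a single plain address whose domain is hosted on this server.
sub valid_recipient {
    my ($addr) = @_;
    return undef unless defined $addr
        && $addr =~ /\A[A-Za-z0-9._+-]+\@([A-Za-z0-9.-]+)\z/;
    return $local_domain{lc($1)} ? $addr : undef;
}

# Return the mail headers, or undef if any field is rejected.
sub build_headers {
    my (%f) = @_;
    my $to = valid_recipient($f{DESTINO});
    my ($from, $name, $subj) = map { clean_header($f{$_}) } qw(EMAIL NOME ASSUNTO);
    return undef if grep { !defined $_ } $to, $from, $name, $subj;
    $name =~ tr/()\\//d;              # parentheses delimit the From comment
    return "To: $to\nFrom: $from ($name)\nSubject: $subj\n\n";
}

# Constructed sample submissions (not from the original thread).
my %ok  = (DESTINO => 'contato@example.com', EMAIL => 'visitor@example.net',
           NOME => 'Ana <b>', ASSUNTO => 'Question');
my %bad = (%ok, ASSUNTO => "Question\nBcc: other\@example.net");
print defined build_headers(%ok)  ? "accepted\n" : "rejected\n";
print defined build_headers(%bad) ? "accepted\n" : "rejected\n";
print html_escape($ok{NOME}), "\n";
# Sending: open(my $m, '|-', '/usr/lib/sendmail', '-oi', '--', $to) uses the
# list form of open, so no shell ever parses the recipient.
```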