Gossamer Forum

Autoresponder script security problem

Hello Everybody,
My provider always monitors all scripts before putting them in the cgi-bin folder, because of security.
And when I sent Cliff's formail with autoresponder CGI script to my provider, they answered me this:
"Sorry, but we can't install this script because there is a possibility of security bugs." They also said that the file "response.txt" is used by the HTML form, and that can be dangerous for security. "Except for this, all the other parts of the script are correct."

Now what I want you guys to help me with is to integrate the response.txt file into the script below; I would then remove the advanced function in the form which mentions autoresponder=response.txt.
Hope you guys understand what I mean.
===Cgi file content=======
#!/usr/bin/perl
##############################################################################
# Copyright 2001 BBSI #
# Created 14/4/01 #
##############################################################################

# Enter the location of sendmail.
$mailprogram = "/usr/lib/sendmail -t";

# Enter the fields that are required. They should each be in quotes and
# separated by a comma. If no fields are required, change the next line
# to @required = ();
@required = ('email','subject');

# Enter your e-mail address. Be sure to put a \ in front of the @.
# (user@domain.com becomes user\@domain.com)
$youremail = "webmaster\@stefan-doo.co.yu";


# Put the posted data into variables

read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
@pairs = split(/&/, $buffer);
foreach $pair (@pairs) {
($name, $value) = split(/=/, $pair);
$value =~ tr/+/ /;
$value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
$FORM{$name} = $value;
}

# Check for all required fields

foreach $check(@required) {
unless ($FORM{$check}) {
print "Content-type: text/html\n\n";
print "<html><head><title>Missing Information</title></head>\n";
print "<body><h1>Missing Information - IZOSTAVLJENA INFORMACIJA</h1>\n";
print "I'm sorry, but it would appear that you've forgotten to\n";
print "fill out the $check field. Please click\n";
print "back and try again.\n";
print "Zaboravili ste da popunite $check polje. Molim\n";
print "kliknite na dugme BACK i pokusajte ponovo.\n";
print "</body></html>\n";
exit;
}
}

# Check the senders email

if ($FORM{'email'}) {
unless ($FORM{'email'} =~ /\w+\@\w+\.\w+/) {   # minimal shape check: word@word.word (dot escaped)
print "Content-type: text/html\n\n";
print "<html><head><title>Bad E-mail</title></head>\n";
print "<body><h1>Bad E-mail - Nepravilna napisan e-mail</h1>\nThe e-mail address that you've\n";
print "entered, $FORM{'email'}, is invalid. Please click back and\n";
print "try again.\n";
print "E-mail adresa koju ste napisali, $FORM{'email'}, je nepravilna. Kliknite BACK\n";
print "i pokusajte ponovo.\n";
exit;
}
}

open (MAIL,"|$mailprogram");
print MAIL "To: $youremail\n";
print MAIL "From: $FORM{'email'}\n";
print MAIL "Subject: $FORM{'subject'}\n";
print MAIL "Hello. The following information has been submitted:\n\n";
print MAIL "Zdravo. Vas unos izgleda ovako:\n\n";
foreach $pair (@pairs) {
($name, $value) = split(/=/, $pair);
$value =~ tr/+/ /;
$value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
unless ($name eq "response" || $name eq "email" || $name eq "subject") {
print MAIL "$name: $value\n";
}
}
close MAIL;

# The file name below comes straight from the form field "response";
# this is the open() call that the replies in this thread discuss.
if ($FORM{'response'} && $FORM{'email'}) {
open (RESPONSE, $FORM{'response'});
@response = <RESPONSE>;
close(RESPONSE);
open (MAIL,"|$mailprogram");
print MAIL "To: $FORM{'email'}\n";
print MAIL "From: $youremail\n";
print MAIL "Subject: $FORM{'subject'} -- Autoresponse\n";
foreach $line (@response) {
print MAIL "$line";
}
print MAIL "Hvala vam. Vase pismo je stiglo na e-mail webmastera i administratora firme STEFAN doo.\n";
print MAIL "Odgovor cete dobiti u najkracem vremenu. Preporucujem da pogledate sledece sajtove:\n";
print MAIL "http://www.stefan-doo.co.yu i http://www.jasmil.co.yu\n";
print MAIL "Thank you. We recieved your e-mail, and we will answer as soon as possible.";
print MAIL "Please, visit these great sites:";
print MAIL "http://www.stefan-doo.co.yu and http://www.jasmil.co.yu";
close MAIL;
}

print "Content-type: text/html\n\n";
print "<html><head><title>Thank you!</title></head>\n";
print "<body><h1>Thank you! - HVALA!</h1>\nThanks for your input! \n";
if ($FORM{'response'} && $FORM{'email'}) {
print "You should receive an autoresponse shortly. U najkracem vremenu dobicete automaski e-mail.<p>\n";
}
print "Please click back. Kliknite na BACK.\n";
=====end content of the cgi file

==== the content of response.txt====
Thank you for contacting me.
this is an auto response to inform u that i've recieved your mail
Thanks
San
=====end Response.txt=====

Please help me add the content of the response.txt file into the script and remove the function which asks for the response.txt file, so that there are no security bugs.

Thanks in advance
San Trino

Re: Autoresponder script security problem
Change:

Code:
if ($FORM{'response'} && $FORM{'email'}) {
open (RESPONSE, $FORM{'response'});
@response = <RESPONSE>;
close(RESPONSE);
open (MAIL,"|$mailprogram");
print MAIL "To: $FORM{'email'}\n";
print MAIL "From: $youremail\n";
print MAIL "Subject: $FORM{'subject'} -- Autoresponse\n";
foreach $line (@response) {
print MAIL "$line";
}
to

Code:
if ($FORM{'response'} && $FORM{'email'}) {
open (MAIL,"|$mailprogram");
print MAIL "To: $FORM{'email'}\n";
print MAIL "From: $youremail\n";
print MAIL "Subject: $FORM{'subject'} -- Autoresponse\n";
print MAIL "Thank you for contacting me.\n";
print MAIL "This is an auto response to inform u that ";
print MAIL "i've recieved your mail\n";
print MAIL "Thanks\n";
print MAIL "San\n";
Installs: http://wiredon.net/gt
FAQ: http://www.perlmad.com

Re: Autoresponder script security problem
And for those that are curious, it's this:

open (RESPONSE, $FORM{'response'});

that is just awful. For instance, someone can enter 'response=/etc/passwd' into the form (or manually in the url), and have the system password file mailed to them. You could do much more and actually run system commands.

Ugly, ugly, ugly.

If you still want it in a file, you can tighten it up by saying:

my ($safe_file) = $FORM{response} =~ /^(\w+\.\w+)$/;
if (! $safe_file ) {
die "Hacker!";
}
open (RESPONSE, "< $safe_file") or die "Can't open: $safe_file ($!)";

Cheers,

Alex

--
Gossamer Threads Inc.
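As an added example (not code from the thread or from the formail script), here is Alex's check wrapped in a function, going one step further by pinning the file to a fixed directory and using the three-argument form of open; the directory path and the sample form values are assumed.

```perl
#!/usr/bin/perl
# Added example (not from the thread): Alex's check as a function, with the
# file pinned to a fixed directory and opened with three-argument open.
use strict;
use warnings;

my $RESPONSE_DIR = '/home/site/autoresponses';   # assumed, hypothetical path

# Only a bare "name.ext" of word characters passes (Alex's pattern), so
# paths, "..", pipes and redirections never reach open(). \A/\z instead
# of ^/$ also refuses a trailing newline; under perl -T this capture is
# what untaints the value.
sub safe_response_file {
    my ($untrusted) = @_;
    return undef unless defined $untrusted;
    my ($name) = $untrusted =~ /\A(\w+\.\w+)\z/;
    return defined $name ? "$RESPONSE_DIR/$name" : undef;
}

# Explicit '<' mode: $path is treated strictly as a file name, whereas the
# script's two-argument open() would honour a leading or trailing '|'.
sub read_response {
    my ($path) = @_;
    open(my $fh, '<', $path) or return undef;
    my @lines = <$fh>;
    close($fh);
    return \@lines;
}

# Constructed form values showing what the filter lets through.
my @inputs = (
    'response.txt',       # accepted
    '/etc/passwd',        # rejected: contains '/'
    '../response.txt',    # rejected: contains '/' and '..'
    'response.txt|',      # rejected: contains '|'
    "response.txt\n",     # rejected: trailing newline
);
for my $input (@inputs) {
    (my $shown = $input) =~ s/\n/\\n/g;
    my $path = safe_response_file($input);
    if (!defined $path) {
        print "$shown -> rejected\n";
        next;
    }
    my $lines = read_response($path);
    print "$shown -> accepted ($path): ",
        defined $lines ? scalar(@$lines) . " lines\n" : "file not present\n";
}
```

The accepted name still has to exist under the fixed directory, which is why the script reports "file not present" rather than failing open; everything else is refused before any file system call is made.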
Re: Autoresponder script security problem
Hello,
Thanks for the wonderful reply. It really worked. My providers have no objection now, but I'm facing a new problem.
Everything is correct about all the rest - I received e-mails on shainu.tian@yahoo.com. If something is not written correctly in the form, all alert messages are OK. BUT: the visitor doesn't receive the autoresponse message. That is the only problem. I see it this way:
By pressing on SEND button on the form.html page, there should be 3 jobs:
1) sending e-mail to me

2) redirect to the THANK YOU page (that is defined in the form.cgi file). I can't see this message "You should receive an autoresponse shortly ..." when that "Thank you" page appears.

3) autoresponse message to the visitor's e-mail address
This doesn't work. I think (I know very little about Perl) that some message must be sent to the user's address which he wrote in the form field "E-mail" on the form.html page.

All 3 jobs probably must be done at the same time (redirect to "Thank you", send e-mail to me, and send e-mail to the visitor (autoresponse)).

Please help me with this again. All the script is the same as above and I have done the changes as directed by Paul (thank you Paul).
Thanks again in advance

San Trino


Re: Autoresponder script security problem
....and just to prove......

http://www.wiredon.net/cliff.txt

Installations: http://www.wiredon.net/gt/