Web Hosting Forums

This is a discussion on Form Security in the Hosting Talk & Chit-chat forum

  1. #1
    Old Hillbilly Connie
    Join Date
    Sep 2001
    Location
    Hills of Missouri
    Posts
    2,491

    Form Security

    I set up a contact form the other day for a new website using the latest version of Matt's FormMail script.

    I've never used a contact form before, and I have a couple of questions in regard to security.

    I renamed the script, but on the form page I have to list the script location. So how is that secure?

    Even though I listed the email address in the form script, I have to list it on the form page or I get an error.

    I know hacker bots are usually searching the cgi-bin for certain file names, but what keeps them from using a bot to search for form pages, and get the file name off the form page?

    Wouldn't that allow them access to the script?

    In regard to email scrapers, I know they are usually looking for a mailto link, but why couldn't they program a bot to search form pages for a send-to email address?

  2. #2
    Community Leader jason
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    5,884
    Yes, Connie, there are still holes in the FormMail setup. Band-aids are intended to help prevent infection, they don't guarantee against it.

    There are many, many bots out there that just try various common "formmail" addresses, like /formmail.cgi, /cgi-bin/formmail.cgi, /formmail.pl, etc., so changing the file name prevents against those. It doesn't prevent bots that scan pages looking for forms. Back when the formmail exploits were at their prime the bots weren't generally that sophisticated, but they are becoming smarter and smarter by the day. And there are bots that scan for anything that looks like an email address on a page, regardless of whether it's in a mailto link or otherwise.

    I personally haven't used FormMail in many years. Instead I write my own scripts that don't expose email addresses on the client side. Since I know that's probably out of your league, perhaps consider using a different form-to-mail script. There are a ton out there. I believe that I even once saw a derivative of Matt's formmail that matched a list of identifiers to email addresses so that you could just use a generic identifier instead of putting the whole email address in the form. Another common method that I've seen used is to obscure the email address using HTML entities (the &#...; codes). Although I consider this a pretty weak defense (it would be rather trivial for a bot to decode the entities) it will deter some of the dumber bots.

    Computer security is a moving target. What is a best practice one day can literally be obsolete the next.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com
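The two ideas in Jason's reply, a server-side table that maps a short identifier to the real address so the form page never carries an email address, and the &#...; entity trick (shown here together with how trivially it decodes), as an added example in Python. This is not code from Matt's FormMail, nms FormMail or Jason's own scripts; the RECIPIENTS table, the example.com addresses and the helper names are constructed for illustration. It also refuses line breaks in header fields, the usual way a form-to-mail script gets turned into an open relay, which the thread calls the FormMail "holes".

```python
import html
import re
from email.message import EmailMessage

# Constructed mapping (hypothetical): the form's hidden field carries only
# the key, e.g. "sales"; the real address lives here and never reaches the browser.
RECIPIENTS = {
    "sales": "sales@example.com",
    "support": "support@example.com",
}

# A CR or LF inside a header value would let the submitter append their own
# headers (extra To/Bcc lines) to the outgoing mail, so such values are refused.
_HEADER_BREAK = re.compile(r"[\r\n]")
_KEY = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")
_ADDRESS = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def resolve_recipient(key):
    """Map a form-supplied identifier to an address; anything not in the table is refused."""
    if not _KEY.match(key or ""):
        raise ValueError("malformed recipient key")
    try:
        return RECIPIENTS[key]
    except KeyError:
        raise ValueError("unknown recipient key") from None


def clean_header(value, limit=200):
    """Strip and length-check a single-line header value, rejecting embedded line breaks."""
    value = (value or "").strip()
    if _HEADER_BREAK.search(value):
        raise ValueError("line break in header field")
    if len(value) > limit:
        raise ValueError("header field too long")
    return value


def build_message(fields):
    """Turn submitted form fields into an EmailMessage ready to hand to an SMTP client."""
    msg = EmailMessage()
    msg["To"] = resolve_recipient(fields.get("recipient"))
    msg["From"] = "webform@example.com"  # fixed sender, never taken from the form
    reply_to = clean_header(fields.get("email"))
    if reply_to:
        if not _ADDRESS.match(reply_to):
            raise ValueError("malformed reply address")
        msg["Reply-To"] = reply_to
    msg["Subject"] = clean_header(fields.get("subject")) or "Website contact"
    msg.set_content(fields.get("message", ""))  # body is content, not a header
    return msg


def entity_encode(address):
    """The &#...; obfuscation from the reply: every character as a numeric entity."""
    return "".join(f"&#{ord(c)};" for c in address)


def entity_decode(text):
    """One standard-library call undoes the obfuscation, which is why it only stops naive bots."""
    return html.unescape(text)


if __name__ == "__main__":
    # Constructed form submission, as a browser would POST it.
    submission = {
        "recipient": "support",
        "email": "visitor@example.org",
        "subject": "Question about hosting",
        "message": "Hello, I have a question.",
    }
    print(build_message(submission))
    print(entity_encode("sales@example.com"))
```

Because the address comes from RECIPIENTS and not from the request, a page scraper that reads the form only learns the word "support", and a submitter who tampers with the hidden field can at most pick another key from the table.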

  3. #3
    Old Hillbilly Connie
    Join Date
    Sep 2001
    Location
    Hills of Missouri
    Posts
    2,491
    Thanks Jason. I'll look for another form.

  4. #4
    Loyal Client
    Join Date
    Nov 2005
    Posts
    0
    A drop-in replacement for Matt's script, with much better security, can be found here, called nms FormMail.
