Preventing Hackers???

Anon

I had a perl formmail script on one of my web pages that got hacked. This form was a Matt Kruse script with lots of security holes. I didn't know any better because I just know enough Perl to get by and was advised to use this script by someone I thought new better. My SA took the script off the sight and won't let me put any more perl forms on there.

My SA tells me that PHP forms are more secure. My question is how and why are PHP scripts more secure than Perl scripts?

I found a PHP script that's supposed to fall right in and replace this particular script. It's called PHPFormMail and I found it a http://php.resourceindex.com/.

Does anyone know about this particular script and can anyone tell me why if my site has been targeted to this point that they couldn't also breach a PHP script.

balsdorf

Not being an expert in Perl I can't directly compare them. However, I know that even with really horrible PHP code it is difficult for someone to exploit it. With a php script that accesses a database it might be possible to view/change data that was supposed to be offlimits, but actually having a box hacked via a PHP script I have not heard of.

Anon

Thanks Bryan, After what happened with my script, I am really gunshy about any form mail type script so why they are more secure is a prime interest to me right now.

A little background. The hacker(s) got the path to my formmail script and sent out thousands of Life Insurance and Debt Consolidation adds to AOL accounts via my script. So, when they clicked replay, the emails were sent back to me and all the email headers said it came from me. I got hundreds of remove emails and many complaints to my server administrator and he cut off my cgi-bin privledges and won't let me put any more perl scripts on it. I only have permission to put PHP scripts out there until I can prove that I've plugged up all the security holes. I really don't care what I use as long as I get my form mail working again and securely this time.

Anon

You may wanna check back with Matts Scripts. The old FormMail.pl (or fmail.pl) script allowed anyone to send through it, which essentially created an open relay system. He has upgraded the script since and you now have to specify the host that the mail comes from. I don't remember the version numbers though.

Anon

You could also put a simple check for HTTP_REFERRER at the beginning of the script to check whether the request is coming from the page with your form.

Raoul

Anon

Matt's formmail script does have a feature that allows for defining referrers that are allowed to make use of the script. However this can be defeated by a hacker because the $HTTP_REFERER is an environment variable sent by the browser. They could make their own program that posts to the page using an acceptable $HTTP_REFERER. Therefore, that method doent offer much protection.

What is the formmail script supposed to do?

adavis

This is exactly what happened. The emails looked like they were coming from me. I got some very kind AOL people to forward these spam emails back to me. I checked all the headers and had some people much more knowledgable than myself do the same thing. We all came to the same conclusion. The emails came from my webpage, but I did't send them, so a hacker did exactly what you said in the message above.

van__

Sounds like was a script kiddie rather than a hacker... or more appropriately cracker, since hackers don't actually break into or exploit services except for in the movies.

Anyway, PHP is on it's face more secure.
Why?

Because PHP is a higher level language than perl. Higher means that it is farther removed from the actual system resources that it interfaces with and has wrappers that handle every little task for it. The security depends on the interface wrappers being secure. While Perl, though not as low a language as say C or Java does act as a very low language on your shell, and thus can be exploited to command some nasty processes if care is not taken.

[deleted]

Well who ever did this was sending emails out with me email address in the From: line advertising Life Insurance and Debt Consolidation with accompaning links. The links went to some pretty snazzy looking single page websites which contained forms to request info.

I mostly understand what you're saying about the security of the languages but if there's a PHP script that's supposed to just fall into the Matt Kruse formmail script with the same hidden fields being passed and all, wouldn't the hole still be there. Also, the script I used did have the proper refers set. Now if PHP act kind of like ASP and you can embed it in your html, then I understand the improved security there.

Thanks for the advise,
Alisa

van__

Well as with any security concern, the level of protection is up to you.

Do you place your scripts in a protected area or do you just leave them out in the open for anyone to play with?

As with anything else, it's up to you to look after your own belongings. There is no hack proof script out there. So take care to put anything that would potentially allow a user to access certain features that may be detrimental in a restricted area where only authorized users are allowed.

If that's not possible, then you need to look at custom solutions rather than relying on free scripts that are public domain.

The real weakness here is that a public domain script, especially ones that are popular as they are easily exploited since the source code is easily gotten ahold of to analyze for vulnerability.

So as long as you use code that is free and not part of a real open source community project (such as a free script left to die on a script archive) then you are chancing a break in by the next script kiddie who finds your toys out in the open.