From: Jonathan S. <jn...@ge...> - 2004-08-11 14:45:02

On Tue, 2004-08-10 at 06:39, webmaster wrote:
(I wrote):
>
> > it would be better to have a redirect configured in the .trc file
> > - or indeed have TFmail.pl actually have another potential template
> > that could be filled out from the GET request query string - that way
> > it would be possible for people to create links to a form with some
> > of the fields filled in or with a different config or other things
> > that I can't think of at the moment.
>
> Those could indeed be very useful.

The latest version of TFmail has just been uploaded to

http://nms-cgi.sf.net/scripts.shtml

it includes the option to return a 405 status on a GET request, redirect to another page or display a template. This is all documented in the README.

/J\

From: Jonathan S. <jn...@ge...> - 2004-08-10 09:11:05

On Tue, 2004-08-10 at 06:39, webmaster wrote:
> Jonathan Stowe wrote:
>
> > On Mon, 2004-08-09 at 17:17, webmaster wrote:
> >
> >> webmaster wrote:
> >>
> >> 1. conditionally rewrite the url to the TFmail script if request
> >> method is not post.
> >>
> >> 2. create error405.php
> >
> > It could be done by changing the single line:
> >
> > die 'request method must be "POST"';
> >
> > to:
> >
> > print $treq->cgi()->header(-status => 405);
> > exit;
>
> Thanks for the tip. I tried to implement it, but the results were a
> little strange. The response from the server after the change was
> "HTTP/1.1 405 OK". Only the numeric code has changed; the text message
> is the same. That's a bit confusing, I think.
>

Yes, it is server dependent on what the string is - changing the numeric 405 to the quoted string '405 Request Method Not Allowed' will do the trick.

> I also tested it by changing the code in the script to 403, and got
> similar results: "HTTP/1.1 403 OK".
>
> > and creating the appropriate 405 error page if required.
>
> I've configured Apache to use 405.php as my error page for 405 errors,
> but it is not used when I access TFmail with GET.
>
> > it would be better to have a redirect configured in the .trc file
> > - or indeed have TFmail.pl actually have another potential template
> > that could be filled out from the GET request query string - that way
> > it would be possible for people to create links to a form with some
> > of the fields filled in or with a different config or other things
> > that I can't think of at the moment.
>
> Those could indeed be very useful.
>

Well the latest development version of TFmail.pl in the CVS now has this functionality, we are aiming to make a release sometime this week. If you have access to CVS then you can get it using the instructions here:

http://sourceforge.net/cvs/?group_id=39625

for some reason the "browse cvs repository" function isn't up to date.

> > Anyway thanks for your input
>
> Sure. I hope I didn't just add more noise.

From: Jonathan S. <jn...@ge...> - 2004-08-09 16:36:14

On Mon, 2004-08-09 at 17:17, webmaster wrote:
> webmaster wrote:
>
> >>> Application Error
> >>>
> >>> An error has occurred in the program
> >>> request method must be "POST"
>
> > I think sending "405 method not allowed" is the best course
> > of action.
>
>
> I've come up with a bit of a hack to generate the correct response,
> and thought I'd share it with the list. This hack requires Apache,
> mod_rewrite, and PHP. There are 2 steps:
>
> 1. conditionally rewrite the url to the TFmail script if request method
> is not post. I'll assume that TFmail is located in /cgi-bin/
>
> RewriteEngine on
> RewriteBase /
> RewriteCond %{REQUEST_METHOD} !POST
> RewriteRule ^cgi-bin/TFmail.pl$ /error405.php [L]
>
>
> 2. create error405.php, and add the following at the top, *before*
> any html is sent out
>
> <?php
> header("Content-Type: text/html; charset=ISO-8859-1", "true", "405");
> ?>
>
> Set the charset to whatever you use. The second argument ensures
> that PHP replaces any content-type header it might have sent out.
> The "405" tells PHP to send that code as the http response code.
>

It could be done by changing the single line:

    die 'request method must be "POST"';

to:

    print $treq->cgi()->header(-status => 405);
    exit;

and creating the appropriate 405 error page if required.

>
>
> If TFmail users would prefer that a GET request simply return the user
> to the contact form page, you can modify step (1) above and skip step
> (2). Thus, this solution requires only Apache and mod_rewrite. Let's
> assume that the form is located at /contactform.html
>
>
> RewriteEngine on
> RewriteBase /
> RewriteCond %{REQUEST_METHOD} !POST
> RewriteRule ^cgi-bin/TFmail.pl$ /contactform.html [R,L]
>
>
> Users may want to send a permanent redirect in such cases. Consult the
> Apache manual for details on how to fine tune this.

I think that in this case it would be better to have a redirect configured in the .trc file - or indeed have TFmail.pl actually have another potential template that could be filled out from the GET request query string - that way it would be possible for people to create links to a form with some of the fields filled in or with a different config or other things that I can't think of at the moment.

Anyway thanks for your input

/J\

From: Jonathan S. <jn...@ge...> - 2004-08-09 12:16:43

I've copied this to the developers list in case anyone has the time to make the change, document it and then do a release.

On Fri, 2004-08-06 at 20:17, Brett Johnson wrote:
> I guess you're right about the formatting, so this will take a slight turn here.
>
> Just because you CAN doesn't mean you SHOULD.
>

Oh, I'm with you there - on further inspection it appears that we inherited the format of the e-mail address from the MSA FormMail that ours is intended to replace. I would have suggested that you look at the NMS TFmail which is really where the focus of our development is going as far as Form to Email programs - but I see that this has the same formatting as well.

I think what we would like to do would be to make the formatting optional, so that we could have by default the current style and by altering the configuration the more conventional "Display Name <address>" format (the option being disabled when $emulate_matts_code is set to true). Of course somebody may have a better idea.

The change is in itself trivial, but documentation has to be changed, test suites updated and a new release made which is probably the best part of somebody's day .... now if we were to get a patch for some of this stuff...

Anyway thanks for your feedback.

/J\

From: Jonathan S. <jn...@ge...> - 2004-08-09 11:39:44

On Fri, 2004-08-06 at 18:23, webmaster wrote:
> I'm testing TFmail.pl, and have got it to work when I use a contact
> form. The message is sent, the success page is presented to the client.
> But I'm trying to account for all possibilities. Suppose someone
> bookmarks the page to remind themselves of their message, and tries to
> return to it in a later browser session? Here's the error that comes up:
>
>
> Application Error
>
> An error has occurred in the program
>
> request method must be "POST" at /home/julie/bonfete/cgi-bin/TFmail.pl
> line 116.
>
>
> Has anyone come up with a more graceful way to handle this problem? I
> suppose I could configure Apache to disallow any method but post on the
> script, but that just replaces one error message for another.

To be honest there is one school of thought that suggests that we are being too nice as it is - that the program should simply give the appropriate status code for "Request method not allowed" and let the server decide what to do. However I have considered that it might be useful to actually be able to specify a template that can be used for a GET request - this could simply be the form itself or something else.

The problem with these things is that it seems that none of the developers have much time for anything other than urgent bug-fixes at the moment - I have copied the developers list in case there is anyone with spare time.

/J\

From: SourceForge.net <no...@so...> - 2004-08-04 15:13:31

Support Requests item #1003344, was opened at 2004-08-04 15:13
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=425770&aid=1003344&group_id=39625

Category: Install Problem (example)
Group: v1.0 (example)
Status: Open
Resolution: None
Priority: 5
Submitted By: Josh Berry (joshberry)
Assigned to: Nobody/Anonymous (nobody)
Summary: Permission Denied Problem

Initial Comment:
Hi,

I am trying to get TFMail working but no matter what I do I get the error:

    Forbidden
    You don't have permission to access /tickets/cgi-bin/TFmail.pl on this server.

Now, I have checked my permissions and they look correct:

    training@cgi02 cgi-bin $ ls -al | grep TFmail
    total 188
    -rwxrwxrwx 1 training cgishell 20461 Aug 4 15:46 TFmail.pl
    -rwxrwxrwx 1 training cgishell 15029 Nov 17 2002 TFmail_config.pl
    training@cgi02 cgi-bin $ pwd
    /xxxxx/xxxxx/training/tickets/cgi-bin

And I am in the correct directory but each time I get permission denied. Has anyone else had a similar problem? I have asked the system administrator and they have confirmed that this should work.

TIA

Josh

From: Neil W. <li...@co...> - 2004-07-23 21:32:27

On Friday 23 July 2004 11:31, Jonathan Stowe wrote:
> It would be great if you could, ideally as a patch against the latest
> versions from the CVS if possible but otherwise however is easiest to
> do. Alternatively if you want to contribute your code
> and you have a sourceforge ID we can add you as a developer and you can
> stick the stuff into the CVS yourself!

Done. I've made an extra config setting for extra_strict - this was because my settings are a little draconian for some forum sites and although useful, it may be too much for some. I've also reversed the sort on by_num so that the most recent messages are at the top. By staying vigilant with your forum, by_num makes it easy to spot messages that try and hide by being follow-ups to old messages way down the normal remove list.

@bannedwords is not part of the $extra_strict config and does have a few words preset. It's at the bottom of the config section. This is active by default with my update.

Other minor changes to improve W3C validity of the output of wwwadmin (can't do much with wwwboard, the <ul> handling is a problem) and to increase the accessibility of the admin output - it's not good to have radio buttons with no OFF switch - by default some browsers check the first radio button or refuse to submit the form if some radio buttons in the group are not checked. So I've added a None column.

There are changes to wwwadmin and wwwboard perl scripts, as well as the two README files.

The output is as www.codehelp.co.uk but I have changed the name of the wwwadmin script.

> It is also helpful if you have any changes to the README for any
> new configuration.

I've updated the README with details of extra_strict and the ADMIN_README to enhance the description of the remove_by_num section - this underrated function is the principal weapon in the move against spurious messages, as explained in the updated text.

--
Neil Williams
=============
http://www.codehelp.co.uk/
http://www.dclug.org.uk/
http://www.isbn.org.uk/
http://sourceforge.net/projects/isbnsearch/
http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3

From: Alex P. <ale...@zw...> - 2004-07-23 15:03:58

Hi,

I just want to share a fix I made to the original Matt-made FormMail after a spam attack. I recoded the script to contain a list of aliases and real addresses I allow sending to:

    %nickname = ( 'JoanM'=>'Joa...@do...' ,
                  'purchasing'=>'Ja...@do...' ) ;

And added some code to convert aliases back when a form is submitted:

    ## nickname security fix - AP
    my @to_split = split(/:/,$Config{'recipient'}) ;
    foreach (@to_split) { ## collect addresses by nickname
        push (@to_collected,$nickname{$_}) if ($nickname{$_}) ;
    }
    $Config{'recipient'} = join(',',@to_collected) ;

I used colon as the separator, but comma would also work. The security comes from the fact that no spammer submitted address will ever match an alias. I also ended up renaming FormMail to NickMail as spammers look for that in the HTML on sites to try and find vulnerable servers.

What also helps is that when you run a site where five forms point at 'purchasing' and a new staffer takes over you just edit one alias definition. I run a one purpose web server, but it would be possible to extend this to use an alias list in a user's home directory for ISPs providing hosting and a standard collection of scripts.

I can't speak to a similar fix for the web board.

Hope that's helpful to someone,

Alex

Jonathan Stowe <jn...@ge...> wrote:
>
> We've been seeing quite a number of reports on the support list of
> people seeing high volumes of attempted spam exploits against FormMail
> recently and from some of the reports it appears that the spammers may
> be using open proxies. Now it occurs to me that it would be relatively
> simple to implement a check on the http client via one of the DNSBLs
> that list open proxies such as xml.spamhaus.org
> (http://www.spamhaus.org/xbl/index.lasso) an example of Perl code that
> does this kind of check can be seen at:
>
> http://www.unicom.com/sw/blq/
>
> as you can see all of this can be achieved using core modules.
>
> We could add this as an optional safeguard to all of the programs that
> are prone to being targeted by spammers and the like, I would see it as
> probably refusing to accept the request without giving a reason (or
> would it be better to pretend to accept the request and just take no
> further action?)
>
> Anyway does anyone have any feelings about this? Are there any drawbacks
> to implementing a check like this?
>
> /J\

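The alias approach Alex describes, as an added example (not code from the post or from NMS): the outgoing address list is built only from values in the table, and this variant refuses the whole request if any submitted token is not an alias, which is stricter than the posted snippet. The alias names, the example.org addresses and the recipient cap are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed alias table: the only addresses this form handler may mail.
# Names and addresses are placeholders, not values from the original post.
my %nickname = (
    JoanM      => 'joan@example.org',
    purchasing => 'buyer@example.org',
);
my $MAX_RECIPIENTS = 5;    # assumed cap, chosen for this example

# Turn the submitted 'recipient' field into a list of real addresses.
# Only exact alias matches are accepted; every other token is reported
# back as rejected so the caller can refuse the request.
sub resolve_recipients {
    my ($submitted) = @_;
    my (@accepted, @rejected, %seen);
    $submitted = '' unless defined $submitted;
    for my $token (split /[:,]/, $submitted) {
        $token =~ s/^\s+|\s+$//g;
        next if $token eq '';
        if (exists $nickname{$token}) {
            my $addr = $nickname{$token};
            push @accepted, $addr unless $seen{$addr}++;
        }
        else {
            push @rejected, $token;
        }
    }
    # Too many recipients is treated as a failed request, not truncated.
    @accepted = () if @accepted > $MAX_RECIPIENTS;
    return (\@accepted, \@rejected);
}

# Constructed submissions: two normal form posts, a raw address supplied
# by a spammer, an attempt to smuggle an extra header into the field, and
# a valid alias mixed with a raw address.
my @samples = (
    'purchasing',
    'JoanM:purchasing',
    'victim@example.net',
    "purchasing\r\nBcc: victim\@example.net",
    'purchasing,victim@example.net',
);

for my $raw (@samples) {
    my ($ok, $bad) = resolve_recipients($raw);
    # Make control characters visible in the report line.
    (my $shown = $raw) =~ s/([^\x20-\x7e])/sprintf('\\x%02x', ord $1)/ge;
    if (@$ok && !@$bad) {
        print "SEND   [$shown] -> ", join(',', @$ok), "\n";
    }
    else {
        # Any unknown token fails the whole request; nothing is mailed.
        print "REFUSE [$shown] unknown tokens: ", scalar(@$bad), "\n";
    }
}
```

Because the recipient header is assembled from table values only, nothing the client sends, including CR/LF sequences, can reach the mail headers through this field.
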
From: Jonathan S. <jn...@ge...> - 2004-07-23 13:43:46

We've been seeing quite a number of reports on the support list of people seeing high volumes of attempted spam exploits against FormMail recently and from some of the reports it appears that the spammers may be using open proxies. Now it occurs to me that it would be relatively simple to implement a check on the http client via one of the DNSBLs that list open proxies such as xml.spamhaus.org (http://www.spamhaus.org/xbl/index.lasso) an example of Perl code that does this kind of check can be seen at:

http://www.unicom.com/sw/blq/

as you can see all of this can be achieved using core modules.

We could add this as an optional safeguard to all of the programs that are prone to being targeted by spammers and the like, I would see it as probably refusing to accept the request without giving a reason (or would it be better to pretend to accept the request and just take no further action?)

Anyway does anyone have any feelings about this? Are there any drawbacks to implementing a check like this?

/J\

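A sketch of the open-proxy check proposed above, using only core Perl (added here as an example; it is not the blq code linked in the message and not part of NMS). It also bears on the drawbacks question: answers outside 127.0.0.0/8 are not treated as listings, and a failed or empty lookup lets the request through. The zone `dnsbl.example.org` and the stubbed DNS table are constructed so the script runs offline.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Socket qw(inet_ntoa);

# Build the DNSBL query name: octets reversed, then the list's zone.
# Returns nothing unless $ip is a plain dotted-quad IPv4 address.
sub dnsbl_query_name {
    my ($ip, $zone) = @_;
    return unless defined $ip
        && $ip =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/;
    my @octets = ($1, $2, $3, $4);
    return if grep { $_ > 255 } @octets;
    return join('.', reverse(@octets), $zone);
}

# Live resolver using only core functions; returns dotted-quad answers,
# or an empty list when the name does not resolve.
sub resolve_a {
    my ($name) = @_;
    my (undef, undef, undef, undef, @addrs) = gethostbyname($name);
    return map { inet_ntoa($_) } @addrs;
}

# Verdict for one client address (in a CGI this is $ENV{REMOTE_ADDR}):
#   'listed'     - the zone returned an answer inside 127.0.0.0/8
#   'not-listed' - no answer, lookup failure, or the client is not IPv4
#   'ignored'    - an answer outside 127.0.0.0/8, e.g. from a resolver
#                  that rewrites NXDOMAIN; counting it as a listing
#                  would block every visitor
sub dnsbl_verdict {
    my ($ip, $zone, $resolver) = @_;
    $resolver ||= \&resolve_a;
    my $qname = dnsbl_query_name($ip, $zone);
    return 'not-listed' unless defined $qname;
    my @answers = $resolver->($qname);
    return 'not-listed' unless @answers;
    my $hits = grep { /\A127\./ } @answers;
    return $hits ? 'listed' : 'ignored';
}

# Constructed zone data standing in for live DNS.
# 'dnsbl.example.org' is a placeholder zone name.
my $ZONE     = 'dnsbl.example.org';
my %fake_dns = (
    "7.2.0.192.$ZONE"    => ['127.0.0.4'],       # listed client
    "9.100.51.198.$ZONE" => ['203.0.113.80'],    # rewritten NXDOMAIN
);
my $stub = sub { @{ $fake_dns{ $_[0] } || [] } };

for my $client (qw(192.0.2.7 192.0.2.8 198.51.100.9 ::1 999.1.1.1)) {
    printf "%-14s %s\n", $client, dnsbl_verdict($client, $ZONE, $stub);
}
```

Omitting the third argument to `dnsbl_verdict` switches to the live resolver, which adds one DNS round trip to every form submission.
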
From: Jonathan S. <jn...@ge...> - 2004-07-23 10:32:12

On Fri, 2004-07-23 at 10:12, Neil Williams wrote:
> I can send you my wwwboard and wwwadmin but unfortunately, I won't be able to
> do much else for a while, I've got too much else on.

It would be great if you could, ideally as a patch against the latest versions from the CVS if possible but otherwise however is easiest to do. It is also helpful if you have any changes to the README for any new configuration. Alternatively if you want to contribute your code and you have a sourceforge ID we can add you as a developer and you can stick the stuff into the CVS yourself!

Thanks!

/J\

From: SourceForge.net <no...@so...> - 2004-07-14 10:28:14

Feature Requests item #614000, was opened at 2002-09-24 19:24
Message generated for change (Comment added) made by gellyfish
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=425772&aid=614000&group_id=39625

Category: None
Group: None
>Status: Closed
Priority: 5
Submitted By: Lochmatter Thomas (lochmatter)
Assigned to: Nobody/Anonymous (nobody)
Summary: Better referer check in formmail

Initial Comment:
For a "secure" referer check, the formmail script should download the original html file with the form and compare some of the submitted information, namely the receiver email address. As it is widely known, the referer can be easily changed by a hacker and a simple referer check only makes it a bit more difficult to misuse the formmail script, but still possible.

Could you implement this check in your script?

- Thomas Lochmatter

----------------------------------------------------------------------

>Comment By: Jonathan Stowe (gellyfish)
Date: 2004-07-14 10:28

Message:
Logged In: YES
user_id=313586

We don't believe the referer check is a particularly strong security measure in the first place and its usefulness is being eroded by the use of personal firewalls that commonly block the Referer information.

----------------------------------------------------------------------

From: SourceForge.net <no...@so...> - 2004-07-14 10:25:59

Feature Requests item #969225, was opened at 2004-06-08 21:24
Message generated for change (Comment added) made by gellyfish
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=425772&aid=969225&group_id=39625

Category: None
Group: None
>Status: Closed
Priority: 5
Submitted By: Joseph Sheehan (jrsheehan)
Assigned to: Nobody/Anonymous (nobody)
Summary: Image Gallery

Initial Comment:
I'd like to use a very secure image gallery for my website. After reading about all of the insecurities with all of the other sites, I'm less trusting about the security of the one I am currently using (My Photo Gallery). I don't believe it would be too difficult, although I haven't started trying it yet. Has anyone else on this list considered this? If so, has any work been done on it?

----------------------------------------------------------------------

>Comment By: Jonathan Stowe (gellyfish)
Date: 2004-07-14 10:25

Message:
Logged In: YES
user_id=313586

We do have a gallery program in the CVS but no-one has really taken up the ball with it yet so little work has been done to bring it to a full release - this largely because we don't have any standard set of requirements for an image gallery type program. Of course if you want to contribute ....

----------------------------------------------------------------------

From: SourceForge.net <no...@so...> - 2004-07-14 10:23:28

Feature Requests item #974347, was opened at 2004-06-17 00:04
Message generated for change (Comment added) made by gellyfish
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=425772&aid=974347&group_id=39625

Category: None
Group: None
>Status: Closed
Priority: 5
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Nobody/Anonymous (nobody)
Summary: Support for GPG encryption

Initial Comment:
One thing missing is support for encrypting the body of the email. This feature is available in Matt's formmail (http://www.mattsscripts.co.uk/mattfm.htm), but I prefer the security and features of NMS.

----------------------------------------------------------------------

>Comment By: Jonathan Stowe (gellyfish)
Date: 2004-07-14 10:23

Message:
Logged In: YES
user_id=313586

Thanks for this. We have been asked about providing the ability to encrypt the mail messages before. The problem we have is that the ability to use gpg/pgp relies on the user having access to the shell on the machine their web site is on which I would guess is a very small minority of people with web sites. Ideally we would be able to implement some sort of encryption that did not require any external dependencies - but no-one has come forward to take up the challenge of implementing it.

----------------------------------------------------------------------

From: Jonathan S. <jn...@ge...> - 2004-07-14 09:45:03

On Tue, 2004-07-13 at 12:11, Kevin Lloyd wrote:
> Is there any possible way to, in addition to sending all the regular
> fields from our form to an email address, send just 1 field to say...a
> pager email address? We don't want to get the whole long list of field
> entries in the pagers as they charge by characters.
>

Unfortunately no, not within the same configuration of the program as it stands, however I can see that the ability to have a recipient to template map in NMS TFmail might be quite a useful feature - I have CCd this to the developers list to see if there is anyone who has time to take up the challenge.

Of course this doesn't solve your immediate problem. A work around if you are using the NMS TFmail would be to have your confirmation page as a second form with all the details in hidden fields and with a different config file that specifies a mail template for sending to the pager. So you have a first configuration that specifies the normal address and when the user clicks submit the mail is sent to that and then they are taken to the confirmation page and when they click submit on that page the mail is sent (using a different template) to the pager address.

Hope that makes sense.

/J\

From: SourceForge.net <no...@so...> - 2004-06-17 00:04:21

Feature Requests item #974347, was opened at 2004-06-16 17:04
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=425772&aid=974347&group_id=39625

Category: None
Group: None
Status: Open
Priority: 5
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Nobody/Anonymous (nobody)
Summary: Support for GPG encryption

Initial Comment:
One thing missing is support for encrypting the body of the email. This feature is available in Matt's formmail (http://www.mattsscripts.co.uk/mattfm.htm), but I prefer the security and features of NMS.

----------------------------------------------------------------------

From: Dave C. <da...@da...> - 2004-06-10 16:45:43

On Wed, Jun 09, 2004 at 02:05:13PM -0500, Joseph R. Sheehan wrote:
> I'm wondering if anyone on this list has pondered creating a highly
> secure image gallery (similar to Gallery, but in Perl). There are a lot
> of image galleries written in perl (Eight, My Photo Gallery, etc).
> However, I'm unfamiliar with them with respect to security.
>
> I know that an image gallery was never part of Matt's Script archive,
> but I'm wondering if creating one has ever been considered. I'm
> hacking around the one I'm using now, but I'm not an expert on CGI
> security.

There is an early version of a gallery script in our CVS repository, but as I didn't write it, I don't know how close it is to being release-ready.

We are all volunteers, so adding new programs is dependent on one of us having some spare time.

Dave...

--
Stab a sorry heart
With your favourite finger

From: Joseph R. S. <jr...@ex...> - 2004-06-09 19:06:34

I'm wondering if anyone on this list has pondered creating a highly secure image gallery (similar to Gallery, but in Perl). There are a lot of image galleries written in perl (Eight, My Photo Gallery, etc). However, I'm unfamiliar with them with respect to security.

I know that an image gallery was never part of Matt's Script archive, but I'm wondering if creating one has ever been considered. I'm hacking around the one I'm using now, but I'm not an expert on CGI security.

Thanks

Joe

Joseph Sheehan
Systems Science and Mathematics
Washington University in St Louis
jr...@ce...

From: SourceForge.net <no...@so...> - 2004-06-08 21:25:00

Feature Requests item #969225, was opened at 2004-06-08 16:24
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=425772&aid=969225&group_id=39625

Category: None
Group: None
Status: Open
Priority: 5
Submitted By: Joseph Sheehan (jrsheehan)
Assigned to: Nobody/Anonymous (nobody)
Summary: Image Gallery

Initial Comment:
I'd like to use a very secure image gallery for my website. After reading about all of the insecurities with all of the other sites, I'm less trusting about the security of the one I am currently using (My Photo Gallery). I don't believe it would be too difficult, although I haven't started trying it yet. Has anyone else on this list considered this? If so, has any work been done on it?

----------------------------------------------------------------------

From: Dave C. <da...@da...> - 2004-05-30 17:39:54

Those of you on the cvs commit mailing list or who have visited the site in the last half hour will have seen that I've done a bit of work on the web pages this afternoon.

My main priority was to make the front page look a little less imposing and make it easier to find stuff on the site. I've done that by making the front page a lot simpler and breaking a lot of stuff out into smaller separate pages.

I've also changed the site so it's now all generated from a series of Template Toolkit templates. My next plan is to do some work on the page that lists the page so that all of the README files are readable from the web.

One particular page that I put a lot of work into was the support page at http://nms-cgi.sourceforge.net/support.html. I've tried to reword it to make it easier for people to find the answers to their questions without bothering the support list. If you can suggest any improvements, then now would be a good time to speak up.

Any other suggestions for improvements or things that I've broken in older browsers would also be appreciated.

Cheers,

Dave...

--
We are far too young and clever

From: Jonathan S. <gel...@ge...> - 2004-05-10 16:45:15

On Mon, 2004-05-10 at 14:12, Giovanni Antico wrote:
> I've used: NMS FormMail Version 3.12c1
> should I try with 3.12m1?
>

I'm afraid 3.12c1 (and m1 which is just the non-inlined version of c1) display this, er, bug, which appears to have manifested itself in the first release of the modularised version of FormMail. Unless anyone can think of a good reason for it to be missing I will see to putting it back this week at some point.

> Thank you very much for your support.
>
> PS
> If you try on www.alt123.com the form on the left at the middle of the page, you can see that it keeps giving me back the html pop-up even if "$no_content= 1";
>
> Giovanni Antico
> g.a...@al...
> www.alt123.com
> tel (+39) 347.8111904
>
>
> ----- Original Message -----
> From: "Jonathan Stowe" <jn...@ge...>
> To: "Giovanni Antico" <g.a...@al...>
> Cc: "NMS-CGI-Support" <nms...@li...>
> Sent: Monday, May 10, 2004 2:37 PM
> Subject: Re: [Nms-cgi-support] no_content
>
>
> > On Sat, 2004-05-08 at 16:42, Giovanni Antico wrote:
> > > I've set no_content = 1, but it keeps returning the HTML confirmation
> > > even if no redirect is set. Did I do something wrong or is this a bug?
> > > thank you
> >
> > What version of FormMail do you have? It appears that there may be a
> > bug in some versions that stop this from working.
> >
> > >
> > > $DEBUGGING = 0;
> > > $emulate_matts_code= 0;
> > > $secure = 1;
> > > $allow_empty_ref = 1;
> > > $max_recipients = 5;
> > > $mailprog = '/usr/lib/sendmail -oi -t';
> > > $postmaster = 'in...@al...';
> > > @referers = ('www.alt123.com', '64.207.153.22');
> > > @allow_mail_to = ('in...@al...', 'giv...@al...',
> > > 'localhost');
> > > @recipients = ();
> > > %recipient_alias = ();
> > > @valid_ENV = qw(REMOTE_HOST REMOTE_ADDR REMOTE_USER
> > > HTTP_USER_AGENT);
> > > $locale = 'it_IT';
> > > $charset = 'iso-8859-1';
> > > $date_fmt = '%A, %B %d, %Y at %H:%M:%S';
> > > $style = '/css/nms.css';
> > > $no_content = 1;
> > > $double_spacing = 1;
> > > $wrap_text = 0;
> > > $wrap_style = 1;
> > > $send_confirmation_mail = 0;
> > > $confirmation_text = <<'END_OF_CONFIRMATION';
> > >
> > >
> > >
> > > Giovanni Antico
> > > g.a...@al...
> > > www.alt123.com
> > > tel { 347.8111904 }

From: Jonathan S. <gel...@ge...> - 2004-05-10 10:07:46

On Sat, 2004-05-08 at 12:03, Elizabeth Williams wrote:
> Hello all,
>
> I have created a script based on wwwadmin which allows you to delete or
> hide messages which have been submitted to the guestbook. I haven't yet
> got it fully working live yet as my cgi-access isn't set up yet, though
> it works on my own computer. You can view the new guestbook_admin.pl
> script and the changes I needed to make to the guestbook.pl script at
> http://www-users.york.ac.uk/~ew9. I'll let you know when I have set it
> up on an independent website. Any comments would be gratefully
> received. And whoever wrote wwwadmin.pl did a nice job I hope you don't
> mind me borrowing bits from it.
>

That is really very strange - someone else sent us something like this on Friday - if anyone has the time we should review the differences and release the best of both.

Thanks for this.

/J\

From: Elizabeth W. <ew...@yo...> - 2004-05-08 11:03:15

Hello all,

I have created a script based on wwwadmin which allows you to delete or hide messages which have been submitted to the guestbook. I haven't yet got it fully working live yet as my cgi-access isn't set up yet, though it works on my own computer. You can view the new guestbook_admin.pl script and the changes I needed to make to the guestbook.pl script at http://www-users.york.ac.uk/~ew9. I'll let you know when I have set it up on an independent website. Any comments would be gratefully received. And whoever wrote wwwadmin.pl did a nice job I hope you don't mind me borrowing bits from it.

Elizabeth Williams.

From: Nick C. <ni...@cl...> - 2004-05-07 09:14:59

On Fri, May 07, 2004 at 02:45:42AM +0100, Richard Rose wrote:
> Hello again, all.
>
> Admission of guilt - I missed tainting test, on the logout action in my
> guestbook-admin script. A new guestbook-admin script is attached and
> uploaded to the same place as the last one.
>
> The MD5 of the new guestbook-admin.pl is:
> MD5 (guestbook-admin.pl) = dd746ef69312c745c778048508a7904e
>
> It would also appear that I am on the mailing list, should people want
> to contact me.

Nice work. A couple of points though:

There's no check for the validity of 'cookie' apart from where you go to unlink it, so (I think) a cookie value of '../../../../../../etc/passwd' would let you in, since the file exists.

What if someone adds a post to the guestbook while the administrator is viewing it, and then the administrator deletes a post ? It seems to me that the wrong post could be deleted.

Nick

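Both review points as an added example (not Richard Rose's script and not NMS code): the cookie is matched against the token format before it ever becomes part of a path, and deletion is keyed on a per-entry id instead of position on the page. Assumed for illustration: sessions are files named after a 32-hex-digit token inside a session directory, and each guestbook entry carries a numeric id.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Assumed layout: one file per logged-in session, named after the cookie
# value, inside a dedicated session directory (temporary for this demo).
my $SESSION_DIR = tempdir(CLEANUP => 1);

# Return the session file path for a cookie value, or nothing if the
# value is not a well-formed token or no such session exists.
sub session_file_for {
    my ($cookie) = @_;
    return unless defined $cookie;
    # Accept only what the login step would have issued: 32 hex digits.
    # No '/', '.' or NUL can pass, and the capture untaints under -T.
    return unless $cookie =~ /\A([0-9a-f]{32})\z/;
    my $path = "$SESSION_DIR/$1";
    return unless -f $path and not -l $path;
    return $path;
}

# Entries are identified by a stable id assigned when the post is
# written, not by their position on the page the administrator loaded.
# Returns the number of entries removed (0 if the id is unknown).
sub delete_entry {
    my ($entries, $id) = @_;
    return 0 unless defined $id && $id =~ /\A\d+\z/;
    my $before = @$entries;
    @$entries = grep { $_->{id} != $id } @$entries;
    return $before - @$entries;
}

# --- constructed demonstration data ---
my $token = 'dd0c7a5e9b1f4c3e8a6b2d4f6e8a0c1b';    # stand-in issued token
open my $fh, '>', "$SESSION_DIR/$token" or die "cannot create session: $!";
close $fh;

my @cookies = (
    $token,                            # genuine session
    '../../../../../../etc/passwd',    # value from the review above
    "$token/../$token",                # right name, wrong shape
    '',                                # empty cookie
);
for my $cookie (@cookies) {
    printf "%-70s %s\n", "[$cookie]",
        session_file_for($cookie) ? 'session accepted' : 'rejected';
}

# The administrator loaded the page when entry 2 was newest; a visitor
# then posted entry 3. "Delete the first entry" would now remove entry 3,
# while deleting by id still removes the intended post.
my @entries = (
    { id => 3, text => 'new post' },
    { id => 2, text => 'spam to delete' },
    { id => 1, text => 'hello' },
);
my $removed = delete_entry(\@entries, 2);
print "removed $removed; remaining ids: ",
    join(',', map { $_->{id} } @entries), "\n";
```

In a CGI the read, filter and rewrite of the guestbook file would also need to happen under one lock, so that a post arriving mid-delete is not lost.
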
From: Jonathan S. <gel...@ge...> - 2004-05-07 09:02:54

On Fri, 2004-05-07 at 02:06, Richard Rose wrote:
> Hello all,
>
> I have written an admin script for guestbook.pl. It requires a small
> patch to guestbook.pl (attached, but also here[0]), to mark the
> beginning and end of comments.
>
> It provides a login interface for the user, by password, and an admin
> view of the guestbook. From here, the administrator can hide and unhide
> comments, and delete comments, and logout.
>
> The code is compatible with the rest of the code from nms-cgi (will work
> with perl 5.004, no external modules required, uses -wT and use strict),
> and should introduce no security holes, though I would encourage a
> review beforehand, in case there is anything I have missed.
>
> The code is attached, but can also be found here[1].
>
> Questions, comments, and so forth should be mailed directly to me, as I
> am not on the list.
>
>
> The code is hereby donated to the NMS-CGI project, for distribution
> under whichever licence they see fit, and for maintenance by
> themselves.
>

Thanks for this. I have applied the patch to guestbook.pl and have checked into CVS along with the guestbook-admin.pl - they will both need to be tested before we make a release if anyone has any time.

One small change that I will make to the admin program will be to remove the default password and make the program refuse to accept an empty password in order that the user is forced to make one up.

I don't suppose there is any chance that you could come up with a README.admin for the guestbook-admin.pl?

Anyway thanks again.

/J\