[geeklog-modules] Sendmail hack demonstratable

Tony Bibbs tony at tonybibbs.com
Tue Feb 11 22:40:16 EST 2003


Hi Wayne,

Well, I have a *start* on this. See here:

http://cvs.geeklog.net/chora/cvs.php/email_connector

Download here:

http://www.tonybibbs.com/filemgmt/visit.php?lid=4

More comments below...

Wayne Johns wrote:

> On Wednesday 12 Feb 2003 12:26 am +8, you wrote:
>
> Hi Tony
>
> See http://www.cebulists.com/ http://www.bayanihan.org/ for how we post,
> this is one of a number of GL sites we are developing. We want to
> develop http://news.balita.ph to take 100 stories a day - there are some
> which we have posted by hand. Apologies these have not been updated in a
> month; we have moved to a new dedicated server and had many
> Apache 2/PHP/GL compatibility problems, some of which are not resolved
> yet.
>
> Basically our needs would be to send something to say:
>
> business at balita.ph
> metro at balita.ph
>
> and sendmail would process the input into the respective topic.
>
> These are the current feeds into a forum suite (see
> www.balita.org/cgi-bin/gforum.cgi)
>
> /var/www/htdocs/balita.org/cgi-bin/admin/Plugins/GForum/archive.pl
> --forum=1
> /var/www/htdocs/balita.org/cgi-bin/admin/Plugins/GForum/archive.pl
> --forum=2
>
> So a similar alias entry would 'force' it into the appropriate topics.
>
> There would be no approval required as those submitting would be approved
> posters. Would require some sort of security
>
> A way to split the story to the nearest paragraph end if based on size
> criteria.


If you look at my submitstory command (both client and server) you
should see how easy it is to modify it. Also, I have this set-up so you
only chew up one email address, not one per topic.


>
> Reading your method
>
>>command: submitstory
>>username: <geeklog.net username>
>>title: <story title>
>>topic: <topic id>
>>mode: <html or plaintext>
>>story: <text for the story>
>
>>This *should* save a new story to the submission queue.
>
> Looks a little generic and will allow for various differing aspects in
> GL.
>
> Command: For security maybe should be user definable? Or have admin
> commands as well -- this is why I say username password.


I think security will be loose at best, but when I do implement it here is
what I am thinking.
1) you must send the email message from a registered email account. If not,
the command will be rejected. This is easily spoofed but it is a start,
since you can't get the email addresses for GL users.
2) you must provide GL username and GL password
3) Throttles to prevent DoS attacks


> Title: Could this just be taken from the subject

If you use one email address for all commands the subject shouldn't be used.


> Topic: Wouldn't this be better just taken from the address and Sendmail
> alias.


Could. Again managing multiple aliases is a pain. Instead the command
"help <submitstory>" should return a list of available topics for you


>
> I presume the command, username, mode and story would appear in the email
> body with the first three being on the first three lines.


Yes.


>
> Username: This would need to be <domain> username password (password
> eventually) to stop idiot postings. Although if these are going in as
> submissions it wouldn't present too much of a problem, other than sites
> that allow unmoderated posts.


I already addressed security above.


>
> By using username password it would allow those with the appropriate
> permissions to have material posted direct.
>
> Mode and story no suggestion.
>
> Sadly I am not a PHP programmer, have been trying with a colleague in
> Perl. I did post the email to GL question last year and I think you
> responded.


Yep, and I was really surprised how easy this is. I think the PHP code
I have is easy to follow. If you need this in a bad way and can't
afford the time to modify the code yourself let's talk off-line about
options.


>
> I will mention one of the GL team (prefer not to name) did respond
> offering to write this for me for $1000 provided I allowed its release
> into the public domain - I declined as Balita is a non-profit group and
> couldn't afford that sort of price.


Yeah, that price is ridiculous. I have 80% of the core code done already.


>
> Regards
>
> Wayne




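The following is an added example and is not Tony's email_connector code (which is PHP) or anything from Geeklog itself. It shows, in Python, one way the mail-body command format and the three checks discussed above could be implemented: parse the command/username/title/topic/mode/story lines, require that the sending address is the registered one for the named account (the spoofable first filter), verify a password, throttle accepted commands per user, and apply Wayne's "split at the nearest paragraph end" size rule. The user table, topic list, salt, limits, the `password:` line (Tony's format above has no such field yet) and the sample mail body are all constructed for the demo; how Geeklog actually stored passwords in 2003 is not shown here.

```python
import hashlib
import hmac
from collections import defaultdict

SALT = b"constructed-salt"               # assumption: one site-wide salt, demo only
def hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed sample data standing in for the Geeklog user and topic tables.
USERS = {"wayne": {"email": "wayne@example.org", "pw_hash": hash_password("correct horse")}}
TOPICS = ("business", "metro")           # topic ids a "help submitstory" reply would list
MAX_STORY_CHARS = 125                    # size criterion for splitting, chosen for the demo
RATE_LIMIT, WINDOW_SECONDS = 3, 3600     # throttle: accepted commands per user per window
_history = defaultdict(list)             # username -> timestamps of accepted commands

SAMPLE_BODY = """command: submitstory
username: wayne
password: correct horse
title: Test story
topic: metro
mode: plaintext
story: First paragraph of the story, long enough to matter.

Second paragraph, also fairly long so that the size limit bites.

Third paragraph."""

class CommandError(Exception):
    """Any rejected mail; the connector would bounce a short error reply."""

def parse_body(body):
    """Split 'key: value' lines; everything from the 'story:' line on is the story."""
    fields, lines = {}, body.splitlines()
    for i, line in enumerate(lines):
        if not line.strip():
            continue
        key, sep, value = (part.strip() for part in line.partition(":"))
        if not sep:
            raise CommandError(f"malformed line: {line!r}")
        if key.lower() == "story":
            fields["story"] = "\n".join([value, *lines[i + 1:]]).strip()
            break
        fields[key.lower()] = value
    return fields

def authenticate(sender, fields):
    """Checks 1 and 2: the From: address must be the registered address of the named
    account (easily spoofed, so only a first filter) and the Geeklog password must verify."""
    username = fields.get("username", "")
    user = USERS.get(username)
    if user is None or user["email"].lower() != sender.strip().lower():
        raise CommandError("sender is not the registered address for that user")
    if not hmac.compare_digest(user["pw_hash"], hash_password(fields.get("password", ""))):
        raise CommandError("bad password")
    return username

def throttle(username, now):
    """Check 3: sliding-window limit on commands per authenticated user."""
    recent = [t for t in _history[username] if now - t < WINDOW_SECONDS]
    if len(recent) >= RATE_LIMIT:
        raise CommandError("too many commands; try later")
    _history[username] = recent + [now]

def split_story(story, max_chars):
    """Wayne's size criterion: cut only at blank-line paragraph ends so that no part
    exceeds max_chars (a single over-long paragraph is left whole)."""
    parts, current = [], ""
    for para in (p.strip() for p in story.split("\n\n") if p.strip()):
        joined = para if not current else current + "\n\n" + para
        if current and len(joined) > max_chars:
            parts.append(current)
            current = para
        else:
            current = joined
    return parts + [current] if current else parts

def handle_message(sender, body, now):
    """Dispatch one mail: parse, authenticate, throttle, then run the command."""
    fields = parse_body(body)
    username = authenticate(sender, fields)
    throttle(username, now)
    command = fields.get("command", "").lower()
    if command == "help":
        return {"command": "help", "topics": list(TOPICS)}
    if command != "submitstory":
        raise CommandError(f"unknown command {command!r}")
    topic, mode = fields.get("topic"), fields.get("mode", "plaintext").lower()
    if topic not in TOPICS or mode not in ("html", "plaintext"):
        raise CommandError(f"unknown topic {topic!r} or mode {mode!r}")
    return {"command": "submitstory", "username": username, "title": fields.get("title", ""),
            "topic": topic, "mode": mode, "parts": split_story(fields["story"], MAX_STORY_CHARS)}

def rejection_reason(sender, body, now):
    """The error message if the mail would be rejected, else None."""
    try:
        handle_message(sender, body, now)
    except CommandError as exc:
        return str(exc)
    return None
```

Throttling is keyed on the authenticated username and only counts accepted commands, so a flood of mails with a bad password is not limited by this code; a real connector would also want a per-sender limit on failures. The sender check is deliberately described as weak: anyone who learns a user's address can forge the From: header, which is why the password line is the check that actually matters.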
