[geeklog-modules] Sendmail hack demonstratable
tony at tonybibbs.com
Tue Feb 11 22:40:16 EST 2003
Well, I have a *start* on this. See here:
More comments below...
Wayne Johns wrote:
> On Wednesday 12 Feb 2003 12:26 am +8, you wrote:
> Hi Tony
> See http://www.cebulists.com/ http://www.bayanihan.org/ for how we post,
> this is one of a number of GL sites we are developing. We want to
> develop http://news.balita.ph to take 100 stories a day - there are some
> which we have posted by hand. Apologies these have not been updated in a
> month; we have moved to a new dedicated server and had many
> Apache 2/PHP/GL compatibility problems some of which are not resolved
> Basically our needs would be to send something to say:
> business at balita.ph
> metro at balita.ph
> and sendmail would process the input into the respective topic.
> These are the current feeds into a forum suite (see
> So a similar alias entry would 'force' it into the appropriate topics.
> There would be no approval required as those submitting would be approved
> posters. Would require some sort of security
> A way to split the story to the nearest paragraph end if based on size
If you look at my submitstory command (both client and server) you
should see how easy it is to modify it. Also, I have this set up so you
only chew up one email address, not one per topic.
> Reading your method
>>username: <geeklog.net username>
>>title: <story title>
>>topic: <topic id>
>>mode: <html or plaintext>
>>story: <text for the story>
>>This *should* save a new story to the submission queue.
> Looks a little generic and will allow for various differing aspects in
> Command: For security maybe should be user definable ? Or have admin
> commands as well -- this is why I say username password.
I think security will be loose at best but when I do implement here is
what I am thinking.
1) you must send the email message from a registered email account. If not
the command will be rejected. This is easily spoofed but it is a start
since you can't get the email addresses for GL users.
2) you must provide GL username and GL password
3) Throttles to prevent DoS attacks
> Title: Could this just be taken from the subject
If you use one email address for all commands the subject shouldn't be used.
> Topic: Wouldn't this be better just taken from the address and Sendmail
Could. Again, managing multiple aliases is a pain. Instead the command
"help <submitstory>" should return a list of available topics for you
> I presume the command, username, mode and story would appear in the email
> body with the first three being on the first three lines.
> Username: This would need to be <domain> username password (password
> eventually) to stop idiot postings. Although if these are going in as
> submissions it wouldn't present too much of a problem, other than sites
> that allow unmoderated posts.
I already addressed security above.
> By using username password it would allow those with the appropriate
> permissions to have material posted direct.
> Mode and story no suggestion.
> Sadly I am not a PHP programmer; I have been trying with a colleague in
> Perl. I did post the email to GL question last year and I think you
Yep, and I was really surprised how easy this is. I think the PHP code
I have is easy to follow. If you need this in a bad way and can't
afford the time to modify the code yourself let's talk off-line about
> I will mention one of the GL team (prefer not to name) did respond
> offering to write this for me for $1000 provided I allowed its release
> into the public domain - I declined as Balita is a non-profit group and
> couldn't afford that sort of price.
Yeah, that price is ridiculous. I have 80% of the core code done already.
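The submitstory command format quoted above, with the three checks Tony lists (registered sender address, GL username and password, throttling), as an added example in Python; this is not Tony's PHP code or anything from Geeklog. The user table, the topic ids, the `password:` line and the five-per-hour limit are assumptions made for the example.

```python
import hashlib, hmac, time
from collections import defaultdict, deque

def _hash(salt, password):           # salted SHA-256, stands in for the site's password store
    return hashlib.sha256((salt + password).encode()).hexdigest()
# Constructed user table (hypothetical): username -> (registered email, salt, password hash)
USERS = {"tony": ("tony@example.test", "s1", _hash("s1", "correct horse"))}
TOPICS = {"business", "metro"}                  # constructed topic ids
REQUIRED = ("username", "password", "title", "topic", "mode")
MAX_PER_HOUR = 5                                # throttle from point 3 of the reply
_recent = defaultdict(deque)                    # username -> timestamps of accepted commands

def parse_command(body):
    """'key: value' header lines up to 'story:'; everything after that is the story text."""
    fields, story, lines = {}, [], body.splitlines()
    for i, line in enumerate(lines):
        key, _, value = line.partition(":")
        key = key.strip().lower()
        if key == "story":
            story = [value.strip()] + lines[i + 1:]
            break
        fields[key] = value.strip()
    fields["story"] = "\n".join(story).strip()
    return fields

def submitstory(sender, body, now=None):
    """Return ('ok', submission) or ('error', reason); every check has to pass."""
    now = time.time() if now is None else now
    cmd = parse_command(body)
    missing = [k for k in REQUIRED + ("story",) if not cmd.get(k)]
    if missing:
        return "error", "missing field(s): " + ", ".join(missing)
    user = USERS.get(cmd["username"])
    # 1) the From address must be the registered account's address (spoofable, so never sufficient alone)
    if user is None or sender.lower() != user[0].lower():
        return "error", "sender not registered"
    # 2) username and password must match; compare the hashes in constant time
    if not hmac.compare_digest(_hash(user[1], cmd["password"]), user[2]):
        return "error", "bad credentials"
    if cmd["topic"] not in TOPICS or cmd["mode"] not in ("html", "plaintext"):
        return "error", "unknown topic or mode"
    # 3) per-user throttle: forget accepted commands older than an hour, then count the rest
    q = _recent[cmd["username"]]
    while q and now - q[0] > 3600:
        q.popleft()
    if len(q) >= MAX_PER_HOUR:
        return "error", "rate limit exceeded"
    q.append(now)
    return "ok", {k: cmd[k] for k in ("username", "title", "topic", "mode", "story")}
```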