[geeklog-modules] Sendmail hack demonstratable

Tony Bibbs tony at tonybibbs.com
Tue Feb 11 22:40:16 EST 2003


Hi Wayne,

Well, I have a *start* on this.  See here:

http://cvs.geeklog.net/chora/cvs.php/email_connector

Download here:

http://www.tonybibbs.com/filemgmt/visit.php?lid=4

More comments below...

Wayne Johns wrote:
> On Wednesday 12 Feb 2003 12:26 am +8, you wrote:
> 
> Hi Tony
> 
> See http://www.cebulists.com/ http://www.bayanihan.org/  for how we post, 
> this is one of a number of GL sites we are developing. We want to 
> develop http://news.balita.ph to take 100 stories a day - there are some 
> which we have posted by hand. Apologies these have not been updated in a 
> month we have moved to a new dedicated server and had many 
> Apache 2/PHP/GL compatibility problems some of which are not resolved 
> yet.
> 
> Basically our needs would be to send something to say:
> 
> 	business at balita.ph
> 	metro at balita.ph 
> 
> and sendmail would process the input into the respective topic.
> 
> These are the current feeds into a forum suite (see 
> www.balita.org/cgi-bin/gforum.cgi)
> 
> /var/www/htdocs/balita.org/cgi-bin/admin/Plugins/GForum/archive.pl 
> --forum=1
> /var/www/htdocs/balita.org/cgi-bin/admin/Plugins/GForum/archive.pl 
> --forum=2
> 
> So a similar alias entry would 'force' it into the appropriate topics.
> 
> There would be no approval required as those submitting would be approved 
> posters. Would require some sort of security
> 
> A way to split the story to the nearest paragraph end if based on size 
> criteria.

If you look at my submitstory command (both client and server) you 
should see how easy it is to modify it.  Also, I have this set-up so you 
only chew up one email address, not one per topic.

> 
> Reading your method
>
>>command: submitstory
>>username: <geeklog.net username>
>>title: <story title>
>>topic: <topic id>
>>mode: <html or plaintext>
>>story: <text for the story>
> 
> 
>>This *should* save a new story to the submission queue.
> 
> 
> Looks a little generic and will allow for various differing aspects in 
> GL.
> 
> Command: For security maybe should be user definable ? Or have admin 
> commands as well -- this is why I say username password.

I think security will be loose at best but when I do implement here is 
what I am thinking.
1) you must send email message from a registered email account. If not 
the command will be rejected.  This is easily spoofed but it is a start 
since you can't get the email addresses for GL users.
2) you must provide GL username and GL password
3) Throttles to prevent DoS attacks

> Title: Could this just be taken from the subject
If you use one email address for all commands the subject shouldn't be used.

> Topic: Wouldn't this be better just taken from the address and Sendmail 
> alias.

Could. Again managing multiple aliases is a pain.  Instead the command 
"help <submitstory>" should return a list of available topics for you.

> 
> I presume the command, username, mode and story would appear in the email 
> body with the first three being on the first three lines.

Yes.

> 
> Username: This would need to be <domain> username password (password 
> eventually) to stop idiot postings. Although if these are going in as 
> submissions it wouldn't present too much of a problem, other than sites 
> that allow unmoderated posts.

I already addressed security above.

> 
> By using username password it would allow those with the appropriate 
> permissions to have material posted direct.
> 
> Mode and story no suggestion.
> 
> Sadly I am not a PHP programmer have been trying with a colleague in 
> Perl. I did post the email to GL question last year and I think you 
> responded.

Yep, and I was really surprised how easy this is.  I think the PHP code 
I have is easy to follow.  If you need this in a bad way and can't 
afford the time to modify the code yourself let's talk off-line about 
options.

> 
> I will mention one of the GL team (prefer not to name) did respond 
> offering to write this for me for $1000 provided I allowed its release 
> into the public domain - I declined as Balita is a non-profit group and 
> couldn't afford that sort of price.

Yeah, that price is ridiculous.  I have 80% of the core code done already.

> 
> Regards
> 
> Wayne

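The message format quoted above (command / username / title / topic / mode / story) and the three checks Tony lists (sender must be a registered address, username plus password required, throttling against DoS), together with Wayne's request to cut long stories at a paragraph boundary, are sketched below as an added example. It is not Tony's email_connector code and not Geeklog's; it is written in Python rather than PHP so it can be run stand-alone, and the user table, salt, topic ids, throttle limits and the sample mail body are all constructed for the demo.

```python
import hashlib
import hmac
import time

# Constructed stand-in for Geeklog's user table (assumption: the real table and
# its password hashing look different; names, salt and hash here are invented).
def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

USERS = {
    "wayne": {"email": "wayne@example.org", "salt": b"demo-salt",
              "pw_hash": hash_password("s3cret", b"demo-salt")},
}
TOPICS = {"business", "metro"}           # constructed topic ids
MODES = {"html", "plaintext"}
HEADER_FIELDS = ("command", "username", "password", "title", "topic", "mode")

WINDOW_SECONDS = 600                     # throttle: at most MAX_PER_WINDOW
MAX_PER_WINDOW = 5                       # messages per sender per window
_recent = {}                             # sender -> timestamps inside the window


def parse_body(body):
    """Split the mail body into 'key: value' headers; 'story:' starts free text."""
    fields, lines = {}, body.splitlines()
    for i, line in enumerate(lines):
        key, sep, value = line.partition(":")
        key = key.strip().lower()
        if key == "story":               # everything from here on is the story
            fields["story"] = "\n".join([value.strip()] + lines[i + 1:]).strip()
            break
        if sep and key in HEADER_FIELDS:
            fields[key] = value.strip()
    return fields


def throttled(sender, now):
    """Sliding-window rate limit per sending address, applied before parsing."""
    stamps = [t for t in _recent.get(sender, []) if now - t < WINDOW_SECONDS]
    if len(stamps) >= MAX_PER_WINDOW:
        _recent[sender] = stamps
        return True
    stamps.append(now)
    _recent[sender] = stamps
    return False


def trim_to_paragraph(story, max_chars):
    """Cut an over-long story at the last paragraph break before max_chars."""
    if len(story) <= max_chars:
        return story
    cut = story.rfind("\n\n", 0, max_chars)
    if cut <= 0:                         # no paragraph break: fall back to a hard cut
        cut = max_chars
    return story[:cut].rstrip()


def handle_message(sender, body, now=None, max_story_chars=4000):
    """Return ('ok', submission), ('help', topics) or ('reject', reason)."""
    now = time.time() if now is None else now
    if throttled(sender, now):
        return ("reject", "rate limit exceeded for sender")
    f = parse_body(body)
    command = f.get("command", "")
    if command.startswith("help"):       # 'help submitstory' lists the topics
        return ("help", sorted(TOPICS))
    if command != "submitstory":
        return ("reject", "unknown command")
    user = USERS.get(f.get("username", ""))
    if user is None or user["email"].lower() != sender.lower():
        return ("reject", "sender is not the registered address of that user")
    given = hash_password(f.get("password", ""), user["salt"])
    if not hmac.compare_digest(given, user["pw_hash"]):
        return ("reject", "bad password")
    for key in ("title", "topic", "mode", "story"):
        if not f.get(key):
            return ("reject", "missing field: " + key)
    if f["topic"] not in TOPICS:
        return ("reject", "unknown topic")
    if f["mode"] not in MODES:
        return ("reject", "mode must be html or plaintext")
    return ("ok", {"username": f["username"], "title": f["title"],
                   "topic": f["topic"], "mode": f["mode"],
                   "story": trim_to_paragraph(f["story"], max_story_chars)})


# Constructed sample mail body in the format quoted in the thread.
SAMPLE_BODY = """command: submitstory
username: wayne
password: s3cret
title: Port reopens after storm
topic: metro
mode: plaintext
story: First paragraph of the story.

Second paragraph of the story."""

if __name__ == "__main__":
    print(handle_message("wayne@example.org", SAMPLE_BODY))
```

The throttle runs before any parsing so a flood of malformed mail costs almost nothing per message, and the sender check is done before the password check so that a spoofed From address alone never reaches the credential comparison; as Tony notes, the From check on its own is easily spoofed, which is why the password is still required.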


