[geeklog-modules] Sendmail hack demonstratable
Tony Bibbs
tony at tonybibbs.com
Tue Feb 11 22:40:16 EST 2003
Hi Wayne,
Well, I have a *start* on this. See here:
http://cvs.geeklog.net/chora/cvs.php/email_connector
Download here:
http://www.tonybibbs.com/filemgmt/visit.php?lid=4
More comments below...
Wayne Johns wrote:
> On Wednesday 12 Feb 2003 12:26 am +8, you wrote:
>
> Hi Tony
>
> See http://www.cebulists.com/ http://www.bayanihan.org/ for how we post,
> this is one of a number of GL sites we are developing. We want to
> develop http://news.balita.ph to take 100 stories a day - there are some
> which we have posted by hand. Apologies these have not been updated in a
> month we have moved to a new dedicated server and had many
> Apache 2/PHP/GL compatibility problems some of which are not resolved
> yet.
>
> Basically our needs would be to send something to say:
>
> business at balita.ph
> metro at balita.ph
>
> and sendmail would process the input into the respective topic.
>
> These are the current feeds into a forum suite (see
> www.balita.org/cgi-bin/gforum.cgi)
>
> /var/www/htdocs/balita.org/cgi-bin/admin/Plugins/GForum/archive.pl
> --forum=1
> /var/www/htdocs/balita.org/cgi-bin/admin/Plugins/GForum/archive.pl
> --forum=2
>
> So a similar alias entry would 'force' it into the appropriate topics.
>
> There would be no approval required as those submitting would be approved
> posters. Would require some sort of security.
>
> A way to split the story to the nearest paragraph end if based on size
> criteria.
If you look at my submitstory command (both client and server) you
should see how easy it is to modify it. Also, I have this set-up so you
only chew up one email address, not one per topic.
>
> Reading your method
>
>>command: submitstory
>>username: <geeklog.net username>
>>title: <story title>
>>topic: <topic id>
>>mode: <html or plaintext>
>>story: <text for the story>
>
>
>>This *should* save a new story to the submission queue.
>
>
> Looks a little generic and will allow for various differing aspects in
> GL.
>
> Command: For security maybe should be user definable ? Or have admin
> commands as well -- this is why I say username password.
I think security will be loose at best but when I do implement here is
what I am thinking.
1) you must send email message from a registered email account. If not
the command will be rejected. This is easily spoofed but it is a start
since you can't get the email addresses for GL users.
2) you must provide GL username and GL password
3) Throttles to prevent DoS attacks
> Title: Could this just be taken from the subject
If you use one email address for all commands the subject shouldn't be used.
> Topic: Wouldn't this be better just taken from the address and Sendmail
> alias.
Could. Again managing multiple aliases is a pain. Instead the command
"help <submitstory>" should return a list of available topics for you.
>
> I presume the command, username, mode and story would appear in the email
> body with the first three being on the first three lines.
Yes.
>
> Username: This would need to be <domain> username password (password
> eventually) to stop idiot postings. Although if these are going in as
> submissions it wouldn't present too much of a problem, other than sites
> that allow unmoderated posts.
I already addressed security above.
>
> By using username password it would allow those with the appropriate
> permissions to have material posted direct.
>
> Mode and story no suggestion.
>
> Sadly I am not a PHP programmer have been trying with a colleague in
> Perl. I did post the email to GL question last year and I think you
> responded.
Yep, and I was really surprised how easy this is. I think the PHP code
I have is easy to follow. If you need this in a bad way and can't
afford the time to modify the code yourself let's talk off-line about
options.
>
> I will mention one of the GL team (prefer not to name) did respond
> offering to write this for me for $1000 provided I allowed its release
> into the public domain - I declined as Balita is a non-profit group and
> couldn't afford that sort of price.
Yeah, that price is ridiculous. I have 80% of the core code done already.
>
> Regards
>
> Wayne
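As an added illustration (not code from Tony's email_connector, and in Python rather than the module's PHP), here is a parser for the "key: value" body format quoted above combined with the three checks the reply proposes: the sender must be the registered address of the named GL user, a GL username and password must be supplied, and a per-sender throttle limits submissions. The user registry, the sha256 password hashing and the 3-per-minute window are assumptions made for this example.

```python
import hashlib
import hmac
import time

# Constructed registry: GL username -> (registered email, sha256 of password).
# The hashing scheme is an assumption for illustration, not Geeklog's.
REGISTERED = {
    "wayne": ("wayne@example.org", hashlib.sha256(b"s3cret").hexdigest()),
}
WINDOW_SECONDS, MAX_PER_WINDOW = 60, 3   # throttle: assumed values
_seen = {}                                # sender email -> submission timestamps

def parse_command(body):
    """Split 'key: value' header lines; everything after 'story:' is the story."""
    fields, story, in_story = {}, [], False
    for line in body.splitlines():
        if in_story:
            story.append(line)
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "story":
            in_story, story = True, [value.strip()]
        elif sep:
            fields[key.strip().lower()] = value.strip()
    fields["story"] = "\n".join(story).strip()
    return fields

def check_submission(sender, body, now=None):
    """Return (accepted, reason) after the sender, credential and throttle checks."""
    now = time.time() if now is None else now
    cmd = parse_command(body)
    if cmd.get("command") != "submitstory":
        return False, "unknown command"
    user = REGISTERED.get(cmd.get("username", ""))
    if user is None or user[0].lower() != sender.lower():
        return False, "sender is not the registered address for that user"
    given = hashlib.sha256(cmd.get("password", "").encode()).hexdigest()
    if not hmac.compare_digest(given, user[1]):       # constant-time compare
        return False, "bad password"
    if cmd.get("mode") not in ("html", "plaintext"):
        return False, "mode must be html or plaintext"
    if not cmd.get("topic") or not cmd["story"]:
        return False, "topic and story are required"
    recent = [t for t in _seen.get(sender, []) if now - t < WINDOW_SECONDS]
    if len(recent) >= MAX_PER_WINDOW:
        return False, "throttled"
    _seen[sender] = recent + [now]
    return True, "queued for topic " + cmd["topic"]
```

Because the From: address is trivially spoofed, as the reply itself notes, the password and the throttle are what actually carry the weight here; the sender check only narrows who can even attempt a command.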