Web interface for clients

Hi,

Is it possible to integrate RT to an existing web form where clients can
select which issues they want to report besides using the e-mail? Here’s the
scenario:

Web form → client selects issue, describes problem, enters e-mail & other
contact information → client clicks submit report → server accepts
request, checks for required fields → sends e-mail to RT → RT responds to
client by sending back the trouble ticket

francis a. vidal [bitstop network services] | http://www.dagupan.com
streaming media + web hosting | http://www.keystone.ph
v(02)330-2871,(02)330-2872; f(02)330-2873 | http://www.kuro.ph

Hi,

Is it possible to integrate RT to an existing web form where clients can
select which issues they want to report besides using the e-mail? Here’s the
scenario:

Web form → client selects issue, describes problem, enters e-mail & other
contact information → client clicks submit report → server accepts
request, checks for required fields → sends e-mail to RT → RT responds to
client by sending back the trouble ticket

You should be able to do this with a simple web form, and something like
the formmail.pl script from Matt’s Script Archive.
http://worldwidemart.com/scripts/formmail.shtml

Tom Holub (tom_holub@LS.Berkeley.EDU, 510-642-9069)
College of Letters & Science
249 Campbell Hall

Please bear with me if I seem overly ranty on this point:

DO NOT INSTALL formmail.pl ESPECIALLY ON A SYSTEM EXPOSED TO THE PUBLIC
INTERNET - IT’S A MONSTROUSLY HUGE SECURITY RISK.

See http://www.monkeys.com/anti-spam/formmail-advisory.ps for the security
advisory; if you’re running formmail.pl in any capacity, please replace it
with the more secure version at ftp://ftp.monkeys.com/pub/formmail/1.9s/ or
disable it as soon as possible.

Apologies for shouting but there is at least one anti-spam DNSBL devoted to
blacklisting sites running formmail.pl. I reviewed the formmail.pl code a few
years ago and found a number of very serious flaws; sadly, it hasn’t changed
since then. Basically formmail.pl turns your mailserver into an open relay
which is then trivially exploited by spammers. I’ve received spam via
formmail.pl scripts; this is not a theoretical problem.

Regardless of firewalling and other security measures you may have in place,
it’s a very bad idea to install known insecure scripts like formmail.pl,
especially when there are plenty of secure alternatives available. You are
better off coding your own special-purpose web-to-mail CGI script, taking
care to hard-code or programmatically generate recipient addresses.

Please don’t take this as a personal attack. Formmail is unfortunately very
popular and many people don’t know its lineage - they find out the hard way.
I bear a particular grudge against formmail because it’s so obviously broken,
it has been for a long time, and the author either doesn’t have the talent or
time to fix the code or the common sense to stop distributing it. IMHO,
Matt’s Script Archive gives a black eye to every responsible open-source
developer out there and I feel sorry for everyone who has installed formmail
in good faith, mistakenly believing that the author took reasonable security
precautions when designing the code.

– Bob

Wednesday 27 February 2002 16:32, you wrote:

On Tue, Feb 26, 2002 at 05:04:08PM +0800, francisv@dagupan.com wrote:

Hi,

Is it possible to integrate RT to an existing web form where clients can
select which issues they want to report besides using the e-mail? Here’s
the scenario:

Web form → client selects issue, describes problem, enters e-mail &
other contact information → client clicks submit report → server
accepts request, checks for required fields → sends e-mail to RT → RT
responds to client by sending back the trouble ticket

You should be able to do this with a simple web form, and something like
the formmail.pl script from Matt’s Script Archive.
http://worldwidemart.com/scripts/formmail.shtml

I would recommend that you avoid using the script mentioned below.

I took a look at the script and I didn’t see anything I knew how to exploit,
but I saw some things that make me suspicious:

  1. Taint checking is not enabled. You should always enable taint checking
    for CGIs.
  2. The strict pragma is not used. Generally speaking, abiding by the
    restrictions strict mode enforces makes for better, more robust code.
    Unless you are Damian Conway, use strict.
  3. This script parses CGI arguments itself, instead of using CGI.pm. CGI.pm
    is part of the standard distribution, and is well tested. Parsing CGI input
    is not as trivial as it seems.
  4. Warnings aren’t enabled. While running with warnings enabled does have a
    slight speed impact, if you’re running this code, you’re not Yahoo!. If the
    code can’t run without generating warnings, you should fix it.

If you want to know more about these issues, visit http://perlmonks.org/ and
search for ‘use strict’ ‘use CGI’.

Several people here have stated their opinions of MSA:
http://perlmonks.org/index.pl?lastnode_id=3989&node_id=27967
http://perlmonks.org/index.pl?lastnode_id=104167&node_id=104159

And this thread mentions the form mailer by name:
http://perlmonks.org/index.pl?lastnode_id=93757&node_id=93731

And finally a thread all about form mailer:
http://perlmonks.org/index.pl?lastnode_id=3989&node_id=102758

Also read perlsec.
http://www.perldoc.com/perl5.6.1/pod/perlsec.html

Let’s be careful out there.
–Mark

rt-users mailing list
rt-users@lists.fsck.com
http://lists.fsck.com/mailman/listinfo/rt-users
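As an added example (my code, not any poster's and not formmail.pl), this is the kind of special-purpose web-to-mail CGI Bob suggests, written with the four practices Mark lists: taint mode, strict, warnings and CGI.pm, with the RT queue address hard-coded so the form cannot choose the recipient. The queue address, sendmail path, form field names and allowed issue values are assumptions for illustration.

```perl
#!/usr/bin/perl -T
# Added example, not from the thread. Run as a CGI; -T on the shebang turns on
# taint checking so untrusted input cannot reach open() or system() unchecked.
use strict;
use warnings;
use CGI;

# Taint mode refuses to spawn programs with an untrusted PATH, so fix it here.
$ENV{PATH} = '/usr/sbin:/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $RT_QUEUE = 'support@rt.example.com';    # assumed; hard-coded on purpose
my $SENDMAIL = '/usr/sbin/sendmail';        # assumed path
my @ISSUES   = qw(hosting streaming billing other);   # assumed menu values

my $q = CGI->new;    # CGI.pm parses the request instead of hand-rolled code

# Untaint a field by matching it against an explicit pattern; only the
# captured group comes back, and only if the whole value matched.
sub clean {
    my ($value, $re) = @_;
    return undef unless defined $value && $value =~ $re;
    return $1;
}

my $email = clean($q->param('email'), qr/^([\w.+-]+@[\w-]+(?:\.[\w-]+)+)$/);
my $issue = clean($q->param('issue'), qr/^(\w{1,32})$/);
my $desc  = clean($q->param('description'), qr/^([\x20-\x7e\r\n]{1,4000})$/);

# Server-side required-field checks, as in the scenario Francis describes.
my @errors;
push @errors, 'a valid e-mail address' unless defined $email;
push @errors, 'an issue from the menu'
    unless defined $issue && grep { $_ eq $issue } @ISSUES;
push @errors, 'a description' unless defined $desc;

print $q->header('text/plain');
if (@errors) {
    print "Please supply: ", join(', ', @errors), "\n";
    exit 0;
}

# Fixed argument list (no shell) and a literal recipient: form data can
# neither add recipients nor inject header lines, so this is not a relay.
open my $mail, '|-', $SENDMAIL, '-oi', $RT_QUEUE
    or die "cannot run sendmail: $!";
print {$mail} "To: $RT_QUEUE\nFrom: $email\n",
              "Subject: [web form] $issue\n\n$desc\n";
close $mail or die "sendmail failed: $!";
print "Report sent; RT will reply to $email with your ticket number.\n";
```

Because the recipient is a literal and the From address is untainted by a strict pattern, a spammer posting to this form can only send a complaint to your own RT queue, never to a third party.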

Yesterday Bob Apthorpe wrote:

Please bear with me if I seem overly ranty on this point:

You seemed quite constrained to me!

DO NOT INSTALL formmail.pl ESPECIALLY ON A SYSTEM EXPOSED TO THE
PUBLIC INTERNET - IT’S A MONSTROUSLY HUGE SECURITY RISK.

See http://www.monkeys.com/anti-spam/formmail-advisory.ps for the
security advisory; if you’re running formmail.pl in any capacity,
please replace it with the more secure version at
ftp://ftp.monkeys.com/pub/formmail/1.9s/ or disable it as soon as
possible.

For those who don’t know, there’s also the NMS project which provides
drop-in replacements for Matt’s Script Archive scripts but without the
security problems. They have a formmail replacement available:

http://nms-cgi.sourceforge.net/

(Unfortunately they also have a very long homepage, with the table of
available scripts about halfway down it, and no anchors for direct
linking!)

Smylers