LSTSRV-L Archives

LISTSERV Site Administrators' Forum

KEVIN MCKENZIE <[log in to unmask]>
Thu, 26 Aug 1999 15:42:00 -0400
Ok, set the HTML front-end of the CGI to ask for the list owner's email
address, and also to ask for the password of the list.  Also you would ask
what they would want to do such as add, delete, set options, etc., and to
what user's address and the listname.  Written in Perl, this thing is easy!
Then pass the inputs to the CGI, where it takes the inputs, does a simple
sendmail inside the program to "look" like it comes from the owner in the
From: field (supplied from the HTML), and then takes the other inputs and
forms the body of the message to look like the JOB syntax commands.
Similar to:

// JOB PW=$password
add $name_of_list $mailaddress $Fname $lname
// EOJ

Everything with '$' is a variable passed from the HTML.

If the password and email address of the owner match what is on the
listserv server, then it works just fine; if they don't, then nothing is
changed and it stays secure.  Matter of fact, it sends the owner a message
telling them why it failed.  Now many people might think that this is
insecure because it is an interface, but remember, if they know the owner's
address and the list password, then they would do things on their own with
or without the interface.  This just makes an easy tool for users to input
things so that they don't have to remember any syntax.  I think it is
useful for people who have lists, but really could care less about the
inner workings.  They just need to add and delete users on the fly, and
they like HTML input boxes.

Kevin McKenzie
DCIT
Clemson University





At 12:31 PM 8/26/99 -0400, you wrote:
>On Thu, 26 Aug 1999, Jessica Rasku wrote:
>> On Thu, 26 Aug 1999, Listserv Admin wrote:
>> > On Wed, 25 Aug 1999, Jessica Rasku wrote:
>> > > On Wed, 25 Aug 1999, KEVIN MCKENZIE wrote:
>
>> > These ADD jobs are then sent to listserv (and cc:d to a real person). The
>> > "From:" is the Owner and the password is the Owner's passwd so all
>> > replies and errors go to the List Owner.
>>
>>         Don't send the actual add request to your students.  The password
>> is there.  You don't want that....
>
>  I'm sure I don't understand what you mean since ADD requests go to
>listserv@, which is hardcoded in the program. If you mean the list itself,
>well even if that happens, the list is empty since the ADD job is to put
>students on an empty list.
>
>> > from listserv stating that "so many people have been added, etc.," would
>> > go to the real owner and cause sufficient alarm that they would remember
>> > the instructions to contact us.
>>
>>         A person could replace the header with the password, bypassing the
>> ``real owner''.  So, this isn't safe either...
>
>  Maybe you could be a bit more explicit?  What header is actually
>replaced with the password that could cause listserv to bypass the "real
>owner"?
>
>--Trish
>-----------
>Trish Forrest, Queen's University
>
>
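
An added example, not code from the original message or from anyone in the thread (the post mentions Perl; this sketch uses Python): because the form values are pasted into the From: header and into the JOB lines, the gateway below accepts each field only if it is a single token with no spaces or line breaks, and it masks the PW= value in any copy that is logged or cc'd. The listserv address, the field patterns and the function names are assumptions.

```python
import re
from email.message import EmailMessage

# Assumed address: the thread only says the job goes to "listserv@".
LISTSERV_ADDR = "listserv@lists.example.edu"

# Assumed field policies; tighten or loosen to match local list naming rules.
ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
LISTNAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,31}")
NAME = re.compile(r"[A-Za-z][A-Za-z'.-]{0,39}")
TOKEN = re.compile(r"[!-~]{1,64}")  # printable ASCII, no spaces or line breaks


def check(label, value, pattern):
    """Return value only if the whole string matches the field's pattern."""
    if not isinstance(value, str) or not pattern.fullmatch(value):
        raise ValueError(f"invalid {label}")
    return value


def build_add_job(owner, password, listname, address, fname, lname):
    """Build the ADD job mail; every form field must be one clean token."""
    owner = check("owner address", owner, ADDRESS)
    password = check("password", password, TOKEN)
    listname = check("list name", listname, LISTNAME)
    address = check("subscriber address", address, ADDRESS)
    fname = check("first name", fname, NAME)
    lname = check("last name", lname, NAME)

    msg = EmailMessage()
    msg["From"] = owner
    msg["To"] = LISTSERV_ADDR
    msg.set_content(
        f"// JOB PW={password}\n"
        f"add {listname} {address} {fname} {lname}\n"
        "// EOJ\n"
    )
    return msg


def redacted_body(msg):
    """Job text that is safe to log or cc: the PW= value is masked."""
    return re.sub(r"(?m)^(// JOB PW=)\S+", r"\1********", msg.get_content())
```

fullmatch is used rather than match so that a value ending in a newline is rejected instead of slipping past an end-of-string anchor.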
