Stephen Poley <sb******************@xs4all.nl> said:
If the server is correctly configured it is not possible for anyone
external to access cgi-bin. If it is incorrectly configured,
address-harvesters still wouldn't find the address unless someone has
linked to the file concerned.
"Shmuel (Seymour J.) Metz" <sp******@library.lspace.org.invalid> posted:
But the whole point of a CGI program is to link to it.
Yes, they can refer to the resource. They can send it data, and see the
results, but they can't see what's written inside the CGI program itself.
If you had something like /cgi-bin/myscript.pl and tried to load that file
directly in the browser, you wouldn't get the source code for it, you'd get
whatever the program does when it's RUN without input data (probably an
error message). But normally you get whatever the program does when it's
run with input data.
If you look at something like the NMS alternative to Matt's form mail
script, you can see a better way of offering mail forms. Rather than your
HTML form containing recipient addresses, where they're there for all to
see and harvest, it contains ambiguous references (aliases). Inside
the script there's a table of what addresses those references should be
used to deliver to. Nobody else on the internet can read into the contents
of that file and harvest the addresses.
e.g. It works in this fashion:
In your HTML form you'd have something like:
<input type="hidden" name="recipient" value="me">
In the formmail script, you'd have data that correlates "me"
to an address to send the form data:
%recipient_alias = (
'me' => 't**@example.com',
'you' => 'j******@example.com',
);
--
If you insist on e-mailing me, use the reply-to address (it's real but
temporary). But please reply to the group, like you're supposed to.
This message was sent without a virus, please delete some files yourself.
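The alias lookup described in the post above, as an added example that is not part of the original post and is not the NMS script's own code. The function name `resolve_recipients`, the comma-separated alias handling and the addresses are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Alias table kept inside the script, as in the post. The addresses are
# constructed placeholders, not the ones from the post.
my %recipient_alias = (
    'me'  => 'owner@example.com',
    'you' => 'helper@example.com',
);

# Map the submitted "recipient" field to delivery addresses.
# The submitted value is only ever used as a hash key; it is never
# used as an address itself. Returns an empty list on any failure.
sub resolve_recipients {
    my ($submitted) = @_;
    return () unless defined $submitted && length $submitted;

    my @addresses;
    for my $alias (split /,/, $submitted) {
        $alias =~ s/^\s+|\s+$//g;    # tolerate stray whitespace
        # Fail closed: one unknown alias rejects the whole submission.
        return () unless exists $recipient_alias{$alias};
        push @addresses, $recipient_alias{$alias};
    }
    return @addresses;
}

# Constructed sample submissions, including a raw address in place of an alias.
for my $value ('me', 'me, you', 'someone@example.net', 'me,bogus', '') {
    my @to = resolve_recipients($value);
    printf "%-22s => %s\n", "'$value'",
        @to ? join(', ', @to) : 'REJECTED (no mail sent)';
}
```

Because a raw address submitted in place of an alias is rejected, the form can only deliver to addresses listed in the table, which also keeps it from being used to mail arbitrary third parties.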