Sign Up Form Confirmation E-mail

[John Jordan]

I really appreciate your observations!
I'm going to take a second look at my other forms. I'll also try turning off SpamAssassin.
I'm going to do a little experimenting with this and get back with you.

You asked if I now received an email notification to the site owner. The answer is still no to that.
Thanks!

[John Jordan]

I said I'd get back, so here we go.
Keep in mind that my web host went out of business and I've switched to a different company and different servers. The new company is very concerned about e-mail security. I'll just say that I did not notice this problem until after the switch.
Next, you will see my response to my web host. Below that is their assessment of the problem.
I appreciate any help I can get with this situation.
Thanks, John

*****************
Well, the form still doesn't work.
Also, I have a form at
http://www.cartercountymarket.com/html/contactus.html
that uses TFmail.pl which, I believe, is like formmail. This form is not working. I'll list the others that aren't working:
http://www.cartercountymarket.com/docs/add.html
http://www.1st-beginners-golf-swing-.../docs/add.html
http://www.marthaskentuckyrecipe.com/docs/add.html

I don't know how that fits in with your explanation.
I'll post this on my thread at:
Sign Up Form Confirmation E-mail
Thanks for your efforts,
John Jordan
****************************
> From: "Rising Web Works Support"
> Date: 2008/02/12 Tue AM 10:16:00 EST
> To: [email]
> Subject: [Support #PAH-926542]: forms - confirmation e-mails
>
> Ok, I jumped over to your account and I think I see the problem here.
>
> See...the server has been changed for security, one of those changes is with the user nobody which apache uses to run. The user nobody is not permitted to send email. Normally this isn't a problem for users with their formmail. The formmail just sends using the username of the executing owner of the account. This is where the problem is. All your files are owned by 'nobody' & world read/writable.
>
> That is a monstrous security problem for you. Anyone, literally, may edit any file owned by nobody via apache. I would request the developers of Soholaunch as to what file ownership and permissions is absolutely required to operate their application and then change accordingly.
>
> In the mean time, I'm going to change the ownership of the index.php file back to fccgrays (you) and you can try sending email via your form now and see if that is going to work for you. However, index.php may (is) executing another script which (most likely) is also owned by the user nobody, in that case the email will fail again.
>
> Its important that the files in your account are owned by your user, please review your script requirements.

[dresswell]

Is your server running php suexec?
It dont sound like it.Go to your sohoadmin and check.
Webmaster > Software Updates >[?] Technical diagnostic info (for Geeks)
It should say there if you are or not.
If not thats a security risk.
Ask them to put you on a php suexec server.
dresswell

[lwyau]

dresswell is correct!

Your host should either implement phpsuexec (with which all PHP scripts run as your username) and clam down mails sent by "nobody", or let "nobody" sends emails since all PHP scripts (not just soho) run as "nobody" without phpsuexec.

Your host is in shady ground when stating "I would request the developers of Soholaunch as to what file ownership and permissions is absolutely required to operate their application and then change accordingly." They should run phpsuexec to ensure a secured PHP environment.

[dresswell]

Some people dont relize that anyone can have a hosting company.
Even a child.It dont mean they know how to run it or keep you safe there.
I would advise anyone who is changing there host/server check into them
first,Not after you have problems.My first host was great.Unfortanly
he passed away.So i looked and asked a lot of questions to a lot of
host/servers and came up with that, a lot of them dont know much
about what they are doing.I found some that did.
So i pestered them ones a bit just to see if they could take a little abuse.
Without horasing them to much.Just to check there knolage and patences.
I Got to say SORRY jenn,But you did pass my tests.With flying colors.
Thats why i got all my accounts with you now.More to come.
I use draknet.net
They know what there doing.
Thats for keeping me safe and my sites up without any problems.
In my oppion the best darn hosting company there is.
dresswell

[John Jordan]

php_suexec is disabled per my admin panel. I've requested to have it enabled.

I'll just post responses.
*******************************
I read the forum post, the replies and these people are mistaken big time.
You ARE on a phpsuexec environment.

My 12 years of technical experience and my 9 years of programming tells me that
having your scripts owned by the user nobody AND moded world read and writable
is NOT a good thing and that my asking what the correct ownership and
permission values is quite legitimate.

Your scripts are currently owned by a user that anyone can use to
add/edit/delete your files. This isn't of our doing, but you or the script
itself.

I will ask again, does soholaunch require you to have these very very insecure
ownership and file permissions. I am going to go with no.

We are not going to remove you out of the phpsuexec environment and we will not
lessen any security policies.
********************
Here is a snippet just so you understand where I am coming from:

-rwxrwxrwx 1 nobody nobody 2164 Feb 12 08:41 pgm-authenticate.php
-rwxrwxrwx 1 nobody nobody 19751 Feb 12 08:41 pgm-auto_menu.php
-rwxrwxrwx 1 nobody nobody 6852 Feb 12 08:41 pgm-blog_display.php
-rwxrwxrwx 1 nobody nobody 2940 Feb 12 08:41 pgm-cal-confirm.php
-rwxrwxrwx 1 nobody nobody 7766 Feb 12 08:41 pgm-cal-details.inc.php
-rwxrwxrwx 1 nobody nobody 15228 Feb 12 08:41 pgm-cal-monthview.php
-rwxrwxrwx 1 nobody nobody 8060 Feb 12 08:41 pgm-cal-submitevent.inc.php
-rwxrwxrwx 1 nobody nobody 38936 Feb 12 08:41 pgm-cal-system.php
-rwxrwxrwx 1 nobody nobody 6067 Feb 12 08:41 pgm-cal-weekview.php
-rwxrwxrwx 1 nobody nobody 1875 Feb 12 08:41 pgm-download_media.php

See that rwxrwxrwx plus those two "nobody"

That means your file ownership AND permissions are simply way to open. No
matter what environment your in period. Anyone can modify those files above
because someone(the script or webmaster) made them that way.

[John Jordan]

Keep in mind that my other forms (see my post above) are not sending confirmation e-mails. I know that's not a Soholaunch situation, but I'm just trying to provide complete information. I've looked at the cfg settings. Might be some strange coincidence.
Thanks,
John

[dresswell]

Once you get them to enable php_suexec.
You can set your permissions to 755
User rwxrwxrwx group rwxrwxrwx
This will make you as secure as possable.
Once you do that you may want to check
your sohoadmin>webmaster> Software Updates >
[?] Technical diagnostic info (for Geeks)
And make sure you have (chmod to 777 after updating?
Set to no),otherwise your permissions will convert to 777
Wide open when u update it.
dresswell

[lwyau]

Just make sure phpsuexec is running and ask your host to reset all sohoadmin folders and files from "nobody" to your username with 755 permission settings.

[John Jordan]

To make a long story short. My new web host was started by employees of the host that failed (owner went awol). For now, I'd like to give them the benefit of the doubt and a chance to make things work.
Here's my the latest submission to the support request thread addressing this whole problem. I just wondered in anyone here had any thoughts.
Thanks, John

************************
I'm concerned that the problem may be more than Soholaunch and related settings.

As I mentioned before, I have a form at
http://www.cartercountymarket.com/html/contactus.html
that uses TFmail (TFmailx.pl) which, I believe, is like formmail.
The following forms are Link v1.01 by Widexl.com:
http://www.cartercountymarket.com/docs/add.html
http://www.1st-beginners-golf-swing-.../docs/add.html
http://www.marthaskentuckyrecipe.com/docs/add.html

So, I've got 3 different programs (Soholaunch/TFmail/Link) that are no longer sending e-mails. Could it be a problem with the server's sendmail program, for example?
Again, just my un-technical observation.
Thanks, John Jordan