Bugtraq mailing list archives

formmail patch


From: peter.thompson-yezek () UNI EDU (Peter D. Thompson Yezek)
Date: Fri, 26 May 2000 12:14:10 -0500


Hello,

I've developed a patch for the recently reported problem with Matt
Wright's FormMail script.  The patch listed at
http://www.securityfocus.com/bid/1187 implements an access control of
sorts, but this was not a usable solution at our site.

The following gives the sysadmin the ability to allow certain
environment variables to be reported, but blocks all others.

36a37,42
# @valid_ENV allows the sysadmin to define what environment variables can
# be reported via the env_report directive.  This was implemented to fix
# the problem reported at http://www.securityfocus.com/bid/1187

@valid_ENV = ('REMOTE_HOST','REMOTE_ADDR','REMOTE_USER','HTTP_USER_AGENT');

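Review bot: the allowlist restricts which variable names can be reported, not the content of those variables; of the four defaults, HTTP_USER_AGENT (and REMOTE_HOST when it comes from reverse DNS) is still a client-supplied string that lands in the generated mail, so the comment should say that @valid_ENV keeps out the server's own environment (paths, hostnames, other CGI variables) rather than making env_report output trustworthy. The new setting should also be documented alongside the script's other configuration variables so a sysadmin editing line 37 of the patched file knows to trim the list to what their site actually needs.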
186a193,204

    # Only allow ENV variables in @valid_ENV in @Env_Report for security
    # reasons.
    foreach $env_item (@Env_Report) {
      foreach $valid_item (@valid_ENV) {
        if ( $env_item eq $valid_item ) {
          push(@temp_array, $env_item);
        }
      }
    }
    @Env_Report = @temp_array;

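Review bot: @temp_array is never initialised before the push loop, so under a persistent interpreter (mod_perl, or any second call through this code) names accepted on an earlier pass carry over into the next request's @Env_Report; declare it just before the outer foreach with `my @temp_array = ();`. The same goes for $env_item and $valid_item, which are used as globals. The nested loop is also O(n*m) and keeps duplicates from @Env_Report; a hash lookup expresses the allowlist more directly and drops both issues:
`my %ok = map { $_ => 1 } @valid_ENV;`
`@Env_Report = grep { $ok{$_} } @Env_Report;`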

--
Peter D. Thompson Yezek      .  (319)-273-7390
WWW Tools Specialist         .  Peter.Thompson-Yezek () uni edu
University of Northern Iowa  .  http://www.uni.edu


