Bugtraq mailing list archives

Formmail.pl Exploit - Anti-Spam and security fix available


From: kanda samy <ksamy2000 () yahoo com>
Date: Mon, 25 Jun 2001 08:24:10 -0700 (PDT)

Anti-Spam and security fix available for formmail.pl
http://www.mailvalley.com/formmail/

A serious flaw in the popular CGI program Formmail.pl allows spammers to send anonymous emails. This vulnerability has already been exploited by spammers in many installations of Formmail.pl.
Reference: http://www.securityfocus.com/templates/archive.pike?list=1&mid=168177

Earlier, two workarounds were suggested:

1) Modify the perl script to disallow the GET method
Vulnerability of this workaround:
It is possible to write a script that uses POST method to post to formmail even with a faked http_referrer field. So this may not be a permanent solution.

2) Hard-code the recipient's address into the formmail perl script.
Limitations of this workaround:
This is not at all useful when a single formmail script needs to be used for multiple domains and email addresses.

Patched version of Matt Wright's Formmail.pl is now available.

Parameshwar Babu (babuweb () mailvalley com) has released a patched version of formmail script that contains a fix to this security hole in the script. The modified script allows you to specify the list of recipient email addresses in a text file. Thus the script can be used to restrict emails so that they would be sent only to authorized addresses.

Summary: The patched version of the script:
* Prevents the script from being used by spammers
* Allows you to specify a list of recipients in a text file who are authorized to receive emails.
* Prevents unauthorised users from fetching your server's environment variables.
* Can be used by web-hosting providers, webmasters and anyone who needs to use the same formmail script to several webpages or domains.

Another exploit was reported which makes it possible for a remote user to view the Environment and Setup variables of the server running the formmail perl script.
Reference: http://www.securityfocus.com/templates/archive.pike?list=1&mid=59441

The patched script mentioned here also prevents an unauthorised user from fetching the environment and setup variables of the server.

A patched version of the script can be downloaded from http://www.mailvalley.com/formmail/

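
The recipient allowlist described in the message, sketched as an added example (not code from the patched script or from Matt Wright's original). The one-address-per-line file format with '#' comments, the function names and the sample addresses are assumptions. The check runs server-side on the submitted value, so it does not depend on the request method or the Referer header, and it also rejects commas, whitespace and line breaks (a check added here, not mentioned in the message) so one field cannot carry several recipients.

```perl
#!/usr/bin/perl
# Added example: recipient allowlist check for a form-to-mail CGI script.
# Assumed file format: one address per line, '#' starts a comment.
use strict;
use warnings;

# Parse allowlist text into a lookup hash keyed by lowercased address.
sub parse_allowlist {
    my ($text) = @_;
    my %allowed;
    for my $line (split /\r?\n/, $text) {
        $line =~ s/#.*//;            # strip comments
        $line =~ s/^\s+|\s+$//g;     # trim surrounding whitespace
        next unless length $line;
        $allowed{ lc $line } = 1;
    }
    return \%allowed;
}

# Return the normalized address if the value is exactly one allowlisted
# recipient, otherwise nothing. Separators, whitespace, CR/LF and control
# characters are rejected before the lookup.
sub authorized_recipient {
    my ($allowed, $recipient) = @_;
    return unless defined $recipient && length $recipient;
    return if $recipient =~ /[\s,;<>()\x00-\x1f]/;
    return unless $recipient =~ /\A[^\@]+\@[^\@]+\z/;
    my $addr = lc $recipient;
    return $allowed->{$addr} ? $addr : ();
}

# Constructed sample allowlist (in practice, read from the text file).
my $allowed = parse_allowlist(<<'END');
# recipients allowed to receive form mail
sales@example.com
Support@Example.org
END

# Constructed sample form values.
for my $candidate (
    'sales@example.com',
    'SUPPORT@example.org',
    'victim@example.net',
    'sales@example.com,victim@example.net',
    "sales\@example.com\nBcc: victim\@example.net",
) {
    (my $shown = $candidate) =~ s/\n/\\n/g;
    printf "%-48s %s\n", $shown,
        defined authorized_recipient($allowed, $candidate) ? 'send' : 'reject';
}
```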

