Bugtraq mailing list archives
Formmail.pl Exploit - Anti-Spam and security fix available
From: kanda samy <ksamy2000 () yahoo com>
Date: Mon, 25 Jun 2001 08:24:10 -0700 (PDT)
Anti-Spam and security fix available for formmail.pl http://www.mailvalley.com/formmail/ A serious flaw in the popular CGI program Formmail.pl allows spammers to send anonymous emails. This vulnerability has already been exploited by spammers in many installations of Formmail.pl. Reference : http://www.securityfocus.com/templates/archive.pike?list=1&mid=168177 Earlier, two workarounds were suggested: 1) Modify the perl script to disallow the GET method Vulnerability of this workaround : It is possible to write a script that uses POST method to post to formmail even with a faked http_referrer field. So this may not be a permanent solution. 2) Hard-code the recipient's address into the formmail perl script. Limitations of this workaround: This is not at all useful when a single formmail script needs to be used for multiple domains and email addresses. Patched version of the Matt Wright's Formmail.pl is now available. Parameshwar Babu (babuweb () mailvalley com) has released a patched version of formmmail script that contains a fix to this security hole in the script. The modified script allows you to specify the list of recipient email addresses in a text file. Thus the script can be used to restrict emails so that they would be sent only to authorized addresses. Summary : The patched version of the script : - * Prevents the script from being used by spammers * Allows you to specify a list of recipients in a text file who are authorized to receive emails. * Prevents unauthorised users from fetching your server's environment variables. * Can be used by web-hosting providers, webmasters and anyone who needs to use the same formmail script to several webpages or domains. Another exploit was reported which makes it possible for a remote user to view the Environment and Setup variables of the server running the formmail perl script. Reference : http://www.securityfocus.com/templates/archive.pike?list=1&mid=59441 The patched script mentioned here also prevents an unauthorised user from fetching the environment and setup variables of the server. A patched version of the script can be downloaded from http://www.mailvalley.com/formmail/ __________________________________________________ Do You Yahoo!? Get personalized email addresses from Yahoo! Mail http://personal.mail.yahoo.com/
Current thread:
- Formmail.pl Exploit - Anti-Spam and security fix available kanda samy (Jun 26)