Bugtraq mailing list archives

Re: CORRECTION to CODE: FormMail.pl can be used to send anonymous email


From: Steve Reid <sreid () SEA-TO-SKY NET>
Date: Mon, 12 Mar 2001 20:52:25 -0800

On Mon, Mar 12, 2001 at 03:05:59PM +1100, Joel Sing wrote:
>      if ($ENV{'HTTP_REFERER'}) {
>          foreach $referer (@referers) {
>              if ($ENV{'HTTP_REFERER'} =~ m|https?://([^/]*)$referer|i) {
> [snip]
> If the referer doesn't exist the script assumes everything is okay,

That regexp is broken, too. It will match a substring, so the referring
URL doesn't need to _be_ one of the strings listed, it just needs to
_contain_ it.

Not that it really matters compared to the other holes that have been
noticed, but this particular problem could be used to allow a third
party to forward web users to some other site's vulnerable formmail.pl.
For example, suppose you want the benefits of formmail.pl but don't
want to subject your own server to the holes. You could just create a
.html or .cgi that contains the address of a valid referrer in its
URL, that will forward users to some other site's formmail.pl. (This is
easily traced of course, if the site running the victim formmail.pl
keeps referrer logs.)
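The two weaknesses discussed in this thread (a missing Referer header is accepted, and the unanchored pattern only needs to find the allowed string somewhere in the host part) can be reproduced side by side. The following Python is an added illustration, not code from FormMail.pl or from either poster: `flawed_check` mirrors the quoted Perl logic, including the fact that `$referer` is interpolated into the pattern unescaped, so the `.` in a host name acts as a wildcard; `hardened_check` parses the URL and compares the host name exactly. The host names in `REFERERS` and the sample Referer values are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Allowed referring hosts, in the role of FormMail's @referers list.
# Constructed sample values for this illustration.
REFERERS = ["trusted.example", "www.trusted.example"]


def flawed_check(referer):
    """Mirror of the quoted FormMail.pl check.

    - An empty/absent Referer is accepted outright.
    - The pattern https?://([^/]*)<allowed> is unanchored at the end, so the
      allowed string only has to appear somewhere inside the host part.
    - The allowed string is interpolated unescaped, so '.' matches any char.
    """
    if not referer:
        return True
    for allowed in REFERERS:
        # Same regex as the Perl, with the list entry pasted in unescaped.
        if re.search(r"https?://([^/]*)" + allowed, referer, re.IGNORECASE):
            return True
    return False


def hardened_check(referer):
    """Exact host comparison instead of a substring regex.

    Requires a Referer, requires an http/https scheme, and compares the
    parsed host name (lower-cased, port stripped) against the allowlist.
    """
    if not referer:
        return False
    try:
        parts = urlsplit(referer)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname  # None when the URL has no host component
    if host is None:
        return False
    return host in {r.lower() for r in REFERERS}


if __name__ == "__main__":
    # Constructed sample Referer values exercising each weakness.
    samples = [
        "",                                                   # header absent
        "http://www.trusted.example/form.html",               # genuine
        "http://trusted.example.attacker.example/page.html",  # substring in host
        "http://trustedXexample/page.html",                   # '.' wildcard
        "http://trusted.example:8080/form.html",              # port present
    ]
    for s in samples:
        print(f"{s!r:55} flawed={flawed_check(s)!s:5} hardened={hardened_check(s)}")
```

The hardened version removes the two defects the post points out, but no Referer-based check is an access control: the header is sent by the client and can be omitted or set to anything, so it only prevents the accidental cross-site reuse described above.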

