Bugtraq mailing list archives

Re: CORRECTION to CODE: FormMail.pl can be used to send anonymous email


From: Scott Buchanan <scott () AXE NET AU>
Date: Tue, 13 Mar 2001 10:14:22 +1100

To reply to all of these messages... Patching FormMail to check the referrer
is NOT ample security. It takes about 30 seconds to write a Perl script to
POST to FormMail.pl with a faked HTTP_REFERRER field.

Probably the only useful solution is to hack the script to use an array of
valid email addresses to send to, rather than an array of valid domains to
send from.

We host virtual domains and what we did was modify the FormMail.pl script to
validate the referrer against a SQL database. This prevents any but local
pages from calling our script. In fact, we recently had a customer who was
ticked off because he had a page on Angelfire from which he wanted to call our
formmail script, and it wouldn't work because the referrer was not listed in
the SQL database.
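As an added example (not part of the original post and not FormMail.pl's own code), the two checks discussed above side by side in Python: a Referer-based check, which accepts any request that carries a plausible header, and the recipient allowlist the post recommends, which does not depend on any client-supplied value. The trusted domains, allowed addresses and sample requests are constructed for this example.

```python
from urllib.parse import urlparse

# Hypothetical operator configuration: the referrer domains a FormMail-style
# script would trust, versus the only mailboxes the form may deliver to.
REFERER_DOMAINS = {"www.example.com", "example.com"}
ALLOWED_RECIPIENTS = {"sales@example.com", "support@example.com"}


def referer_check(env):
    """FormMail-style check: trusts the Referer header the client sends."""
    host = urlparse(env.get("HTTP_REFERER", "")).hostname or ""
    return host.lower() in REFERER_DOMAINS


def recipient_check(form):
    """Server-side policy: deliver only to pre-approved addresses.

    FormMail accepts a comma-separated 'recipient' field, so every entry
    must be on the allowlist; an empty field is rejected as well.
    """
    recipients = [r.strip().lower() for r in form.get("recipient", "").split(",")]
    recipients = [r for r in recipients if r]
    return bool(recipients) and all(r in ALLOWED_RECIPIENTS for r in recipients)


# Constructed requests: a legitimate submission from the site's own form, and
# a submission whose Referer was copied from that form but whose recipient
# points off-site. The Referer check cannot tell them apart; the allowlist can.
LEGIT_ENV = {"HTTP_REFERER": "http://www.example.com/contact.html"}
LEGIT_FORM = {"recipient": "sales@example.com"}
FORGED_ENV = {"HTTP_REFERER": "http://www.example.com/contact.html"}
FORGED_FORM = {"recipient": "someone@elsewhere.invalid"}


def evaluate(env, form):
    """Return the verdict of each check for one request."""
    return {"referer_ok": referer_check(env), "recipient_ok": recipient_check(form)}


if __name__ == "__main__":
    print("legit :", evaluate(LEGIT_ENV, LEGIT_FORM))
    print("forged:", evaluate(FORGED_ENV, FORGED_FORM))
```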
