Bugtraq mailing list archives
Re: CORRECTION to CODE: FormMail.pl can be used to send anonymousemail
From: Scott Buchanan <scott () AXE NET AU>
Date: Tue, 13 Mar 2001 10:14:22 +1100
To reply to all of these messages... Patching FormMail to check the referrer is NOT ample security. It takes about 30 seconds to write a Perl script to POST to FormMail.pl with a faked HTTP_REFERRER field. Probably the only useful solution is to hack the script to use an array of valid email addresses to send to, rather than an array of valid domains to send from.
We host virtual domains and what we did was modify the FormMail.pl script to validate the referrer against a SQL database. This prevents any but local pages from calling our script. In fact we had a customer recently who was ticked off because he had a page on angelfire from which he wanted to call our formmail script, and it wouldn't work because the referrer was not listed in the SQL database.
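As an added illustration (an editor's example in Python, not FormMail's own Perl code and not from anyone in this thread) of the recipient allow-list approach proposed above: the form's `recipient` field is accepted only if it is exactly one address from a fixed list, and the client-supplied Referer header plays no part in the decision. The allowed addresses are constructed placeholders.

```python
import re

# Constructed allow-list of the only addresses the form may deliver to
# (hypothetical values, not taken from any real FormMail deployment).
ALLOWED_RECIPIENTS = frozenset({
    "sales@example.com",
    "webmaster@example.com",
})

# Deliberately strict single-address syntax; anything fancier is refused.
_ADDR_RE = re.compile(r"^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$")


def normalize_recipient(raw):
    """Return a canonical form of a submitted recipient, or None if malformed.

    Rejects anything that could smuggle extra recipients or headers past
    the comparison: CR/LF (header injection), commas/semicolons (address
    lists), embedded whitespace, and angle-bracket display names.
    """
    if raw is None:
        return None
    value = raw.strip().lower()
    if not value or any(c in value for c in "\r\n,;<> \t"):
        return None
    if not _ADDR_RE.match(value):
        return None
    return value


def recipient_allowed(raw_recipient):
    """True only if the 'recipient' field is exactly one allow-listed address.

    Note what is *not* consulted: HTTP_REFERER. The decision rests solely on
    server-side configuration, so a forged header changes nothing.
    """
    addr = normalize_recipient(raw_recipient)
    return addr is not None and addr in ALLOWED_RECIPIENTS


if __name__ == "__main__":
    # Constructed form submissions: one legitimate, the rest attempts to
    # relay to an outside address or to append extra headers.
    for field in ("sales@example.com",
                  "victim@example.org",
                  "sales@example.com, victim@example.org",
                  "sales@example.com\r\nBcc: victim@example.org"):
        print(repr(field), "->", "deliver" if recipient_allowed(field) else "refuse")
```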
Current thread:
- CORRECTION to CODE: FormMail.pl can be used to send anonymous email Michael Rawls (Mar 11)
- Re: CORRECTION to CODE: FormMail.pl can be used to send anonymous email Palmans Pepijn (Mar 12)
- Re: CORRECTION to CODE: FormMail.pl can be used to send anonymous email Joel Sing (Mar 12)
- Re: CORRECTION to CODE: FormMail.pl can be used to send anonymous email Steffen Dettmer (Mar 12)
- Re: CORRECTION to CODE: FormMail.pl can be used to send anonymous email Steve Reid (Mar 13)
- Re: CORRECTION to CODE: FormMail.pl can be used to send anonymousemail Scott Buchanan (Mar 12)
- Re: CORRECTION to CODE: FormMail.pl can be used to send anonymousemail Scott Buchanan (Mar 13)
- Re: CORRECTION to CODE: FormMail.pl can be used to send anonymous email Steve Reid (Mar 12)