Re: Formmail.pl Exploit - Anti-Spam and security fix available

by "John Romano" <jromano(at)pb.net>

 Date:  Wed, 1 Aug 2001 08:59:15 -0400
 To:  "Rich Bowen" <rbowen(at)rcbowen.com>,
"kanda samy" <ksamy2000(at)yahoo.com>
 Cc:  <hwg-servers(at)hwg.org>
 References:  rcbowen
Some years ago I had given the formmail.pl script to a friend of mine to
rewrite as a project to learn Perl. He's an assembler/C/ML programmer and
wanted to get introduced to the wonderful world of web and CGI.

The results were a much cleaner bit of code that had many more features than
formmail, as well as built-in referer checking for security.  It's in the
public domain, so if you're interested here's where you can get it:

http://www.glass-castle.com/joeyform
Joey is the guy who wrote it.

For years I've been using it for all my web hosting clients and have never
had an abuse problem (that I know of).

John Romano
LIHQ/GC
www.glass-castle.com
www.lihq.net



----- Original Message -----
From: "Rich Bowen" <rbowen(at)rcbowen.com>
To: "kanda samy" <ksamy2000(at)yahoo.com>
Cc: <hwg-servers(at)hwg.org>
Sent: Wednesday, August 01, 2001 7:30 AM
Subject: Re: Formmail.pl Exploit - Anti-Spam and security fix available


> On Mon, 30 Jul 2001, kanda samy wrote:
>
> > Anti-Spam and security fix available for formmail.pl
> > http://www.mailvalley.com/formmail/
>
> I would suggest that the best way to patch problems with Matt Wright's
> code is to use different code. Matt's code is (and he fully admits
> this) old, buggy, and should not be used. Not a single piece of Matt's
> stuff has been updated since 1996.
>
> This security vulnerability with formmail.pl was pointed out back in
> 1995, and is a vulnerability with *any* web-based mail form which is
> unauthenticated. There's really no way around that. The proposed
> solutions are only partial solutions. If you're going to allow
> strangers to fill out a form on your web site to send mail, someone is
> going to abuse that. The same thing goes for those delightful
> "postcard" programs.
>
> Ironically, one of my first CGI programs was a postcard program, and I
> have written a replacement for formmail.pl. (It's called mailform.pl
> and it's on CPAN in the scripts area.) But they are intrinsically
> insecure, because they have form values which determine where to send
> stuff. Someone could exploit them if they really wanted to.
>
> The important thing to remember is not so much that Matt's code is
> buggy, but that any time you put a form on a web page, someone is
> going to attempt to exploit it to do bad things, and you have to
> assume that when you're designing. Security by hidden form fields only
> works for nice people.
>
> --
> Rich Bowen - rbowen(at)rcbowen.com
> Have trouble remembering things?
> http://www.idforgetmyhead.com/
>
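
The following is an added example for this archive page, not code from formmail.pl, joeyform or mailform.pl. It puts the two designs discussed in the thread side by side: a formmail-style handler where the form's own fields decide where the mail goes (with a Referer check bolted on, as John Romano describes), and a hardened handler where the form may only name a key that resolves to an address configured on the server. The hostname, the recipient map and the sample requests are all assumed values constructed for the example; nothing is actually sent, each handler just returns the envelope it would hand to sendmail.

```python
"""Added example: a form-to-mail gateway the formmail way versus a hardened
one.  Illustrative code written for this archive page; it is not the source
of formmail.pl, joeyform or mailform.pl.  Hostnames and addresses are
assumed values.  Nothing is sent: each handler returns the envelope it would
hand to sendmail, so the two designs can be compared offline."""

from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

SITE_HOST = "www.example.org"          # assumed: host the form lives on
# Assumed server-side map.  The form may only name a key, never an address.
RECIPIENTS = {
    "sales": "sales@example.org",
    "webmaster": "webmaster@example.org",
}


class Rejected(Exception):
    """Raised when a handler refuses to build a message."""


@dataclass
class Envelope:
    to: str
    sender: str
    reply_to: str
    subject: str
    body: str


def parse_form(form_body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body; first value per field."""
    return {k: v[0] for k, v in parse_qs(form_body, keep_blank_values=True).items()}


def referer_is_local(headers: dict) -> bool:
    """The kind of Referer check formmail-style scripts rely on.  The client
    sends this header, so a script that POSTs directly simply forges it."""
    return urlsplit(headers.get("Referer", "")).hostname == SITE_HOST


def formmail_style(form_body: str, headers: dict) -> Envelope:
    """The design Rich Bowen describes: form values decide where mail goes.
    With a Referer check bolted on it is still an open relay for anyone
    willing to set one header."""
    if not referer_is_local(headers):
        raise Rejected("referer not local")
    form = parse_form(form_body)
    return Envelope(
        to=form.get("recipient", ""),            # attacker-controlled
        sender=form.get("email", ""),            # attacker-controlled
        reply_to=form.get("email", ""),
        subject=form.get("subject", "WWW Form Submission"),
        body=form.get("message", ""),
    )


def hardened(form_body: str, headers: dict) -> Envelope:
    """Recipient and From come from server configuration only.  The visitor's
    address goes in Reply-To, and header-bound fields are refused if they
    carry a CR/LF, which would let a client append headers such as Bcc."""
    form = parse_form(form_body)
    try:
        to = RECIPIENTS[form.get("recipient", "")]
    except KeyError:
        raise Rejected("recipient key not configured") from None
    reply_to = form.get("email", "")
    subject = form.get("subject", "WWW Form Submission")
    for field in (reply_to, subject):
        if "\r" in field or "\n" in field:
            raise Rejected("header injection attempt")
    return Envelope(
        to=to,
        sender="webform@" + SITE_HOST,
        reply_to=reply_to,
        subject=subject,
        body=form.get("message", ""),
    )


# Constructed spammer request: relays a message to an unrelated address and
# forges the Referer so the local-referer check passes.
SPAM_BODY = ("recipient=victim%40example.net&email=spammer%40example.com"
             "&subject=Buy+now&message=cheap+stuff")
SPOOFED_HEADERS = {"Referer": "http://www.example.org/contact.html"}

# Constructed legitimate request naming a configured recipient key.
GOOD_BODY = "recipient=sales&email=visitor%40example.com&message=Please+call+me"


if __name__ == "__main__":
    print("formmail-style relays to:", formmail_style(SPAM_BODY, SPOOFED_HEADERS).to)
    try:
        hardened(SPAM_BODY, SPOOFED_HEADERS)
    except Rejected as e:
        print("hardened refuses:", e)
    print("hardened delivers to:", hardened(GOOD_BODY, {}).to)
```

The point the example makes is the one in the thread: the Referer check only raises the bar for people using a browser, because a client that posts directly sets whatever Referer it likes, whereas taking the recipient out of the form altogether removes the relay. The hardened handler still accepts unauthenticated submissions, so it can be used to flood the configured addresses; that residual abuse is what rate limiting or a CAPTCHA-style step would address, and is outside this example.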

HWG: hwg-servers mailing list archives, maintained by Webmasters @ IWA