Re: Formmail.pl Exploit - Anti-Spam and security fix available

by "Grant Peel" <grant(at)thenetnow.com>

 Date:  Wed, 1 Aug 2001 10:07:48 -0400
 To:  "John Romano" <jromano(at)pb.net>,
"Rich Bowen" <rbowen(at)rcbowen.com>,
"kanda samy" <ksamy2000(at)yahoo.com>
 Cc:  <hwg-servers(at)hwg.org>
Hi all,

Although I am not a 'seasoned' cgi scripter by any stretch, I have found
that renaming the formmail.pl script seems to help keep out the
spammers. I also make use of the referer array, but I do know that faked
referers can get around this.

F.Y.I. Matt has updated the script a day or two ago.

http://www.worldwidemart.com/scripts/formmail.shtml

He insists everyone should update.

Regards,

-Grant

Grant W. Peel
Technical Administrator
The Net Now - Expresshost
grant(at)thenetnow.com
http://thenetnow.com

----- Original Message -----
From: "John Romano" <jromano(at)pb.net>
To: "Rich Bowen" <rbowen(at)rcbowen.com>; "kanda samy" <ksamy2000(at)yahoo.com>
Cc: <hwg-servers(at)hwg.org>
Sent: Wednesday, August 01, 2001 8:59 AM
Subject: Re: Formmail.pl Exploit - Anti-Spam and security fix available


> Some years ago I had given the formmail.pl script to a friend of mine to
> rewrite as a project to learn Perl. He's an assembler/c/ml programmer and
> wanted to get introduced to the wonderful world of web and CGI.
>
> The results were a much cleaner bit of code that had many more features than
> formmail, as well as built-in referer checking for security.  It's in the
> public domain, so if you're interested here's where you can get it;
>
> http://www.glass-castle.com/joeyform
> Joey is the guy who wrote it.
>
> For years I've been using it for all my web hosting clients and have never
> had an abuse problem (that I know of).
>
> John Romano
> LIHQ/GC
> www.glass-castle.com
> www.lihq.net
>
>
>
> ----- Original Message -----
> From: "Rich Bowen" <rbowen(at)rcbowen.com>
> To: "kanda samy" <ksamy2000(at)yahoo.com>
> Cc: <hwg-servers(at)hwg.org>
> Sent: Wednesday, August 01, 2001 7:30 AM
> Subject: Re: Formmail.pl Exploit - Anti-Spam and security fix available
>
>
> > On Mon, 30 Jul 2001, kanda samy wrote:
> >
> > > Anti-Spam and security fix available for formmail.pl
> > > http://www.mailvalley.com/formmail/
> >
> > I would suggest that the best way to patch problems with Matt Wright's
> > code is to use different code. Matt's code is (and he fully admits
> > this) old, buggy, and should not be used. Not a single piece of Matt's
> > stuff has been updated since 1996.
> >
> > This security vulnerability with formmail.pl was pointed out back in
> > 1995, and is a vulnerability with *any* web-based mail form which is
> > unauthenticated. There's really no way around that. The proposed
> > solutions are only partial solutions. If you're going to allow
> > strangers to fill out a form on your web site to send mail, someone is
> > going to abuse that. The same thing goes for those delightful
> > "postcard" programs.
> >
> > Ironically, one of my first CGI programs was a postcard program, and I
> > have written a replacement for formmail.pl. (It's called mailform.pl
> > and it's on CPAN in the scripts area.) But they are intrinsically
> > insecure, because they have form values which determine where to send
> > stuff. Someone could exploit them if they really wanted to.
> >
> > The important thing to remember is not so much that Matt's code is
> > buggy, but that any time you put a form on a web page, someone is
> > going to attempt to exploit it to do bad things, and you have to
> > assume that when you're designing. Security by hidden form fields only
> > works for nice people.
> >
> > --
> > Rich Bowen - rbowen(at)rcbowen.com
> > Have trouble remembering things?
> > http://www.idforgetmyhead.com/
> >
>
>
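Grant's referer array and Rich's point that the recipient is chosen by form values both come down to one control, shown here as an added example in Python (not formmail.pl's code and not any script from this thread): the mailbox list lives in the script's configuration, the form only carries an alias, and the Referer is a secondary signal that a forged header can defeat. Host names, addresses and field names are constructed for the example.

```python
"""Recipient allow-list for a formmail-style CGI handler (added example)."""
from urllib.parse import urlparse

# Constructed configuration for the example: aliases visible in the HTML
# map to mailboxes that exist only in the script's configuration.
RECIPIENTS = {
    "webmaster": "webmaster@example.org",
    "sales": "sales@example.org",
}
OUR_HOSTS = {"www.example.org", "example.org"}


def referer_ok(referer):
    """True when the Referer header names one of our hosts.

    A client can send any Referer it likes, so this only screens out
    careless abuse; it is not the control that prevents relaying.
    """
    if not referer:
        return False
    host = urlparse(referer).hostname
    return host is not None and host.lower() in OUR_HOSTS


def build_mail(form, referer=None):
    """Validate a submission and return (ok, result).

    `form` mirrors formmail's fields: `recipient`, `email`, `subject`,
    `message`. On success `result` is the message to hand to sendmail;
    otherwise it is a short rejection reason.
    """
    alias = form.get("recipient", "").strip().lower()
    # The hard gate: an unknown alias, or a raw address smuggled into the
    # hidden field, is refused. This is what stops the script relaying.
    if alias not in RECIPIENTS:
        return False, "recipient not permitted"
    # Defence in depth only; refuse off-site referers knowing they can
    # be spoofed, so this check never stands alone.
    if not referer_ok(referer):
        return False, "referer check failed"
    return True, {
        "to": RECIPIENTS[alias],
        "from": form.get("email", "").strip(),
        "subject": form.get("subject", "Form submission"),
        "body": form.get("message", ""),
    }
```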

HWG: hwg-servers mailing list archives, maintained by Webmasters @ IWA