Formmail.pl Exploit - Anti-Spam and security fix available

by kanda samy <ksamy2000(at)yahoo.com>

 Date:  Mon, 30 Jul 2001 05:17:22 -0700 (PDT)
 To:  hwg-servers(at)hwg.org
I searched through the archives and it appears this
issue has not been discussed in this list.
Hope the following information will be useful to
members. Those who are on the bugtraq and other
security related lists might be already aware of this
solution.

Anti-Spam and security fix available for formmail.pl
http://www.mailvalley.com/formmail/

A serious flaw in the popular CGI program Formmail.pl
allows spammers to send anonymous emails. This
vulnerability has already been exploited by spammers 
in many installations of Formmail.pl.

Earlier, two workarounds were suggested:

1) Modify the perl script to disallow the GET method.
Vulnerability of this workaround:
It is possible to write a script that uses the POST method to post to formmail
even with a faked http_referrer field. So this may not be a permanent solution.

2) Hard-code the recipient's address into the formmail perl script.
Limitations of this workaround:
This is not at all useful when a single formmail script needs to be used for
multiple domains and email addresses.

A patched version of Matt Wright's Formmail.pl is now available.

Parameshwar Babu (babuweb(at)mailvalley.com) has released a patched version of
the formmail script that contains a fix for this security hole in the script.
The modified script allows you to specify the list of
recipient email addresses in a text file. Thus the
script can be used to restrict emails so that they
would be sent only to authorized addresses.

Summary: the patched version of the script:
* Prevents the script from being used by spammers.
* Allows you to specify, in a text file, a list of recipients who are
authorized to receive emails.
* Prevents unauthorised users from fetching your server's environment variables.
* Can be used by web-hosting providers, webmasters and anyone who needs to use
the same formmail script for several webpages or domains.

Another exploit was reported which makes it possible
for a remote user to view the Environment and Setup
variables of the server running the formmail perl
script. 

The patched script mentioned here also prevents an
unauthorised user from fetching the environment and
setup variables of the server. 

A patched version of the script can be downloaded from
http://www.mailvalley.com/formmail/



HWG: hwg-servers mailing list archives, maintained by Webmasters @ IWA
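The recipient allow-list idea from the post above, as an added example that is not the mailvalley.com patch nor Matt Wright's code: the allow-list file format (one address per line, `#` comments) and the sample addresses are assumptions, since the post does not describe the patch's format.

```perl
#!/usr/bin/perl -w
# Added example: restrict a form mailer's "recipient" field to addresses
# listed in a text file, rejecting the whole request if any address is
# not on the list. Not the mailvalley.com patch itself.
use strict;
use File::Temp qw(tempfile);

# Load the allow-list (assumed format: one address per line, "#" starts a
# comment) into a hash keyed by lower-cased address.
sub load_allowed {
    my ($path) = @_;
    my %allowed;
    open(my $fh, '<', $path) or die "cannot open $path: $!";
    while (my $line = <$fh>) {
        chomp $line;
        $line =~ s/#.*//;          # strip comments
        $line =~ s/^\s+|\s+$//g;   # trim surrounding whitespace
        next if $line eq '';
        $allowed{lc $line} = 1;
    }
    close $fh;
    return \%allowed;
}

# Return the normalised recipients from the submitted (comma-separated)
# value, or an empty list if any one of them is not authorized.
sub authorized_recipients {
    my ($submitted, $allowed) = @_;
    my @out;
    for my $addr (split /,/, $submitted) {
        $addr =~ s/^\s+|\s+$//g;
        return () unless $addr ne '' && $allowed->{lc $addr};
        push @out, lc $addr;
    }
    return @out;
}

# Stand-alone demo with a constructed allow-list written to a temp file;
# a CGI would call load_allowed() on its real allow-list path instead.
if (!caller) {
    my ($fh, $tmp) = tempfile();
    print $fh "# constructed sample allow-list\n",
              "webmaster\@example.com\nsales\@example.com\n";
    close $fh;
    my $allowed = load_allowed($tmp);
    for my $r ('Webmaster@example.com',
               'sales@example.com, other@example.net') {
        my @ok = authorized_recipients($r, $allowed);
        printf "%-40s %s\n", $r, @ok ? "accepted: @ok" : "rejected";
    }
}
```

The second sample request is rejected as a whole rather than delivered to the one authorized address, which keeps a mixed list from being used to reach an arbitrary recipient.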