[19626] in bugtraq


Re: CORRECTION to CODE: FormMail.pl can be used to send

daemon@ATHENA.MIT.EDU (Scott Buchanan)
Tue Mar 13 19:21:13 2001

MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID:  <3AAD584E.405B5FBB@axe.net.au>
Date:         Tue, 13 Mar 2001 10:14:22 +1100
Reply-To: Scott Buchanan <scott@AXE.NET.AU>
From: Scott Buchanan <scott@AXE.NET.AU>
To: BUGTRAQ@SECURITYFOCUS.COM

To reply to all of these messages... Patching FormMail to check the referrer
is NOT ample security. It takes about 30 seconds to write a Perl script to
POST to FormMail.pl with a faked HTTP_REFERER field.

Probably the only useful solution is to hack the script to use an array of
valid email addresses to send to, rather than an array of valid domains to
send from.

> We host virtual domains and what we did was modify the FormMail.pl script to
> validate the referrer against a SQL database.  This prevents any but local
> pages from calling our script. In fact we had a customer recently that was
> ticked off because he had a page on angelfire that he wanted to call our
> formmail script from that page and it wouldn't work due to the referrer
> not being listed in the SQL database.
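
As an added illustration of the two points made above (this is not code from the original post, nor FormMail.pl's own code), here is a Python model of a FormMail-style handler: a Referer check of the kind being discussed, the forged POST that walks straight past it, and a recipient allowlist that consults no client-supplied header at all. The host names, addresses, form fields and the regex form of the referer match are assumptions constructed for the example.

```python
"""Added example: why a Referer check on a FormMail-style CGI is not a
security boundary, and what the recipient-allowlist alternative looks like.
All hosts, addresses and fields are constructed; the two check functions are
simplified models, not FormMail.pl's code.
"""
import re
from urllib.parse import parse_qs, urlencode

# --- the weak control: trust the Referer header -----------------------------
VALID_DOMAINS = ["www.example.com", "example.com"]   # constructed "valid referers" list


def referer_allows(environ, valid_domains=VALID_DOMAINS):
    """Model of a referer check: accept if HTTP_REFERER names a listed host.

    HTTP_REFERER is copied verbatim from the client's Referer header, so the
    server has no way to tell a real browser visit from a script that typed
    the string in. The check stops careless clients, not hostile ones.
    """
    referer = environ.get("HTTP_REFERER", "")
    for domain in valid_domains:
        if re.match(r"https?://([^/]*)" + re.escape(domain), referer, re.I):
            return True
    return False


# --- the spammer's side: the Referer is just bytes the client chooses ---------
def forged_post(target_host, script_path, fake_referer, fields):
    """Build the raw HTTP/1.0 POST a 30-second spam script would send.

    Every header, the Referer included, is whatever the client wants it to be.
    """
    body = urlencode(fields)
    return (
        f"POST {script_path} HTTP/1.0\r\n"
        f"Host: {target_host}\r\n"
        f"Referer: {fake_referer}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n{body}"
    )


def cgi_environ_from_request(raw):
    """Translate the raw request into the (simplified) CGI environment the
    script would see: each header becomes HTTP_<NAME>, body is returned as-is."""
    head, _, body = raw.partition("\r\n\r\n")
    env = {"REQUEST_METHOD": "POST"}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(": ")
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env, body


# --- the stronger control: allowlist the addresses mail may be sent to --------
ALLOWED_RECIPIENTS = {"sales@example.com", "webmaster@example.com"}  # constructed


def recipient_allowed(recipient, allowed=ALLOWED_RECIPIENTS):
    """Accept only an exact (case-normalised) match against a server-side list.

    Nothing here comes from a client header, so there is nothing to forge:
    the spammer can only ever reach the site's own mailboxes.
    """
    return recipient.strip().lower() in allowed


def demo():
    """Run both checks against the same forged request."""
    raw = forged_post(
        "www.example.com", "/cgi-bin/FormMail.pl",
        "http://www.example.com/contact.html",          # forged Referer
        {"recipient": "victim@spam-target.invalid",      # where the spam goes
         "subject": "junk"},
    )
    env, body = cgi_environ_from_request(raw)
    recipient = parse_qs(body)["recipient"][0]
    return {
        "referer_check_passes": referer_allows(env),
        "recipient_check_passes": recipient_allowed(recipient),
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows the referer check accepting the forged request while the recipient allowlist rejects it; the only change a hosting provider needs on the allowlist side is to populate the set of addresses each virtual domain is permitted to mail to.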
