[19628] in bugtraq
Re: CORRECTION to CODE: FormMail.pl can be used to send anonymous
daemon@ATHENA.MIT.EDU (Steve Reid)
Tue Mar 13 19:26:16 2001
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID: <20010312205225.A27029@grok.bc.hsia.telus.net>
Date: Mon, 12 Mar 2001 20:52:25 -0800
Reply-To: Steve Reid <sreid@SEA-TO-SKY.NET>
From: Steve Reid <sreid@SEA-TO-SKY.NET>
X-To: Joel Sing <jsing@ORIGIN.NET.AU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <5.0.2.1.0.20010312143459.02df1ad0@202.139.144.9>; from Joel Sing
on Mon, Mar 12, 2001 at 03:05:59PM +1100
On Mon, Mar 12, 2001 at 03:05:59PM +1100, Joel Sing wrote:
> if ($ENV{'HTTP_REFERER'}) {
> foreach $referer (@referers) {
> if ($ENV{'HTTP_REFERER'} =~ m|https?://([^/]*)$referer|i) {
[snip]
> If the referer doesn't exist the script assumes everything is okay,
That regexp is broken, too. It will match a substring, so the referring
URL doesn't need to _be_ one of the strings listed, it just needs to
_contain_ it.
Not that it really matters compared to the other holes that have been
noticed, but this particular problem could be used to allow a third
party to forward web users to some other site's vulnerable formmail.pl.
For example, suppose you want the benefits of formmail.pl but don't
want to subject your own server to the holes. You could just create a
.html or .cgi that contains the address of a valid referrer in its
URL, that will forward users to some other site's formmail.pl. (This is
easily traced of course, if the site running the victim formmail.pl
keeps referrer logs.)
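The substring behaviour of the quoted check, exercised in a short Perl script. This is an added example, not code from FormMail.pl or from either poster; the allow-list hosts and the Referer values are constructed. The "broken" routine reproduces the quoted regex (unescaped $referer interpolated into the pattern, nothing anchoring the end of the host); the "fixed" routine is one way to tighten it: quotemeta() the host, anchor the match at the start of the string, and require the host to end at a port, a slash or end of string. It also rejects a missing Referer, which is a policy choice rather than part of the original script.

```perl
#!/usr/bin/perl
# Added example (not from FormMail.pl or the original post): runs the quoted
# referer check against constructed Referer values, next to a tightened
# version that escapes the allowed host and anchors the match.
use strict;
use warnings;

# Constructed allow-list; the real FormMail.pl lists the admin's own hosts.
my @referers = ('www.example.com', '192.0.2.10');

# The check as quoted above: $referer is interpolated unescaped, so '.' in
# it matches any character, and nothing anchors the end of the host, so a
# host that merely contains the string (after a run of non-slash characters)
# passes. Because the match is unanchored, "http://" anywhere in the URL,
# including inside the path, is also a valid starting point.
sub check_referer_broken {
    my ($ref) = @_;
    return 1 unless $ref;                     # missing Referer: allowed
    foreach my $referer (@referers) {
        return 1 if $ref =~ m|https?://([^/]*)$referer|i;
    }
    return 0;
}

# Tightened check: quotemeta() escapes the dots, \A pins the scheme to the
# start of the string, and the host must be followed by an optional :port
# and then '/' or end of string, so neither a longer host nor a URL embedded
# in the path can satisfy it. An absent Referer is rejected here (policy
# choice, not FormMail.pl's behaviour).
sub check_referer_fixed {
    my ($ref) = @_;
    return 0 unless defined $ref && length $ref;
    foreach my $referer (@referers) {
        my $host = quotemeta($referer);
        return 1 if $ref =~ m{\Ahttps?://$host(?::\d+)?(?:/|\z)}i;
    }
    return 0;
}

# Constructed Referer values and what each check returns for them.
my @cases = (
    'http://www.example.com/order.html',              # legitimate
    'http://www.example.com.attacker.test/form.html', # allowed host as prefix
    'http://wwwXexampleXcom/form.html',               # unescaped '.' matches X
    'http://attacker.test/http://www.example.com/',   # allowed URL in the path
    '',                                               # no Referer sent
);
for my $ref (@cases) {
    printf "%-52s broken=%d fixed=%d\n", "'$ref'",
        check_referer_broken($ref), check_referer_fixed($ref);
}
```

Running it prints broken=1 for every case and fixed=1 only for the first; the second and fourth lines are the two ways a third-party page can carry a "valid" referrer string in its own URL, and the third shows the unescaped dot matching arbitrary characters.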