[21198] in bugtraq
Formmail.pl Exploit - Anti-Spam and security fix available
daemon@ATHENA.MIT.EDU (kanda samy)
Tue Jun 26 15:26:12 2001
Message-ID: <20010625152410.63222.qmail@web13403.mail.yahoo.com>
Date: Mon, 25 Jun 2001 08:24:10 -0700 (PDT)
From: kanda samy <ksamy2000@yahoo.com>
To: bugtraq@securityfocus.com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Anti-Spam and security fix available for formmail.pl
http://www.mailvalley.com/formmail/
A serious flaw in the popular CGI program Formmail.pl
allows spammers to send
anonymous emails. This vulnerability has already been
exploited by spammers
in many installations of Formmail.pl.
Reference :
http://www.securityfocus.com/templates/archive.pike?list=1&mid=168177
Earlier, two workarounds were suggested:
1) Modify the perl script to disallow the GET method
Vulnerability of this workaround :
It is possible to write a script that uses POST method
to post to formmail
even with a faked http_referrer field. So this may not
be a permanent solution.
2) Hard-code the recipient's address into the formmail
perl script.
Limitations of this workaround:
This is not at all useful when a single formmail
script needs to be used for multiple
domains and email addresses.
Patched version of the Matt Wright's Formmail.pl is
now available.
Parameshwar Babu (babuweb@mailvalley.com) has released
a patched
version of formmmail script that contains a fix to
this security hole in the script.
The modified script allows you to specify the list of
recipient email addresses
in a text file. Thus the script can be used to
restrict emails so that they would be
sent only to authorized addresses.
Summary : The patched version of the script : -
* Prevents the script from being used by spammers
* Allows you to specify a list of recipients in a text
file who are authorized to receive emails.
* Prevents unauthorised users from fetching your
server's environment variables.
* Can be used by web-hosting providers, webmasters and
anyone who needs to use
the same formmail script to several webpages or
domains.
Another exploit was reported which makes it possible
for a remote user to view the
Environment and Setup variables of the server running
the formmail perl script.
Reference :
http://www.securityfocus.com/templates/archive.pike?list=1&mid=59441
The patched script mentioned here also prevents an
unauthorised user from
fetching the environment and setup variables of the
server.
A patched version of the script can be downloaded from
http://www.mailvalley.com/formmail/
__________________________________________________
Do You Yahoo!?
Get personalized email addresses from Yahoo! Mail
http://personal.mail.yahoo.com/
