[28572] in bugtraq


Re: XSS (Cross Site Scripting) on FormMail.CGI

daemon@ATHENA.MIT.EDU (Scott Buchanan)
Wed Jan 22 20:01:54 2003

Message-ID: <3E2CB8B7.1030206@axe.net.au>
Date: Tue, 21 Jan 2003 14:04:23 +1100
From: Scott Buchanan <scott.buchanan@axe.net.au>
MIME-Version: 1.0
To: Rynho Zeros Web <hackargentino@gmx.net>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit


According to the script at: http://www.l-c-u.com.ar/cgi-sys/FormMail.cgi
which says:

FormMail-Clone
This is FormMail-clone, a clone of FormMail.cgi. It is a clean room version 
for legal purposes (a less restrictive license), but should behave the 
exact same way as Matt Wright's Original, but contain none of his code.

it isn't the same script as: http://www.scriptarchive.com/formmail.html


It is nice to see that Matt Wright has finally updated FormMail to be less 
SPAM friendly, but there have been a few more secure alternatives around 
for a while - there's even a link to 'NMS' FormMail on the Script Archive page.

Rynho Zeros Web wrote:
> #############################################################
>  
>  Topic:        XSS (Cross Site Scripting) on FormMail.CGI  
>  Version:      1.92                                        
>  Released:     April 21, 2002                              
>  Manufacturer: http://www.scriptarchive.com/formmail.html  
>  
>  By XyborG - xyborg@bigfoot.com - http://www.rzweb.com.ar/
>  
> #############################################################
>  
> 
> FormMail.cgi is a utility that serves to send forms by email, among other
> uses.
>  
> The operation is simple.  See the example:
> 
> 
> http://www.l-c-u.com.ar/cgi-sys/FormMail.cgi?<script>alert("<center>Sorry,this\nis\nthe\nsecurity\nsite?\nNo_lo_Creo\n\nCyervo_Lamos...");</script>
>  
> Duh!
> 
> #############################################################
>  
>  Topic:        XSS (Cross Site Scripting) on FormMail.CGI  
>  Version:      1.92                                        
>  Released:     April 21, 2002                              
>  Manufacturer: http://www.scriptarchive.com/formmail.html  
>  
>  By XyborG - xyborg@bigfoot.com - http://www.rzweb.com.ar/
>  
> #############################################################
> 


-- 
regards,

scott buchanan / systems engineer
                                             scott.buchanan@axegroup.com.au
axe group                 51a hume street  crows nest  nsw 2065  australia
abn 62 095 107 814                                       t +61 2 9966 9336
                                                          f +61 2 9966 9337

This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify axe group.
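The quoted advisory shows the whole query string being echoed back into the CGI's response page, which is what makes a `<script>` payload in the URL execute in the visitor's browser. The following is an added example, not code from FormMail.cgi, FormMail-clone, or either poster: a hypothetical stand-in for a CGI error page that reflects QUERY_STRING, first the vulnerable echo and then the same page with the reflected value HTML-escaped. The function names, the sample payload and the crude `<script` check are all invented for illustration.

```python
"""Reflected XSS through a CGI query string: vulnerable vs. hardened rendering.

Added example; not code from FormMail.cgi, FormMail-clone or this thread.
The handler below is a hypothetical stand-in for a CGI that echoes its
QUERY_STRING into an HTML error page; all names here are invented.
"""
import html
import os
import re
from urllib.parse import unquote_plus

# Constructed payload with the same shape as the one in the quoted advisory:
# the entire query string is a script tag, with no key=value structure at all.
PAYLOAD = '<script>alert("xss")</script>'

# Same payload as a browser would often send it, percent-encoded.
ENCODED_PAYLOAD = "%3Cscript%3Ealert(%22xss%22)%3C/script%3E"

SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)


def raw_query(query_string: str) -> str:
    """Decode QUERY_STRING the way many old Perl CGIs did: a bare
    URL-decode of the whole string, with no escaping afterwards."""
    return unquote_plus(query_string)


def render_error_vulnerable(query_string: str) -> str:
    """Echo the decoded query string straight into the page body.
    This is the reflected-XSS pattern: attacker input becomes markup."""
    return (
        "<html><body><h1>Error</h1>"
        f"<p>Bad request: {raw_query(query_string)}</p>"
        "</body></html>"
    )


def render_error_fixed(query_string: str) -> str:
    """Same page, but the reflected value is HTML-escaped first, so
    < > & " ' become entities and cannot open a tag or an attribute."""
    safe = html.escape(raw_query(query_string), quote=True)
    return (
        "<html><body><h1>Error</h1>"
        f"<p>Bad request: {safe}</p>"
        "</body></html>"
    )


def contains_live_script(page: str) -> bool:
    """Crude check used only to compare the two renderings here:
    does the response body still contain an unescaped <script tag?"""
    return bool(SCRIPT_RE.search(page))


def cgi_response(query_string: str, hardened: bool) -> str:
    """Build a complete CGI response (header block plus body)."""
    body = (render_error_fixed(query_string) if hardened
            else render_error_vulnerable(query_string))
    return "Content-Type: text/html\r\n\r\n" + body


if __name__ == "__main__":
    # When run under a real CGI gateway QUERY_STRING is set by the server;
    # stand-alone we fall back to the constructed payload.
    qs = os.environ.get("QUERY_STRING", ENCODED_PAYLOAD)
    for hardened in (False, True):
        page = cgi_response(qs, hardened)
        label = "hardened" if hardened else "vulnerable"
        print(f"[{label}] live <script> present: {contains_live_script(page)}")
        print(page)
        print()
```

Note that the percent-encoded form is decoded before it is reflected, so it is just as dangerous as the literal one in the vulnerable rendering; the fix is to escape at the point of output, not to reject particular characters on input.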

