Formmail.pl Exploit - Anti-Spam and security fix available

From: kanda samy (ksamy2000at_private)
Date: Mon Jun 25 2001 - 08:24:10 PDT


    Anti-Spam and security fix available for formmail.pl
    http://www.mailvalley.com/formmail/
    
    A serious flaw in the popular CGI program Formmail.pl allows spammers
    to send anonymous emails. This vulnerability has already been
    exploited by spammers in many installations of Formmail.pl.
    Reference:
    http://www.securityfocus.com/templates/archive.pike?list=1&mid=168177
    
    Earlier, two workarounds were suggested:
    
    1) Modify the perl script to disallow the GET method.
    Vulnerability of this workaround:
    It is possible to write a script that uses the POST method to post to
    formmail even with a faked http_referrer field. So this may not be a
    permanent solution.
    
    2) Hard-code the recipient's address into the formmail perl script.
    Limitations of this workaround:
    This is not at all useful when a single formmail script needs to be
    used for multiple domains and email addresses.
    
    A patched version of Matt Wright's Formmail.pl is now available.

    Parameshwar Babu (babuwebat_private) has released a patched version
    of the formmail script that contains a fix for this security hole in
    the script. The modified script allows you to specify the list of
    recipient email addresses in a text file. Thus the script can be used
    to restrict emails so that they are sent only to authorized
    addresses.
    
    Summary: The patched version of the script:
    * Prevents the script from being used by spammers.
    * Allows you to specify, in a text file, a list of recipients who are
      authorized to receive emails.
    * Prevents unauthorised users from fetching your server's environment
      variables.
    * Can be used by web-hosting providers, webmasters and anyone who
      needs to use the same formmail script for several webpages or
      domains.
    
    Another exploit was reported which makes it possible for a remote
    user to view the Environment and Setup variables of the server
    running the formmail perl script.
    Reference:
    http://www.securityfocus.com/templates/archive.pike?list=1&mid=59441
    
    The patched script mentioned here also prevents an unauthorised user
    from fetching the environment and setup variables of the server.
    
    A patched version of the script can be downloaded from
    http://www.mailvalley.com/formmail/
    
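The recipient restriction described in the message above, sketched as an added example: this is not code from the patched script or from the original post. The file format (one address per line, `#` for comments), the comma-separated recipient field, the function names and the sample addresses are all assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample of the recipients file: one address per line, '#' = comment.
my $ALLOWLIST_TEXT = <<'END';
# authorized recipients
sales@example.com
Support@Example.org
END

# Parse the list into a hash keyed by lower-cased address.
sub load_allowlist {
    my ($text) = @_;
    my %allowed;
    for my $line (split /\n/, $text) {
        $line =~ s/#.*//;            # drop comments
        $line =~ s/^\s+|\s+$//g;     # trim surrounding whitespace
        $allowed{lc $line} = 1 if length $line;
    }
    return \%allowed;
}

# Return the recipients if every one is on the list, else an empty list.
sub authorized_recipients {
    my ($field, $allowed) = @_;
    return () unless defined $field;
    return () if $field =~ /[\r\n\0]/;   # value goes into a mail header: one line only
    my @rcpts = split /,/, $field;       # assumed: comma-separated recipient field
    s/^\s+|\s+$//g for @rcpts;
    return () unless @rcpts;
    for my $addr (@rcpts) {
        # Exact, whole-address match; no substring or domain-suffix matching.
        return () unless exists $allowed->{lc $addr};
    }
    return @rcpts;
}

# Constructed form inputs, checked against the constructed list above.
my $allowed = load_allowlist($ALLOWLIST_TEXT);
for my $try ('sales@example.com',
             'SUPPORT@example.org, sales@example.com',
             'victim@elsewhere.test',
             'sales@example.com,victim@elsewhere.test',
             "sales\@example.com\n") {
    my @ok = authorized_recipients($try, $allowed);
    (my $shown = $try) =~ s/\n/\\n/g;
    printf "%-50s %s\n", $shown, (@ok ? 'send' : 'reject');
}
```

Because the decision is made on the server against a file the form submitter cannot change, it does not depend on the request method or on the referrer header, which is the weakness the message points out in the first workaround.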
    



    This archive was generated by hypermail 2b30 : Tue Jun 26 2001 - 12:26:41 PDT