Date: Mon, 25 Jun 2001 08:24:10 -0700 (PDT)
From: kanda samy <ksamy2000@yahoo.com>
To: bugtraq@securityfocus.com
Subject: Formmail.pl Exploit - Anti-Spam and security fix available

Anti-Spam and security fix available for formmail.pl
http://www.mailvalley.com/formmail/

A serious flaw in the popular CGI program Formmail.pl allows spammers to send anonymous emails. This vulnerability has already been exploited by spammers in many installations of Formmail.pl.

Reference: http://www.securityfocus.com/templates/archive.pike?list=1&mid=168177

Earlier, two workarounds were suggested:

1) Modify the perl script to disallow the GET method.
   Weakness of this workaround: it is possible to write a script that uses the POST method to post to formmail even with a faked HTTP_REFERER field, so this may not be a permanent solution.

2) Hard-code the recipient's address into the formmail perl script.
   Limitation of this workaround: this is not at all useful when a single formmail script needs to be used for multiple domains and email addresses.

A patched version of Matt Wright's Formmail.pl is now available. Parameshwar Babu (babuweb@mailvalley.com) has released a patched version of the formmail script that contains a fix for this security hole. The modified script allows you to specify the list of recipient email addresses in a text file, so the script can be restricted to send email only to authorized addresses.

Summary: the patched version of the script

* Prevents the script from being used by spammers.
* Allows you to specify, in a text file, a list of recipients who are authorized to receive emails.
* Prevents unauthorised users from fetching your server's environment variables.
* Can be used by web-hosting providers, webmasters and anyone who needs to use the same formmail script for several web pages or domains.
Another exploit was reported which makes it possible for a remote user to view the environment and setup variables of the server running the formmail perl script.

Reference: http://www.securityfocus.com/templates/archive.pike?list=1&mid=59441

The patched script mentioned here also prevents an unauthorised user from fetching the environment and setup variables of the server.

A patched version of the script can be downloaded from http://www.mailvalley.com/formmail/
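The two fixes the post describes, a recipient allow-list read from a text file and refusing to report server environment variables to anyone but an authorised recipient, come down to one fail-closed check that runs before anything else is processed. The following Python is an added illustration of that check, not the patched formmail.pl or any code from mailvalley.com. The allow-list file contents, the form fields and the environment values are constructed sample data embedded inline; the restriction of `env_report` to a fixed set of variable names is an extra assumption made here for illustration, not a feature the post attributes to the patched script.

```python
"""Recipient allow-list check in the style of the patched formmail.pl.

Constructed example: the allow-list file contents and the submitted form
fields are embedded inline so the script runs offline.
"""
import re

# Contents of a hypothetical allow-list text file (one address per line,
# blank lines and '#' comments ignored).  Constructed sample data.
ALLOWLIST_TEXT = """
# addresses authorised to receive form mail
webmaster@example.com
Sales@Example.com

support@example.org
"""

# Environment variables a form may ask to have reported; anything else is
# dropped.  This restriction is an assumption added for illustration, not
# a feature the mailing-list post describes.
REPORTABLE_ENV = {"REMOTE_HOST", "REMOTE_ADDR", "HTTP_USER_AGENT"}

# Deliberately simple address syntax check: one '@', a dot in the domain,
# no whitespace or commas.
_ADDR_RE = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")


def parse_allowlist(text):
    """Return the set of normalised (lower-cased) addresses in a list file."""
    allowed = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if _ADDR_RE.match(line):
            allowed.add(line.lower())
    return allowed


def split_recipients(field):
    """Split a formmail-style comma-separated 'recipient' field."""
    return [r.strip().lower() for r in field.split(",") if r.strip()]


def authorised_recipients(field, allowed):
    """Return the recipients to mail, or None if any recipient is not authorised.

    Failing closed on a single bad address matters: accepting the 'good'
    ones and silently dropping the rest would still let a spammer probe
    the list one address at a time.
    """
    wanted = split_recipients(field)
    if not wanted:
        return None
    if any(r not in allowed for r in wanted):
        return None
    return wanted


def filter_env_report(field, environ):
    """Honour env_report only for the allowed variable names."""
    names = [n.strip() for n in field.split(",") if n.strip()]
    return {n: environ.get(n, "") for n in names if n in REPORTABLE_ENV}


def handle_form(fields, environ, allowed):
    """Decide what the CGI would do with one submission.

    Returns ('sent', recipients, env_report) or ('rejected', reason, None).
    The recipient check runs first, so an unauthorised submission never
    gets as far as the environment report.
    """
    recipients = authorised_recipients(fields.get("recipient", ""), allowed)
    if recipients is None:
        return ("rejected", "recipient not in allow-list", None)
    env = filter_env_report(fields.get("env_report", ""), environ)
    return ("sent", recipients, env)


if __name__ == "__main__":
    allowed = parse_allowlist(ALLOWLIST_TEXT)
    env = {"REMOTE_ADDR": "192.0.2.10", "SERVER_SOFTWARE": "x", "PATH": "/usr/bin"}
    legit = {"recipient": "webmaster@example.com", "env_report": "REMOTE_ADDR"}
    relay = {"recipient": "webmaster@example.com, victim@example.net",
             "env_report": "PATH,SERVER_SOFTWARE"}
    print(handle_form(legit, env, allowed))
    print(handle_form(relay, env, allowed))
```

Note that the comparison is on normalised addresses (trimmed, lower-cased), so case differences in the allow-list file or the form do not cause false rejections, and a submission naming several recipients is rejected as a whole if even one of them is absent from the list.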