(A Patch Is Released) Re: FormMail.pl Web-to-Email CGI Script Allows Unauthorized Users to Send Mail (e.g., spam) Anonymously
Date: Jun 26 2001 21:30 (UTC/GMT)
Impact: Modification of user information
Fix Available: Yes
Description: A vulnerability has been discovered in the FormMail.pl web-to-email gateway that allows unauthorized users to send spam (junk mail) anonymously. Because the CGI script trusts user-supplied form fields, including the recipient address, the e-mail it sends out can appear to come from a non-existent or forged address. The e-mail itself does not reveal the spammer's real IP address; however, the web server's log files will record it.
Impact: A user can send fake e-mail or spam e-mail using the FormMail.pl CGI script.
Solution: A patch has been released and is available from: http://www.mailvalley.com/formmail/ See the Source Message for the details.
Vendor URL: www.worldwidemart.com/scripts/formmail.shtml
Cause: Authentication error, Input validation error
Underlying OS: Linux (Any), UNIX (Any)
Reported By: kanda samy <ksamy2000@yahoo.com>
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Mon, 25 Jun 2001 08:24:10 -0700 (PDT)
From: kanda samy <ksamy2000@yahoo.com>
Subject: Formmail.pl Exploit - Anti-Spam and security fix available
Anti-Spam and security fix available for formmail.pl
http://www.mailvalley.com/formmail/

A serious flaw in the popular CGI program Formmail.pl allows spammers to send anonymous emails. This vulnerability has already been exploited by spammers in many installations of Formmail.pl.
Reference:
http://www.securityfocus.com/templates/archive.pike?list=1&mid=168177

Earlier, two workarounds were suggested:

1) Modify the perl script to disallow the GET method.
Vulnerability of this workaround:
It is possible to write a script that uses the POST method to post to formmail even with a faked HTTP_REFERER field. So this may not be a permanent solution.

2) Hard-code the recipient's address into the formmail perl script.
Limitations of this workaround:
This is not at all useful when a single formmail script needs to be used for multiple domains and email addresses.

A patched version of Matt Wright's Formmail.pl is now available.
Parameshwar Babu (babuweb@mailvalley.com) has released a patched version of the formmail script that contains a fix to this security hole in the script. The modified script allows you to specify the list of recipient email addresses in a text file. Thus the script can be used to restrict emails so that they would be sent only to authorized addresses.

Summary: The patched version of the script:
* Prevents the script from being used by spammers
* Allows you to specify a list of recipients in a text file who are authorized to receive emails.
* Prevents unauthorised users from fetching your server's environment variables.
* Can be used by web-hosting providers, webmasters and anyone who needs to use the same formmail script for several webpages or domains.

Another exploit was reported which makes it possible for a remote user to view the Environment and Setup variables of the server running the formmail perl script.
Reference:
http://www.securityfocus.com/templates/archive.pike?list=1&mid=59441
The patched script mentioned here also prevents an unauthorised user from fetching the environment and setup variables of the server.

A patched version of the script can be downloaded from
http://www.mailvalley.com/formmail/
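The two controls the message credits to the patched script, a recipient allowlist read from a server-side text file and a limit on what env_report may return, modelled as a stand-alone Python example added for this archive entry (it is not the mailvalley patch or FormMail's own code). The recipients file contents, the SAFE_ENV_REPORT set and the function names are constructed for the example.

```python
"""Stand-alone model of the mitigation described above."""

# Constructed sample of the "authorized recipients" text file (one address per
# line; blank lines and '#' comments are ignored). On a real server it belongs
# outside the web root, readable only by the CGI user.
RECIPIENTS_FILE = """
# addresses this form is allowed to mail to
webmaster@example.com
Sales@Example.com   # matching is case-insensitive
"""

# Env vars the script may echo back via env_report; anything else is dropped.
# (This set is the example's own choice, not a FormMail setting.)
SAFE_ENV_REPORT = {"REMOTE_HOST", "REMOTE_ADDR", "HTTP_USER_AGENT"}


def load_allowlist(text):
    """Parse the recipients file into a set of lower-cased addresses."""
    allowed = set()
    for line in text.splitlines():
        addr = line.split("#", 1)[0].strip()
        if addr:
            allowed.add(addr.lower())
    return allowed


def authorized_recipients(field, allowed):
    """Return the normalised recipient list, or None if any entry is not allowlisted.

    The whole address is compared against the server-side file; no request
    header (such as the HTTP_REFERER the message says a POSTing script can
    forge) takes part in the decision.
    """
    chosen = []
    for raw in (field or "").split(","):
        addr = raw.strip().lower()
        if not addr or addr not in allowed:   # empty, unknown, or injected text
            return None
        chosen.append(addr)
    return chosen


def process_submission(form, allowed):
    """Decide whether a submission may be mailed and which env vars it may report."""
    recipients = authorized_recipients(form.get("recipient"), allowed)
    if recipients is None:
        return None       # refuse outright; never fall back to a default address
    wanted = [v.strip() for v in form.get("env_report", "").split(",") if v.strip()]
    return {"recipients": recipients,
            "env_report": [v for v in wanted if v in SAFE_ENV_REPORT]}
```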