SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
About the Archives
Want to learn about the SecurityTracker archives? We've got answers to frequently asked questions right here
Sign Up!





Category:  Application (Web Server/CGI)  >  FormMail.pl Vendors:  Wright, Matt
Re: FormMail.pl Web-to-Email CGI Script Allows Unauthorized Users to Send Mail (e.g., spam) Anonymously
Date:  Mar 16 2001 05:34 (UTC/GMT)
Impact:  Modification of user information
Description:  A vulnerability has been discovered in the FormMail.pl web-to-email gateway that allows unauthorized users to send spam (junk mail) anonymously.

A user reports his observations that there are several different versions of formmail.pl floating around, some of which may have some forms of anti-spam protection.


Impact:  A user can send fake e-mail or spam e-mail using the FormMail.pl cgi script.
Solution:  No solution was available at the time of entry.
Vendor URL:  http://www.worldwidemart.com/scripts/formmail.shtml
Cause:  Authentication error, Input validation error
Reported By:  Steve Reid <sreid@SEA-TO-SKY.NET>
Message History:   This archive entry is a follow-up to the message listed below.
Mar 16 2001 FormMail.pl Web-to-Email CGI Script Allows Unauthorized Users to Send Mail (e.g., spam) Anonymously


 Message Contents
Date:  Mon, 12 Mar 2001 02:43:02 -0800
From:  Steve Reid <sreid@SEA-TO-SKY.NET>
Subject:  Re: CORRECTION to CODE: FormMail.pl can be used to send anonymous

 

On Sat, Mar 10, 2001 at 05:43:43PM +0000, Michael Rawls wrote:
>    I did a little playing with FormMail.pl after a run in with a spammer
> abusing our webserver. Apparently ALL FormMail.pl cgi-bin scripts can be
> used to spam anonymously.  I found another server with FormMail.pl and
> tried the same exploit to send myself an email and it worked.

There are several different versions of formmail.pl floating around.
I've seen one that did absolutely no checking at all, and one that
would not send mail to any host not listed in /etc/hosts, and a couple
of others with peculiarities I can't recall.

Formmail.pl is a very short and simple script, which makes it easy to
understand and therefor easy to modify. I wouldn't guess at how many
variants are out there.

Given the existence of these variants, I believe the perils of
formmail.pl have been known about for a long time. The original
probably had no spam protection at all, and everyone who discovered
that fact created their own variant. A bugtraq database search brings
up several hits going back as far as 1995, although none of them appear
to be of the type you have reported.


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2001, SecurityGlobal.net LLC