From: kanda samy (ksamy2000yahoo.com)
Date: Mon Jun 25 2001 - 10:24:10 CDT

    Anti-Spam and security fix available for formmail.pl
    http://www.mailvalley.com/formmail/

    A serious flaw in the popular CGI program Formmail.pl allows spammers to send anonymous emails. This vulnerability has already been exploited by spammers in many installations of Formmail.pl.
    Reference: http://www.securityfocus.com/templates/archive.pike?list=1&mid=168177

    Earlier, two workarounds were suggested:

    1) Modify the perl script to disallow the GET method.
    Vulnerability of this workaround: It is possible to write a script that uses the POST method to post to formmail even with a faked http_referrer field. So this may not be a permanent solution.

    2) Hard-code the recipient's address into the formmail perl script.
    Limitations of this workaround: This is not at all useful when a single formmail script needs to be used for multiple domains and email addresses.

    A patched version of Matt Wright's Formmail.pl is now available.

    Parameshwar Babu (babuwebmailvalley.com) has released a patched version of the formmail script that contains a fix to this security hole in the script. The modified script allows you to specify the list of recipient email addresses in a text file. Thus the script can be used to restrict emails so that they would be sent only to authorized addresses.

    Summary: The patched version of the script:
    * Prevents the script from being used by spammers
    * Allows you to specify a list of recipients in a text file who are authorized to receive emails.
    * Prevents unauthorised users from fetching your server's environment variables.
    * Can be used by web-hosting providers, webmasters and anyone who needs to use the same formmail script for several webpages or domains.

    Another exploit was reported which makes it possible for a remote user to view the Environment and Setup variables of the server running the formmail perl script.
    Reference: http://www.securityfocus.com/templates/archive.pike?list=1&mid=59441

    The patched script mentioned here also prevents an unauthorised user from fetching the environment and setup variables of the server.

    A patched version of the script can be downloaded from
    http://www.mailvalley.com/formmail/

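
The recipient allowlist described in the message above, as an added Perl example that is not code from the patched script or from the original post. The one-address-per-line file format, the function names `load_allowed` and `check_recipients`, the case-insensitive comparison and the control-character rejection are assumptions of this example; the addresses are constructed sample data.

```perl
use strict;
use warnings;

# Read the allowlist: one address per line; blank lines and '#' comments skipped.
# (Assumed file format; the post only says the addresses live in a text file.)
sub load_allowed {
    my ($fh) = @_;
    my %allowed;
    while (my $line = <$fh>) {
        $line =~ s/^\s+|\s+$//g;              # trim, including the newline
        next if $line eq '' || $line =~ /^#/;
        $allowed{lc $line} = 1;
    }
    return \%allowed;
}

# Return the recipients if EVERY address in the form field is allowlisted,
# otherwise an empty list. One unlisted address rejects the whole request.
sub check_recipients {
    my ($field, $allowed) = @_;
    return () unless defined $field;
    # Extra strictness added in this example: no control characters
    # (CR, LF, NUL, ...) may reach the mail headers.
    return () if $field =~ /[\x00-\x1f\x7f]/;
    (my $trimmed = $field) =~ s/^ +| +$//g;
    my @rcpt = split / *, */, $trimmed, -1;   # -1 keeps empty trailing items
    for my $addr (@rcpt) {
        return () unless $allowed->{lc $addr}; # exact match only, no patterns
    }
    return @rcpt;                              # empty field yields an empty list
}

# Constructed allowlist and form values, embedded so the example runs offline.
my $list = <<'EOT';
# recipients permitted on this server
sales@example.com
Support@example.org
EOT
open my $fh, '<', \$list or die "open: $!";
my $allowed = load_allowed($fh);
close $fh;

for my $field ('sales@example.com', 'support@example.org, sales@example.com',
               'someone@example.net', 'sales@example.com,someone@example.net',
               "sales\@example.com\nX-Extra: constructed") {
    my @ok = check_recipients($field, $allowed);
    (my $shown = $field) =~ s/\n/\\n/g;
    printf "%-42s %s\n", $shown, @ok ? 'ACCEPT' : 'REJECT';
}
```

Because the check runs on the server against a file the client cannot influence, it does not depend on the request method or the Referer header, which is the weakness the message points out in the first workaround.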