LPM: security problems with formmail.pl
David Pitts
dpitts at mk.net
Tue Mar 20 08:38:09 CST 2001
All,
As part of a security list, I received the following concerning Matt
Wright's formmail.pl program. Obviously, you want to make sure you are not
using formmail.pl, but also, that you are not doing the same thing yourself.
================================================
Formmail.pl Can Be Used As An Open Mail Relay
------------------------------------------------------------------------
SUMMARY
The CGI program Formmail.pl lacks adequate security checks and allows
spammers to send anonymous e-mail using vulnerable hosts as mail relays.
This vulnerability has already been exploited by spammers in many
installations of Formmail.pl.
DETAILS
Matt Wright's formmail.pl program does a "security check" on the
HTTP_REFERER server variable. The security check is usually used to verify
that information submitted from a form came from a proper or designated
domain. This is usually done to prevent someone from creating a local,
malicious form to submit to a script. This can be easily bypassed by
passing a raw HTTP request, and faking the HTTP Referrer. This script also
allows you to set the recipient's email address in the form. These two
factors allow a malicious user to use the formmail.pl program to
distribute their email (SPAM).
Exploit:
A URL such as the following:
http://www.example.com/cgi-bin/FormMail.pl?
recipient=email at address-to-spam.com&message=
Proof%20that%20FormMail.pl%20can%20be%20used%20to%20send%20anonymous%20spam.
Will send an anonymous e-mail if the installed FormMail.pl is vulnerable.
Workaround:
1. Remove your formmail.pl script until the author provides a fix.
or:
2. Hard code the recipient's email address in the formmail.pl program. Do
not rely on the address submitted by the user.
ADDITIONAL INFORMATION
The information has been provided by <mailto:mike at djcafe.com> Michael
Palamar.
===========================================================
Thanks,
David Pitts
http://www.dpitts.com
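The two factors the advisory names (a client-controlled Referer and a user-supplied recipient) and the second workaround (hard-code the recipient), as an added example that is not part of the post or of formmail.pl. The recipient table, form names and addresses are constructed placeholders.

```python
from urllib.parse import parse_qs

# Constructed example data: the server, not the submitter, decides who a
# given form may mail. Only addresses listed here can ever be used.
RECIPIENTS = {
    "contact": "webmaster@example.com",
    "sales": "sales@example.com",
}
# A Referer allow-list of the kind formmail.pl relied on. The header is
# set by the client, so this is at best a convenience, never a control.
ALLOWED_REFERERS = ("http://www.example.com/",)


def vulnerable_recipient(query: str, referer: str):
    """formmail.pl-style logic: trust the Referer, then trust the submitted
    'recipient' field. Returns the address the mail would go to, or None."""
    if not referer.startswith(ALLOWED_REFERERS):
        return None
    params = parse_qs(query)
    # The submitter chooses the destination, which is the open-relay bug.
    return params.get("recipient", [None])[0]


def hardened_recipient(query: str):
    """Workaround 2 from the advisory: the destination is looked up from a
    server-side table keyed by a form name; Referer is not consulted at all.
    Returns the address or None if the request must be rejected."""
    params = parse_qs(query)
    if "recipient" in params:
        # Any client-supplied recipient is a sign of tampering: reject,
        # rather than silently ignoring it.
        return None
    form = params.get("form", [None])[0]
    return RECIPIENTS.get(form)


if __name__ == "__main__":
    # A forged Referer plus a chosen recipient gets through the old check.
    print(vulnerable_recipient("recipient=victim%40example.net&message=hi",
                               "http://www.example.com/contact.html"))
    # The hardened handler only mails the address bound to the form.
    print(hardened_recipient("form=contact&message=hi"))
    print(hardened_recipient("form=contact&recipient=victim%40example.net"))
```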