LPM: security problems with formmail.pl

David Pitts dpitts at mk.net
Tue Mar 20 08:38:09 CST 2001


All,
As part of a security list, I received the following concerning Matt
Wright's formmail.pl program.  Obviously, you want to make sure you are not
using formmail.pl, but also, that you are not doing the same thing yourself.

================================================


  Formmail.pl Can Be Used As An Open Mail Relay
------------------------------------------------------------------------

SUMMARY

The CGI program Formmail.pl lacks adequate security checks and allows
spammers to send anonymous e-mail using vulnerable hosts as mail relays.
This vulnerability has already been exploited by spammers in many
installations of Formmail.pl.

DETAILS
Matt Wright's formmail.pl program does a "security check" on the
HTTP_REFERER server variable. The security check is usually used to verify
that information submitted from a form came from a proper or designated
domain. This is usually done to prevent someone from creating a local,
malicious form to submit to a script. This can be easily bypassed by
passing a raw HTTP request, and faking the HTTP Referrer. This script also
allows you to set the recipient's email address in the form. These two
factors allow a malicious user to use the formmail.pl program to
distribute their email (SPAM).

Exploit:
A URL such as the following:
http://www.example.com/cgi-bin/FormMail.pl?recipient=email at address-to-spam.com&message=Proof%20that%20FormMail.pl%20can%20be%20used%20to%20send%20anonymous%20spam.

Will send an anonymous e-mail if the installed FormMail.pl is vulnerable.

Workaround:
1. Remove your formmail.pl script until the author provides a fix.
or:
2. Hard code the recipient's email address in the formmail.pl program. Do
not rely on the address submitted by the user.

ADDITIONAL INFORMATION

The information has been provided by <mailto:mike at djcafe.com> Michael
Palamar.

===========================================================

Thanks,

David Pitts
http://www.dpitts.com
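The second workaround in the quoted advisory (hard-code the recipient, never take it from the form) can be illustrated with a small form-to-mail CGI. The script below is an added example written for this archive page; it is not Matt Wright's FormMail.pl, nor code from the list. The recipient address, the sendmail path, and the form field names (subject, email, message) are assumptions to be adapted to the installation. Besides refusing any recipient supplied by the request, it strips CR/LF from single-line header fields so a submitted value cannot smuggle extra headers (such as Bcc:) into the message, which matters because sendmail -t takes its delivery list from the headers.

```perl
#!/usr/bin/perl
# Hardened form-to-mail handler (added example, not FormMail.pl).
# The destination is fixed in the script; the HTTP request cannot choose it,
# so faking the Referer header gains nothing.
use strict;
use warnings;
use CGI;

# Assumption: replace with the address that should receive form submissions.
my $RECIPIENT = 'webmaster@example.com';
# Assumption: path to the local sendmail binary.
my $SENDMAIL  = '/usr/sbin/sendmail';

my $q = CGI->new;

# A form that tries to name its own recipient is rejected outright.
if (defined $q->param('recipient')) {
    print $q->header(-status => '400 Bad Request', -type => 'text/plain');
    print "recipient is not an accepted form field\n";
    exit;
}

# Single-line header fields: collapse CR/LF so a submitted value cannot
# terminate the Subject: line and inject further headers.
my $subject = $q->param('subject');
$subject = 'Web form submission' unless defined $subject && length $subject;
$subject =~ s/[\r\n]+/ /g;

# Reply address: accept only one token with no whitespace, CR/LF or angle
# brackets; anything else is dropped rather than placed in a header.
my $from = $q->param('email');
$from = '' unless defined $from && $from =~ /\A[^\s<>]+@[^\s<>]+\z/;

# The body sits after the blank line, where free text cannot become a header.
my $body = $q->param('message');
$body = '' unless defined $body;

# List-form open: no shell is involved, so field contents are never
# interpreted as command arguments.
open(my $mail, '|-', $SENDMAIL, '-t', '-i')
    or die "cannot run $SENDMAIL: $!";
print $mail "To: $RECIPIENT\n";
print $mail "From: $from\n" if length $from;
print $mail "Subject: $subject\n";
print $mail "\n";
print $mail "$body\n";
close($mail) or die "sendmail exited with status $?";

print $q->header(-type => 'text/plain');
print "Thank you, your message has been sent.\n";
```

Because the recipient is a constant in the script rather than a form parameter, the request in the advisory (recipient=... in the query string) is answered with a 400 instead of a delivery, and the Referer check is no longer the only thing standing between the script and an open relay.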
