LPM: security problems with formmail.pl

Rich Bowen rbowen at rcbowen.com
Tue Mar 20 09:13:50 CST 2001


David Pitts wrote:
> 
> All,
> As part of a security list, I received the following concerning Matt
> Wright's formmail.pl program.  Obviously, you want to make sure you are not
> using formmail.pl, but also, that you are not doing the same thing yourself.

On CPAN, in the Scripts area, you'll find mailform.pl, which is a
replacement for this sort of functionality. It uses Mail::Sendmail to
send the messages, so it is platform independent. It uses Text::Template
to format the email message itself. And it uses CGI_Lite for the CGI
functionality, whereas formmail does it in the CGI code, and does not do
taint checking on stuff. However, it should not be thought that this
gets around most of the real security concerns with using an email form
in the first place.

"Security" by HTTP_REFERER (or any other browser-set ENV variable) is
just plain silly, and shows very little understanding of HTTP.
"Security" by hidden form variables is just plain silly, and shows very
little understanding of HTML, browsers, and web users. "Security" by the
advanced technique called "hoping nobody notices" combined with the more
advanced technique called "oh, our users would never do that" is just
plain silly, and shows insufficient paranoia, and a lack of
understanding of the script kiddie mentality.

If you put an email form on your web site, people are going to abuse it.
Same with guestbooks, discussion forums, and whatever else you care to
put on your web site that allows users to participate in creating your
content. It's all part of the game.

-- 
Rich Bowen <rbowen at rcbowen.com>
Come see me at Apachecon! -- http://www.apachecon.com/
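An added illustration of the point above, not code from the message, from formmail.pl or from mailform.pl, written in Python rather than Perl so it runs stand-alone: the HTTP_REFERER check and the hidden-field check both pass for a request whose every value the client chose, while a handler that keeps the recipient list server-side and only untaints a symbolic key (in the spirit of taint checking) never mails an address the browser supplied. All names and addresses are hypothetical.

```python
# Added example, not from the original message or from mailform.pl/formmail.pl.
# Contrasts browser-controlled "security" (Referer header, hidden form field)
# with a server-side recipient decision. All names/addresses are hypothetical.
import re

# Server-side mapping from a symbolic form key to a real recipient. Only the
# addresses listed here can ever be mailed; the browser never supplies one.
RECIPIENTS = {
    "sales": "sales@example.org",
    "webmaster": "webmaster@example.org",
}
ALLOWED_REFERER = "https://www.example.org/"


def referer_check(env):
    """The 'security' the message ridicules: trusts a browser-set header."""
    return env.get("HTTP_REFERER", "").startswith(ALLOWED_REFERER)


def hidden_field_check(form):
    """Equally weak: a hidden field is just another client-supplied value."""
    return form.get("recipient", "").endswith("@example.org")


def choose_recipient(form):
    """Server-side decision: the form names a key, the server names the
    address.  The key is 'untainted' taint-check style by matching a strict
    pattern; anything else (including a raw address) yields None."""
    key = form.get("to", "")
    if not re.fullmatch(r"[a-z]+", key):
        return None
    return RECIPIENTS.get(key)


# Constructed request: every value below was chosen by the client, so the two
# weak checks pass even though nothing about the request is trustworthy.
FORGED_ENV = {"HTTP_REFERER": "https://www.example.org/contact.html"}
FORGED_FORM = {"recipient": "anyone@example.org", "to": "victim@other.example"}


def demo():
    """Summarise all three decisions for the constructed request."""
    return {
        "referer_passes": referer_check(FORGED_ENV),      # True
        "hidden_passes": hidden_field_check(FORGED_FORM),  # True
        "server_side": choose_recipient(FORGED_FORM),      # None
        "legit": choose_recipient({"to": "sales"}),        # sales@example.org
    }
```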
