LPM: security problems with formmail.pl
Joe Hourcle
oneiros at dcr.net
Tue Mar 20 14:37:27 CST 2001
On Tue, 20 Mar 2001, Matt Cashner wrote:
> On Tue, 20 Mar 2001, David Pitts wrote:
>
> > All,
> > As part of a security list, I received the following concerning Matt
> > Wright's formmail.pl program. Obviously, you want to make sure you are not
> > using formmail.pl, but also, that you are not doing the same thing yourself.
>
> actually this hole and many others like it have been known for eons in Matt
> Wright's code. Wright even knows about them, admits them, and refuses to
> fix them. the real question is: why are you (general you, not anyone in
> specific) still using Matt Wright's b0rk3n perl4 code?

For those not familiar with Matt Wright, he's the one responsible for the
infamous 'wwwboard'. [Which coincidentally was the only place I ever saw
year 19100.]

Interestingly enough, the readme contains the present version information:

##############################################################################
# WWWBoard Version 2.0 ALPHA 2.1 #
# Copyright 1996 Matt Wright mattw at worldwidemart.com #
# Created 10/21/95 Last Modified 11/25/95 #
# Security Patches/Bug Fixes: January 07, 2000 #
# Scripts Archive at: http://www.worldwidemart.com/scripts/ #
##############################################################################

[Hmm...written well before perl5, and the only modification listed was
right after y2k...and it's released as _alpha_ code]

-Joe