Formmail.pl (Matt Wright's script from worldwidemart.com/scripts) has several well-known holes which let spammers exploit it. This fix looks quite OK to me. Checks allowed recipients from a file instead of hardcoding recipient addresses, and also looks like it fixes a couple of other holes.

<http://www.mailvalley.com/formmail/>

I'm not too good at perl - so if some of y'all check it out and let these guys know, it'll be great I guess. [they make a couple of fairly good software packages I have installed on 'doze based client machines - pppshar and netmailshar]

--suresh

----- Forwarded message from J Bacher -----

> >Date: Mon, 25 Jun 2001 08:24:10 -0700 (PDT)
> >From: kanda samy <[EMAIL PROTECTED]>
> >Subject: Formmail.pl Exploit - Anti-Spam and security fix available
> >To: [EMAIL PROTECTED]
> >X-Status:
> >
> >Anti-Spam and security fix available for formmail.pl
> >http://www.mailvalley.com/formmail/
> >
> >A serious flaw in the popular CGI program Formmail.pl allows spammers to send anonymous emails. This vulnerability has already been exploited by spammers in many installations of Formmail.pl.
> >Reference:
> >http://www.securityfocus.com/templates/archive.pike?list=1&mid=168177
> >
> >Earlier, two workarounds were suggested:
> >
> >1) Modify the perl script to disallow the GET method
> >Vulnerability of this workaround:
> >It is possible to write a script that uses the POST method to post to formmail even with a faked http_referrer field. So this may not be a permanent solution.
> >
> >2) Hard-code the recipient's address into the formmail perl script.
> >Limitations of this workaround:
> >This is not at all useful when a single formmail script needs to be used for multiple domains and email addresses.
> >
> >A patched version of Matt Wright's Formmail.pl is now available.
> >
> >Parameshwar Babu ([EMAIL PROTECTED]) has released a patched version of the formmail script that contains a fix to this security hole in the script.
> >The modified script allows you to specify the list of recipient email addresses in a text file. Thus the script can be used to restrict emails so that they would be sent only to authorized addresses.
> >
> >Summary: The patched version of the script:
> >* Prevents the script from being used by spammers
> >* Allows you to specify a list of recipients in a text file who are authorized to receive emails.
> >* Prevents unauthorised users from fetching your server's environment variables.
> >* Can be used by web-hosting providers, webmasters and anyone who needs to use the same formmail script for several webpages or domains.
> >
> >Another exploit was reported which makes it possible for a remote user to view the Environment and Setup variables of the server running the formmail perl script.
> >Reference:
> >http://www.securityfocus.com/templates/archive.pike?list=1&mid=59441
> >
> >The patched script mentioned here also prevents an unauthorised user from fetching the environment and setup variables of the server.
> >
> >A patched version of the script can be downloaded from
> >http://www.mailvalley.com/formmail/

----- End forwarded message -----

_______________________________________________
linux-india-help mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/linux-india-help
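The forwarded message contrasts the Referer-based workaround (bypassable, since the client sets that header) with a recipient allow-list read from a text file. The example below is an added illustration of that distinction, written in Python rather than Perl and not taken from Matt Wright's script or the mailvalley patch; the file format (one address per line, `#` comments) and the sample addresses are assumptions.

```python
import re

# Constructed sample of an allow-list file of the kind the patched script is
# described as reading. Not a real configuration; one address per line.
SAMPLE_ALLOWED_FILE = """
# addresses that may receive mail through this form
webmaster@example.com
sales@example.com   # several domains may be listed for one script
info@example.net
"""

# Plain local@domain.tld only: no spaces, commas or angle brackets, so a
# malformed entry in the file cannot quietly widen the allow-list.
ADDRESS_RE = re.compile(r"^[^@\s,<>]+@[^@\s,<>]+\.[^@\s,<>]+$")


def parse_allowed(lines):
    """Build the allow-list: strip comments and whitespace, lowercase,
    and keep only syntactically plain addresses."""
    allowed = set()
    for raw in lines:
        entry = raw.split("#", 1)[0].strip().lower()
        if entry and ADDRESS_RE.match(entry):
            allowed.add(entry)
    return allowed


def load_allowed(path):
    """Read the allow-list from disk (path is deployment-specific)."""
    with open(path, encoding="ascii") as fh:
        return parse_allowed(fh)


def referer_allows(env, trusted_referers):
    """The workaround the post calls insufficient: HTTP_REFERER is supplied
    by the client, so a POST carrying a forged Referer passes this test."""
    ref = env.get("HTTP_REFERER", "")
    return any(ref.startswith(t) for t in trusted_referers)


def authorized_recipients(recipient_field, allowed):
    """The fix: FormMail's 'recipient' field may carry several comma-separated
    addresses. Accept the submission only if every one is on the allow-list;
    return the normalised list, or None to refuse the whole submission."""
    addrs = [a.strip().lower() for a in recipient_field.split(",")]
    addrs = [a for a in addrs if a]
    if not addrs or any(a not in allowed for a in addrs):
        return None
    return addrs
```

A submission naming even one address outside the file is refused outright, which is what stops the script relaying to arbitrary third parties regardless of which HTTP method or Referer the client used.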
