At 12:57 PM -0500 3/28/02, Stefan Jeglinski imposed structure on a stream of electrons, yielding:

>>Incidentally, if you are using Matt Wright's formmail.pl, STOP.
>>That script has serious security problems by design.
>
>Even with the so-called 'security' changes made in 1.6 -> 1.9? Can
>you clarify? Are there some links and analysis anywhere discussing
>this more?
http://online.securityfocus.com/cgi-bin/vulns.pl is a great resource. Just select the vendor, product, and version and you will get a list. 3 items show up for formmail 1.9. They are at:

http://online.securityfocus.com/bid/2469
http://online.securityfocus.com/bid/3954
http://online.securityfocus.com/bid/3955

Essentially: formmail is open to people spamming through your machine.

>>I would go so far as to say that using anything by Matt Wright is
>>unwise, but that's just because I've read a lot of his code.
>
>Are there any good alternatives (perl scripts or other) to
>accomplish the mailing of forms?

One alternative is to fix formmail so that it cannot be directed to mail to any address except the one you want it to mail to. Another, better choice is at http://nms-cgi.sourceforge.net/

Note the over-arching point of that project is to eradicate Matt Wright's junk scripts from the net. The cool part of this is that the replacements are actually maintained by people who can be reasonably called Perl programmers, as opposed to Matt Wright.

-- 
Bill Cole
[EMAIL PROTECTED]
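The fix Bill describes, a form mailer that "cannot be directed to mail to any address except the one you want it to mail to", as an added example that is not part of the thread, not formmail.pl, and not code from the nms project. It puts the fragile pattern (the request names the recipient and the script only checks that a trusted domain appears somewhere in it) beside the hardened one (the request names a form, the server maps that to a fixed address, and any recipient in the request is ignored). The RECIPIENTS map, the ALLOWED_DOMAINS list, the addresses and the sample submission are all constructed for illustration; the CR/LF check on header fields is a general precaution, not something the thread discusses.

```python
"""Added example: a form-to-mail handler that cannot be used as an open
relay. Not formmail.pl and not nms code; all names and addresses are
constructed for illustration."""
import re
from email.message import EmailMessage

# Constructed: the only addresses this script may ever deliver to, keyed by
# a short form name that the HTML form submits. Hypothetical addresses.
RECIPIENTS = {
    "contact": "webmaster@example.org",
    "sales": "sales@example.org",
}

# Constructed: a domain the weak check below trusts.
ALLOWED_DOMAINS = ["example.org"]


def weak_recipient_check(recipient):
    """The fragile pattern: the form chooses 'recipient' and the script only
    checks that an allowed domain appears somewhere in the string. Any
    address that merely contains 'example.org' passes, so the sender of the
    request decides where the mail goes."""
    return any(domain in recipient for domain in ALLOWED_DOMAINS)


def choose_recipient(form):
    """Hardened: the form supplies only a key; the server maps it to an
    address. A recipient address in the request is never consulted."""
    key = form.get("form", "")
    if key not in RECIPIENTS:
        raise ValueError("unknown form name: %r" % key)
    return RECIPIENTS[key]


_LINE_BREAK = re.compile(r"[\r\n]")


def clean_header(value, limit=200):
    """Reject CR/LF in anything copied into a mail header so a submitted
    field cannot append extra header lines (general precaution)."""
    value = value.strip()
    if _LINE_BREAK.search(value):
        raise ValueError("line break in header field")
    return value[:limit]


def build_message(form, sender="www-data@example.org"):
    """Build the outgoing message from a submitted form (a dict of field
    name -> value). Handing the result to smtplib is left to the caller."""
    msg = EmailMessage()
    msg["From"] = sender                     # fixed, never from the form
    msg["To"] = choose_recipient(form)       # allowlisted, never from the form
    msg["Subject"] = clean_header(form.get("subject", "Web form"))
    reply_to = form.get("email", "")
    if reply_to:
        msg["Reply-To"] = clean_header(reply_to)
    # Everything else goes into the body as plain text; the form key and any
    # attacker-supplied 'recipient' field are dropped rather than honoured.
    body_lines = ["%s: %s" % (k, v) for k, v in sorted(form.items())
                  if k not in ("form", "recipient")]
    msg.set_content("\n".join(body_lines))
    return msg


if __name__ == "__main__":
    # Constructed submission: the 'recipient' field is attacker-controlled.
    spam_attempt = {
        "form": "contact",
        "recipient": "victim@elsewhere.test",
        "email": "someone@example.net",
        "subject": "hello",
        "message": "buy now",
    }
    # Weak check: a crafted address that contains the trusted domain passes.
    print(weak_recipient_check("victim@example.org.attacker.test"))
    # Hardened handler: mail goes to the allowlisted address regardless.
    print(build_message(spam_attempt)["To"])
```

The hardened handler never reads an address out of the request at all, which is the property that matters: substring and domain checks on a caller-supplied recipient can be argued about, a fixed server-side map cannot.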
