Web Host Directory Forums

View original thread:  Alert! - Formmail.pl Spam


sanshri
Most websites use Perl scripts for receiving feedback from their visitors. Many popular websites use Matt's formmail.pl to process feedback forms hosted on their website. However, there is a serious bug in the script that is being exploited by spammers to send junk mail anonymously from the website.

A modified script is now available which allows you to specify the list of recipient email addresses in a text file. The script can be used to restrict emails so that they would be sent only to authorized addresses.

You can now stop spammers from using the formmail script on your website even if they use spoofed referrers. It also prevents an unauthorised user from fetching environment variables of your server.

Download the fixed script from
http://www.mailvalley.com/formmail/
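The recipient-allowlist approach described in this post, shown as an added Python illustration (not the Perl formmail.pl script and not the mailvalley.com patch), beside the referrer check it replaces; the allowlist file contents and addresses below are constructed sample data:

```python
# Added illustration: a referrer check trusts a client-supplied header, so a
# forged Referer passes it; a recipient allowlist read from a text file
# refuses to relay to any address the site owner did not list.
import re
from urllib.parse import urlparse

# Constructed sample allowlist file: one address per line, '#' comments and
# blank lines ignored (assumed file format, not the patch's own).
ALLOWED_FILE_TEXT = """
# addresses that the form handler may deliver to
webmaster@example.com
sales@example.com   # trailing comment
"""


def load_allowed_recipients(text):
    """Parse allowlist text into a set of lower-cased addresses."""
    allowed = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            allowed.add(line.lower())
    return allowed


def parse_recipient_field(field):
    """Split the form's 'recipient' value on commas/whitespace, lower-case it."""
    return [a.lower() for a in re.split(r"[,\s]+", field) if a]


def referrer_check(referer, allowed_hosts):
    """The weak check: accepts whatever host the client put in Referer."""
    host = urlparse(referer).hostname or ""
    return host.lower() in allowed_hosts


def authorize_recipients(field, allowed):
    """Return (accepted, rejected); deliver only if rejected is empty."""
    requested = parse_recipient_field(field)
    accepted = [a for a in requested if a in allowed]
    rejected = [a for a in requested if a not in allowed]
    return accepted, rejected


if __name__ == "__main__":
    allowed = load_allowed_recipients(ALLOWED_FILE_TEXT)
    # A forged Referer satisfies the old check...
    print(referrer_check("http://www.example.com/contact.html", {"www.example.com"}))
    # ...but the allowlist still refuses the outside address.
    print(authorize_recipients("Webmaster@example.com, victim@example.net", allowed))
```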
JTY
Thanks for pointing that out. Even though I don't use it, everyone that does will appreciate it.
Mr Chunder
I think this should be posted on bugtraq.
akashik
Actually it's a pretty old issue with formail. Most people should/would have gotten the updated version by now. I suppose it's not mentioned much as it's considered old news.

Variations of formail have been built by spammers as well to work as bulkmailing programs. They're loaded onto a server by the spammer, then used to generate a few million or so e-mails before they get caught. In this case it's a bit of a dying art as a lot of servers are configured to spot known variants and close them down the moment they get onto the box. (Alabanza servers do this for example).

Abuse of formail does happen, but it's less of an issue than you would first believe.

Greg Moore
ValuableHost
Quote:
Originally posted by akashik
Actually it's a pretty old issue with formail. Most people should/would have gotten the updated version by now. I suppose it's not mentioned much as it's considered old news.

Variations of formail have been built by spammers as well to work as bulkmailing programs. They're loaded onto a server by the spammer, then used to generate a few million or so e-mails before they get caught. In this case it's a bit of a dying art as a lot of servers are configured to spot known variants and close them down the moment they get onto the box. (Alabanza servers do this for example).

Abuse of formail does happen, but it's less of an issue than you would first believe.

Greg Moore

Yes, this is a very old issue; not only formmail.pl had this problem, but various other scripts. I think you need to add another "param" to the script. Can't remember now.
sanshri
Quote:
Actually it's a pretty old issue with formail. Most people should/would have gotten the updated version by now. I suppose it's not mentioned much as it's considered old news.

Most of the so-called fixes for formmail are still vulnerable to attacks. Some have written fixes that would work for only one domain. The patch available from
http://www.mailvalley.com/formmail/
is more flexible but at the same time offers better security. Some providers have simply shut down the scripts, causing a lot of inconvenience to their customers.

Even today, spammers are exploiting vulnerable formmail scripts installed on many websites.