Formmail.pl Exploit - Anti-Spam and security fix available
From: kanda samy <ksamy2000 () yahoo com>
Date: Mon, 25 Jun 2001 08:24:10 -0700 (PDT)
Anti-Spam and security fix available for formmail.pl

A serious flaw in the popular CGI program Formmail.pl allows spammers to send anonymous emails. This vulnerability has already been exploited by spammers in many installations of Formmail.pl.

Earlier, two workarounds were suggested:

1) Modify the perl script to disallow the GET method
Vulnerability of this workaround: It is possible to write a script that uses the POST method to post to formmail even with a faked http_referrer field. So this may not be a permanent solution.

2) Hard-code the recipient's address into the formmail
Limitations of this workaround: This is not at all useful when a single formmail script needs to be used for multiple domains and email addresses.

Patched version of Matt Wright's Formmail.pl is
Parameshwar Babu (babuweb () mailvalley com) has released a version of the formmail script that contains a fix to this security hole in the script.

The modified script allows you to specify the list of recipient email addresses in a text file. Thus the script can be used to restrict emails so that they would be sent only to authorized addresses.

Summary: The patched version of the script:
* Prevents the script from being used by spammers
* Allows you to specify a list of recipients in a text file who are authorized to receive emails.
* Prevents unauthorised users from fetching your server's environment variables.
* Can be used by web-hosting providers, webmasters and anyone who needs to use the same formmail script to several webpages or

Another exploit was reported which makes it possible for a remote user to view the Environment and Setup variables of the server running the formmail perl script. The patched script mentioned here also prevents an unauthorised user from fetching the environment and setup variables of the

A patched version of the script can be downloaded from
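The recipient allow-list approach the post describes, shown beside the Referer check it is meant to replace, as an added Perl example. This is not the patched script released by Parameshwar Babu and not Matt Wright's formmail.pl; the function names, the temporary allow-list file, the sample addresses and the two simulated form submissions are all constructed here for illustration.

```perl
#!/usr/bin/perl
# Added example (not the patched formmail.pl): a recipient allow-list read
# from a text file, next to the client-controlled Referer check.
# Function names, sample addresses and requests are assumptions.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Load the allow-list: one address per line; blank lines and '#' comments ignored.
sub load_allowed {
    my ($path) = @_;
    my %allowed;
    open my $fh, '<', $path or die "cannot open $path: $!";
    while (my $line = <$fh>) {
        chomp $line;
        $line =~ s/#.*//;           # strip trailing comments
        $line =~ s/^\s+|\s+$//g;    # trim whitespace
        next unless length $line;
        $allowed{lc $line} = 1;     # addresses compared case-insensitively
    }
    close $fh;
    return \%allowed;
}

# The weak defence: accept the request if HTTP_REFERER names one of the
# configured hosts.  The header is supplied by the client, so a script that
# POSTs directly can set it to whatever it likes.
sub referer_ok {
    my ($referers, $referer) = @_;
    return 0 unless defined $referer;
    for my $host (@$referers) {
        return 1 if index(lc $referer, lc $host) >= 0;
    }
    return 0;
}

# The fix: split the submitted 'recipient' field on commas (formmail accepts
# a list) and accept only if every address is on the allow-list.  One unlisted
# address rejects the whole request; mailing only the listed ones would still
# let a spammer probe the list and send to the matches.
sub recipients_ok {
    my ($allowed, $field) = @_;
    return 0 unless defined $field;
    my @addrs = grep { length } map { s/^\s+|\s+$//gr } split /,/, $field;
    return 0 unless @addrs;
    for my $addr (@addrs) {
        return 0 unless $allowed->{lc $addr};
    }
    return 1;
}

# Constructed demo data: a temporary allow-list file and two simulated
# submissions.  The second is a spammer's direct POST with a forged Referer
# and an arbitrary recipient smuggled in beside a valid one.
my ($fh, $path) = tempfile(UNLINK => 1);
print $fh "# authorised recipients\nsales\@example.com\nSupport\@example.com\n";
close $fh;
my $allowed  = load_allowed($path);
my @referers = ('example.com');

my @requests = (
    { referer   => 'http://www.example.com/contact.html',
      recipient => 'sales@example.com' },
    { referer   => 'http://www.example.com/contact.html',   # forged by the client
      recipient => 'victim@elsewhere.invalid, sales@example.com' },
);

for my $req (@requests) {
    printf "referer check: %-4s  recipient check: %-4s  (%s)\n",
        referer_ok(\@referers, $req->{referer})    ? 'pass' : 'FAIL',
        recipients_ok($allowed, $req->{recipient}) ? 'pass' : 'FAIL',
        $req->{recipient};
}
```

Both simulated requests carry a Referer naming the configured host, so referer_ok cannot tell them apart; only the allow-list rejects the second one, which is the point the post makes about the GET-blocking and Referer workaround. In a real deployment the allow-list file must live outside the web root and be readable by the CGI user only, so that the list itself does not become another thing a remote user can fetch.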