[cobalt-users] don't touch formMail.pl - was Universal CGI-BIN Problem
- Subject: [cobalt-users] don't touch formMail.pl - was Universal CGI-BIN Problem
- From: Greg Hewitt-Long <greg@xxxxxxxxxxxxxxxxxxx>
- Date: Mon Mar 12 20:24:15 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
>Hi, I had a universal CGI-BIN on my RaQ 4r, which I implemented by adding
>"ScriptAlias /cgi-sys/ /usr/cgi-sys/" to the srm.conf. In there I put
>FormMail.pl; this was working fine. Today I noticed it stopped working (it
>may have stopped working before today, I just found out about it today).
>When I try to run the script, I get "The server encountered an internal
>error or misconfiguration and was unable to complete your request."
Sorry, don't know about that....
>
>I've gone and checked and made sure everything's right (the script is
>chmod-ed to 755, the ScriptAlias line is still in the srm.conf, etc.). I'm
>wondering if one of the Cobalt security patches I've applied to the server
>has messed things up somehow. I tried uploading a "fresh" copy of
>FormMail.pl, and this didn't fix things. Does anyone have any ideas how to
>fix this?
Are you referring to Matt's Script Archive FormMail.pl? i.e., the v.16. formMail? If so, I suggest you remove it now you have advertised the fact that you have it.... it's a SERIOUSLY flawed script, see this:
http://www.securiteam.com/exploits/FormMail_discloses_environment_variables_information.html
We recently found it on a client site and it had been used roughly 5,000+ times a day to send homosexual porn site adverts using our sendmail - which of course reports itself as being on our server, and because it's invoked by a script, doesn't report the initiating IP address!
An example is as follows:
http://www.yourdomain.com/cgi-bin/formmail.pl?env_report=PATH&recipient=youremail@xxxxxxxxxxxxxx&required=&firstname=&lastname=&email=&message=&Submit=this_is_my_message
I've left out the subject field and a few other details, but suffice it to say that it's possible to send fully customized messages from any copy of formmail.pl, and it doesn't appear to respect the @referer list within the script.
HTH
Greg Hewitt-Long
>
>~ Chris Calabrese
>WebWorkshop Webmaster
>http://www.webworkshop.org
>
--
http://www.webyourbusiness.com/
Providers of E-Commerce Software &
Web Design Consultancy and Services.
PH: (970)266-0195 FAX: (970)266-0158
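
A log check for the abuse pattern described in this message, added as an example and not part of the original post: it scans web server access-log lines for FormMail requests whose recipient lies outside the site's own domains or that carry env_report. The log lines are constructed, and ALLOWED_DOMAINS and find_abuse are assumed names.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Assumption: domains this site's forms are allowed to mail to.
ALLOWED_DOMAINS = {"yourdomain.com"}

# Constructed sample lines in Apache common log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2001:10:01:02 -0700] "GET /cgi-bin/formmail.pl?recipient=sales@yourdomain.com&email=a@example.org HTTP/1.0" 200 512
198.51.100.7 - - [12/Mar/2001:10:01:05 -0700] "GET /cgi-bin/formmail.pl?env_report=PATH&recipient=victim1@example.net&Submit=x HTTP/1.0" 200 498
198.51.100.7 - - [12/Mar/2001:10:01:06 -0700] "GET /cgi-sys/FormMail.pl?recipient=victim2@example.net,victim3@example.com HTTP/1.0" 200 498
203.0.113.5 - - [12/Mar/2001:10:02:00 -0700] "GET /index.html HTTP/1.0" 200 1024
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+)')
SCRIPT_RE = re.compile(r'/formmail(\.pl|\.cgi)?$', re.IGNORECASE)

def find_abuse(log_text, allowed=ALLOWED_DOMAINS):
    """Return (findings, hits_per_ip) for FormMail requests that mail
    outside the allowed domains or ask for env_report."""
    findings, per_ip = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        url = urlsplit(target)
        if not SCRIPT_RE.search(url.path):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        # A recipient value may hold several comma-separated addresses.
        rcpts = [r.strip().lower() for v in params.get("recipient", [])
                 for r in v.split(",") if r.strip()]
        foreign = [r for r in rcpts if r.rpartition("@")[2] not in allowed]
        env = "env_report" in params  # flagged for review, see linked advisory
        if foreign or env:
            findings.append({"ip": ip, "foreign": foreign, "env_report": env})
            per_ip[ip] += 1
    return findings, per_ip

if __name__ == "__main__":
    hits, per_ip = find_abuse(SAMPLE_LOG)
    for h in hits:
        print(h)
    print(per_ip.most_common())
```

Only parameters sent in the URL appear in an access log, so submissions made by POST need the mail log or the script's own logging to be reviewed the same way.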