[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-users] don't touch formMail.pl - was Universal CGI-BIN Problem

Subject: Re: [cobalt-users] don't touch formMail.pl - was Universal CGI-BIN Problem
From: Greg Hewitt-Long <greg@xxxxxxxxxxxxxxxxxxx>
Date: Mon Mar 12 22:21:10 2001
List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>

> > Are you referrring to Matt's Script Archive FormMail.pl?  ie, the v.16.
>formMail?  If so, I suggest you remove it now you have advertised the fact
>that you have >it....  it's SERIOUSLY flawed script
>
>I highly agree. Most users can't get it to work without commenting out the
>referrer-checking code, and once they do that, your machine is an open spam
>server.
>I recommend to all of my users that they *not* use FormMail - but after some
>heavy thinking, I'm going to completely ban usage of it.
>Anyone have a cron script handy that will do a locate for formmail.pl (in
>all case-sensitive possibilities) and delete all copies that it finds?


Try this in a script run by cron:


#!/bin/sh
/bin/find / \( -name 'F*' -o -name 'f*' \) -type f -print | grep -i formmail | while read FILE
do
   NEWFILE=`echo $FILE | sed 's/$/.REMOVED/'
   echo "mv $FILE $NEWFILE"
   mv $FILE $NEWFILE
done | tee -a somelogfile

>
>>see this:
>>
>>
>http://www.securiteam.com/exploits/FormMail_discloses_environment_variables_
>information.html


You need to paste the wrapped bit onto the end of the first part, or visit google.com and search for 'formmail exploit' - the site I pasted was the second on the list.

>
>I couldn't get this URL to work but I did back it up to the /exploits and
>was presented with a list of hacks and exploits that frankly just makes me
>want to shut down the server and close up shop. Egads, batman.
>And the bad thing is, they put up the exploit in full source - a hacker's
>dream come true. Would it not be sufficient to say that the exploit does
>this or that by exploiting this or that vulnerability, and not give away the
>actual exploit? IMHO, this site does more to promote hacking and exploiting
>than it does to promote securing your server/site. Full posting of the
>source exploits is nothing less than irresponsible.
>
>Carrie
>
>_______________________________________________
>cobalt-users mailing list
>cobalt-users@xxxxxxxxxxxxxxx
>To Subscribe or Unsubscribe, please go to:
>http://list.cobalt.com/mailman/listinfo/cobalt-users

-- 
http://www.webyourbusiness.com/
Providers of E-Commerce Software &
Web Design Consultancy and Services.
PH: (970)266-0195 FAX: (970)266-0158

References:
- Re: [cobalt-users] Weekly Cron Error zcat
  - From: Colin J. Raven
- [cobalt-users] Universal CGI-BIN Problem
  - From: WebWorkshop
- [cobalt-users] don't touch formMail.pl - was Universal CGI-BIN Problem
  - From: Greg Hewitt-Long
- Re: [cobalt-users] don't touch formMail.pl - was Universal CGI-BIN Problem
  - From: Carrie Bartkowiak

Prev by Date: RE: [cobalt-users] Catch All On RAQ 3
Next by Date: Re: [cobalt-users] Catch All On RAQ 3
Previous by thread: Re: [cobalt-users] don't touch formMail.pl - was Universal CGI-BIN Problem
Next by thread: Re: [cobalt-users] don't touch formMail.pl - was Universal CGI-BIN Problem

Sun Cobalt Users Message Index

Sun Cobalt Users Thread Index